Untile | Feb 22 2022

Why we decided to get the ISO 27001 certification

The short answer to the question in the title is: because information security matters.

Information security matters to us, it matters to our clients, and it matters to their own customers, who will be using the products we develop.

The long answer, however, is much more interesting.

The ISO 27001 certification is a work of years

The first set of rules and standards that would become ISO 27001 was drawn up in 1995 by a department of the British Government (the Department of Trade and Industry). It was published as a British Standard (BS), numbered 7799, by an institution that still exists to this day: the BSI, or British Standards Institution.

The BSI has over 80,000 clients, and it produces technical specifications and minimum required standards across a broad range of areas. Anything from energy management systems to greenhouse gas emissions can be the subject of a BSI certification.

This is why 1995 is such an important date: it was the first time the BSI turned its attention to information security management.

BS 7799 was updated in 1998 and then adopted by ISO (the International Organization for Standardization, the international counterpart of the BSI) into several of its standards throughout the early 2000s: the code-of-practice part became ISO/IEC 17799 in 2000, and the management-system specification became ISO/IEC 27001 in 2005. The standard is published jointly with the IEC, which is why its full designation is ISO/IEC 27001.

By the time we reach ISO 27001, very little of the original 1995 text is still in use, but the history is important because it shows how a standard evolves with the times and the technology.

And Untile wants to continue that history

This certification does for contemporary information systems what its predecessors did for the systems of their day: it serves as a seal of confidence for the market. It assures our clients that our information security practices follow a recognized standard from the outset, and that an independent certification body has audited them.

It’s not easy to achieve this certification. Untile had to go through a very serious internal analysis of our operational, strategic, regulatory, financial and even human-resource-related risks. The effort of continuously upholding the practices ISO 27001 demands is significant.

They are the gold standard.

After this evaluation was completed, we had to determine what our level of risk was, because we knew that once these standards were in place, failing to keep up with them would mean not delivering our clients’ projects at all. This was a deep and all-encompassing exercise for the entire company.

Here’s how Miguel Oliveira, one of our founders and CEO, saw the process:

“The information entrusted to us by our customers is a crucial pillar for Untile. The ISO 27001 certification allowed us to carry out an analysis and introspection work to know our vulnerabilities as well as our operational, financial and strategic risks associated with business continuity, regarding the various information assets, the relationship with its suppliers, the assets information, work methodologies, management of its human and physical resources. This exercise and this visibility allowed us to move to a level of maturity far above the existing one.”

This is a fair summary of the entire process. It allowed us not only to assess the standards we were operating under, but also to identify and work on our weaknesses and limitations. We realized that, although we were already operating at a high level in terms of security, we would commit fully to ISO 27001: we would not only fix everything that needed fixing to achieve the certification, we would also keep it.

Certifications like ISO 27001 are a continuous commitment

Once you have a certification like this one, it becomes a responsibility in and of itself. All growth must uphold these standards, and all new developments must meet these levels.

There are no exceptions.

This is how Abel Soares, Head of Engineering at Untile, sees this added responsibility:

“ISO 27001 is a powerful tool not only for our clients, who get to know the strict guidelines that our company follows and that guide our work and culture, but also for us as a company and individuals in the sense that we work daily to improve our processes and quality of work.”

This isn’t a moment in time for Untile; this is how we do things from now on. It’s an attitude towards security that we have always fostered within the company, but it has now been sharpened to the point of becoming part of our day-to-day activities and tasks.

This is extremely gratifying when we deal with customers, because simply knowing that we operate under these parameters lets them tick off a set of prerequisites and expectations immediately.

It’s crucial because it’s comprehensive

ISO 27001 is a fundamental standard for anyone building information systems because its scope is 360º: it covers the whole organization, not just the technology. It deals with a comprehensive range of areas, such as communications security, access control, physical and environmental security, human resources, and so on.

Instead of focusing only on the more obvious aspects of building such a system, or only on the system itself, a proper ISO 27001 assessment takes into consideration every aspect, within the scope of the management system, that concerns the actual usage and maintenance of the system.

There are two main parts to ISO 27001:

  • The requirements section (the main clauses of the standard), which lists everything an organization must establish, document and review to implement an information security management system correctly: its scope, leadership commitment, risk assessment and treatment, resources, operation, performance evaluation and continual improvement. The standard itself spells these out in a level of detail that goes beyond the scope of an article such as this one.
  • The controls section (Annex A), which catalogues the controls, or practices, that an organization selects and justifies in its Statement of Applicability, and then puts in place to treat the risks it identified.

The goal is to ensure security

Every ISO management-system standard aims to give this kind of assurance in its own domain, but ISO 27001 is the one aimed squarely at information security. If you are dealing with a company that applies ISO 27001, such as Untile, you can be confident that the requirements and the applicable controls are in place to protect your product, and that an independent auditor has verified them.

This doesn’t mean an increase in bureaucracy. Rather, it’s like an x-ray of the entire company. The 2013 edition of the standard lists 114 controls in its Annex A that ensure everything is done properly throughout the company. (The 2022 revision reorganizes them into 93 controls under four themes, but the areas covered are the same.)

Here are some of the topics included:

  • Information security policies;
  • Organization of information security;
  • Human resource security;
  • Asset management;
  • Access control;
  • Cryptography;
  • Physical and environmental security;
  • Operations security;
  • Communications security;
  • System acquisition, development and maintenance;
  • Supplier relationships;
  • Information security incident management;
  • Information security aspects of business continuity management;
  • Compliance.

We always seek the best

Everything we make must perform at the highest possible level. We know this and our customers know this, but we feel that any opportunity to demonstrate it in objective ways that everyone can understand should be taken.

These certifications provide exactly such an opportunity.

This way, anyone who doesn’t know Untile and is unaware of our work will still be fully aware of the demands we place on every single product we make.

We wouldn’t have it any other way.
