It’s not enough to say that you take security seriously. You either live it daily, or you don’t. The challenge of implementing security in startups is nothing new. How do you grow the business and invest in the right projects while maintaining customer trust?
To demonstrate serious commitment to information security, Contentful recently chose to invest in compliance certification with a recognizable international standard: ISO 27001. In this post, I describe the path that Contentful took towards ISO 27001 certification.
An intro to the standard: What is ISO 27001?
Companies can have their security program certified against the international information security standard ISO/IEC 27001:2013, or ISO 27001 for short. The standard specifies the requirements for an ISMS, an Information Security Management System: the policies, processes and controls an organization uses to manage its information security risks. An accredited auditor checks the organization's ISMS against those requirements, and if it meets them, the organization is certified. ISO 27001 ensures companies stay above a vital threshold for the security of their own and their customers' data.
Certification means that the company's information security processes are in good shape and that the certified company manages its security risks in a structured, auditable way. Contentful has been working hard to become compliant with ISO 27001 by improving security processes and applying them to the whole business.
The path to certification
First things first. You can’t create security culture and build a solid security program without senior management support. It can’t be done. Trust me, I tried. When I interviewed to join Contentful with Paolo Negri, our CTO, the ISO 27001 topic was already on the table. I knew this company meant business with security. I joined the company and started working on the project a few months later.
For startups like ours, the first challenges to implementation are mostly related to commitment from senior management, budget and resources. In our case, management was on board from the outset. Budget was pre-allocated because it was a strategic decision. Resources were the main challenge, since the operational side of security always takes precedence, especially in a small team.
However, with the first hurdles under control, we set out for success.
Compliance with ISO 27001 does not mean a secure product, or even a secure company. It means that security processes are in place and that risks are identified, analyzed and treated in an educated manner. This is not an unpopular opinion; it's just the truth.
However, this is exactly what is needed to turn security into a driver for business growth. A solid security program compliant with a respected international standard is the foundation for future improvements. Everyone benefits from it. It begins with senior management delegating power to the team to make decisions and own risks, one of the key requirements of ISO 27001.
The project had two main phases: asset management and risk management. The first identified the assets to be evaluated, allocated owners to processes, analyzed the data and systems that support those processes and, in the end, classified information based on a data classification policy. The second phase assessed the risks to all the previously analyzed assets, allocated risk owners, identified the security measures already in place, and decided how each risk should be treated (mitigated with additional controls, accepted, transferred or avoided).
This was a daunting task. With the limited resources we had, the team spent hours in workshops making vital decisions about risks and data security. Not everyone is always comfortable with taking ownership of risks in a company. But security is not solely owned by one team. It may sound like a cliché, but security is indeed everyone's responsibility.
Safer and more secure
After months of painstaking work, the security culture at Contentful is better than ever. We now have a set of policies that standardize the way we operate, and we have a significantly improved decision-making process based on the information security risks we previously assessed. This program is also flexible — we know that threats evolve, and we’re prepared to evolve and improve as well.
Every business feature has a security owner, from our web app to our APIs. And, thanks to mandatory training for every single Contentful employee, security ownership is clearer and every employee is better equipped to identify and mitigate security threats.
This is why customers trust service providers that have their security program certified against an international standard like ISO 27001. Contentful's path to certification demonstrates its commitment to earning and keeping trust, from its investors and customers to its own employees.
We kicked off our ISO 27001 compliance efforts in Q4 2017 and are on track to complete ISO 27001 certification by the end of June 2019 at the latest. When we say that Contentful takes security seriously, we mean it.