We recently caught up with our Chief Information Security Officer at Xeerpa, Guillermo Cediel Blanco, about our recent ISO 27001 certification, the international information security standard. We discussed the certification and data safeguards in general with him and talked a bit about what the future holds. Xeerpa's business is processing information, so certifying that our systems meet the strictest security requirements was of the utmost importance for the company.
ISO 27001 helps businesses set up their own information security management system (ISMS) to organize their security measures. Organizations must take a long hard look at their risks, where they are vulnerable, and what impact a breach might have. Then, with that information in hand, they have to design controls and measures to treat any unacceptable risk, whether by reducing it, avoiding it, or transferring it. To sustain those measures, they need to map out a management process that covers their security needs over time, not just at the moment of certification.
ISO 27001 is a major step for Xeerpa. Guillermo points out that, “ISO 27001 is a guarantee that the service we’re offering our customers meets the necessary information security requirements.” This wasn’t something that happened overnight. “At Xeerpa we worked hard on adapting our systems and internal processes for over a year,” he adds, “to perfect our security policies and procedures, before we could get the ISO 27001 certificate.” And this isn’t just a notch in our belt or another entry on a list of certificates; it’s “a guarantee and the proof that we’re working the right way to ensure all the information we’re handling is secure.”
Today’s information market needs, according to Xeerpa’s CISO, “incredibly high security levels, which are not limited to the physical security of the information and its confidentiality, to keep out unwanted visitors,” it also means, “making sure information is available for all its possible recipients, its availability,” and that it’s “exact, its integrity.” He clarified that, “these three points are the basis of the ISO 27001 standard: integrity, confidentiality, and availability.” By covering all three, a company ensures that it has a solid base to build the rest of its services on, both those offered to customers and the ones used in-house.
To earn certification, Guillermo told us that Xeerpa, “adapted [its] systems to get ready.” We had to “pass two audits (an internal one and then an external one carried out by Applus).” The auditors “reviewed over 100 points on different work processes or how we handle information, going from the existence of and then compliance with internal security policies, to how we manage our assets, the security and cryptography used in our systems and communications, and our relationship with our suppliers and customers.” Our adaptation process went off without a hitch: we “passed the audit [on our] first try with no major non-conformities” and earned the ISO 27001 certificate.
Looking ahead, we asked Guillermo what the challenges were down the road in security. The biggest one, he said, was to finish restructuring to meet the EU’s new General Data Protection Regulation. He also said we were just about done with the adaptations we needed to make. GDPR is not the only regulation out there, and new ones are constantly being passed, which the company keeps up with. Other future challenges are recurring ones: improving and enhancing security in Xeerpa’s systems and services, which is always on the front burner. The company’s CISO said that “we run periodic tests to make sure we meet security requirements, and have ongoing improvement methodologies in place.” He stressed that our overriding goal was that “the services we offer our customers, the relationship we have with our suppliers, and our internal processes meet the highest security requirements on all levels.” Xeerpa, he assured us, aspires to make staying on top of new practices, recommendations, and technologies a top priority, to offer the highest quality and most secure service possible.