Stepping Up Our Standards with ISO 27001

We’ve been talking about data a lot lately. Whether looking at how smart cities are harnessing it to make urban areas greener, or how banks are using it to drive fintech forward, it’s no big secret that data is the powerful driving force behind business insight.

You can read some of our previous articles here:

A Data-driven Future. Is it Sensible or Scary?
The Growth of Fintech and Why it Excites Us
The Road to Smart Cities

These are huge topics – but also areas and industries that excite us, and where we think we can effect real, positive change. But to do so, we also must become the ‘custodians of data’. Whilst that does sound a little like the next Avengers movie, it is in fact a fairly serious thing for agencies like us to consider. Put simply, our clients need to be able to trust us with their information, no matter how much or how little of it we process, and feel reassured that our security is up to scratch.

That’s why we’re an ISO 27001:2013 registered company.

Let’s break this down and find out exactly what it entails and the who, why and how of it all. ISO 27001 is a ‘standard’ for information security management. Think of it as a set of requirements that we must meet and continue to follow. Its primary goal is to ensure that businesses keep information and assets secure, and because we are registered, clients can trust that their financial information, intellectual property and product data are all in safe hands.

‘27001’ is simply the code number of the standard, and ‘2013’ is the year of the most current version, although that version does incorporate some of the changes made in 2017 (despite ISO 27001:2017 being a separate standard in itself).

More than just paperwork

ISO isn’t just a standard, man. It’s a way of life. Okay, not quite. But the standard should be omnipresent in everything that you do as a business, from onboarding a new starter all the way through to offboarding a project. We have a Security Policy Statement, which is not only part of our induction training, but also forms part of our ongoing training programme. This is important and ensures that we always keep sight of the various best practices and policies, and that information security is front of mind for everyone at AndAnotherDay.

Hardware, software, anywhere

Part of ISO 27001 requires Keiron, our founder, to conduct risk assessments around devices and media throughout the company. This means ensuring that ‘computing’ is limited to particular laptops and smartphones, and that we are certain that these devices and the wider network are clear of risk. This starts with basic policies around things like removable USB drives, but also includes more fundamental network policies such as encryption and security.

Keeping the code under control

This is very particular to us and other web, tech or software agencies. There must be a clear line between development code and public domains. Specifically, we need to make sure that test code and live code are handled in a way that minimises any risk of the two being confused or compromised. We must also keep records of tests and deployments and maintain those lists.

No stone left unturned

There’s a lot more to ISO 27001 (probably too much to squeeze into a blog), but some of the other areas that are covered include information security policies for all and any supplier relationships, the logging of all security incidents (we haven’t had any of these), regular internal audits, management reviews, and perhaps most importantly of the lot, business continuity.

Additionally, there are the more granular pieces of guidance that we follow too, such as a clear desk policy, CCTV requirements, anti-piracy measures, money laundering controls and virus protection.

It’s in our blood

This all sounds rather complicated and thorough, but much of it is common sense, and these are practices that we, as good developers and engineers, should be following anyway. Security, redundancy and maintenance are an integral part of our roles, and we see ISO 27001 as a structured guide to ensure we continue to uphold our sensible but secure approach to data. That said, we have made some welcome changes lately, such as using Confluence alongside Jira (our ticketing system), so that we can attach the relevant policies to projects.

What it isn’t

Whilst this ISO standard is incredibly detailed, one thing it isn’t about is control or surveillance. We feel it’s important to say this in today’s climate. Our team here are still welcome to work flexibly, and to browse the web when they need or want to. All we ask is that they do so with security fundamentals in mind. We are a fun, friendly and easygoing business with the proper credentials in place to strike a balance between culture and compliance. We take this fair approach client-side too, and won’t dazzle our clients with a dozen burning hoops to jump through: simply some upfront and clear policies and procedures, which some of them may be used to seeing, but all of them will be reassured to see.

Ultimately, this is all about being a better agency. A business that our clients can trust, and a business that is working towards the greater good of transparency around data. This is fundamentally important to us and aligns with our values. In a world where consumers and users are showing increasing awareness of the whereabouts and ownership of their data, alongside some understandable mistrust of big companies and their usage of data, it is our role to set a positive example. An example that demonstrates our dedication to doing the right thing, the right way.

If you’re keen to hear more about what we do to keep things above board at AndAnotherDay, get in touch.

If you have a sensitive project in mind, where data and security are key, you know you’ve come to the right place.