
The Importance of an ISO 27001 Certification in Finance

An ISO 27001 certification is one of the most straightforward ways to showcase your commitment to data security. With cybercrime predicted to cause damages of up to USD 10.5 trillion annually by 2025, and a single data breach costing around USD 4.5 million on average, fostering sound data security practices has become essential for many businesses.

Given the nature of our clients, Atfinity treats these measures with the utmost importance. This is why we successfully went through the ISO 27001 certification process.

To showcase what this means in practice, as well as how this approach keeps our clients’ data safe, we’ll go through what we had to accomplish to get this certification and how it has impacted our work culture and approach to data safety.


The qualifications needed for an ISO 27001 certification

Fundamentally, ISO 27001 defines a standardised framework for security measures that is applied across industries and companies. As it follows a risk-based approach, context such as the industry, timing, business model and location influences the details of the implementation.

In practice, when applying for the certification, the business in question has to review its current Information Security Management System (ISMS), scope out and plan security measures, and identify gaps when compared to the ISO 27001 standard.

Management is then instructed to allocate resources within the business so that these standards can be maintained and improved upon. Internal and external audits ensure that security measures are keeping up with the modern landscape and arising threats.

The three pillars of security in ISO 27001

The three pillars that make up the ISO 27001 framework are confidentiality, integrity and availability. Each describes how data should be treated and secured to minimise risk.

Therefore, to better contextualise the specific measures we’ve taken at Atfinity, we will first discuss these pillars and how they dictate data security.

Confidentiality

Firstly, data must be classified according to its sensitivity level. Given the classification, access to such data will be limited to authorised persons and services.

This manifests in a strict need-to-know principle, where data will only be accessible to authorised persons who need said information to properly perform their duties.

Confidentiality is also key in business-to-business relations, with plenty of legal measures being put in place to prevent the unauthorised spreading of company data. This is why we insist on using secure channels for communication and even advise our clients/partners on how to keep their data safe.

Integrity

Safeguarding data integrity means safeguarding the correctness and completeness of information.

This is especially important because having key data deleted or altered can harm the operations of our clients and Atfinity.

Availability

Availability stipulates that data must be accessible to authorised persons. Depending on the type of data, required availability levels vary.

Thus, businesses must have contingency plans for situations when access to relevant data is somehow obstructed.

Atfinity tackles this issue by making sure that key data is backed up appropriately. On top of that, we strive to always have an open channel of communication with our clients and partners so that they will be aware if any issues do occur.

How Atfinity complies with ISO 27001

To start, Atfinity has implemented a robust Information Security Management System that is constantly being worked on and improved. This system comprises both technical and organisational measures that ensure the safety of both our own and our clients’ data.

However, for obvious reasons, we can’t divulge all the details of our security system. Therefore, keep in mind that the described measures are only a subset of our overall security and only serve to showcase some of the safety practices we’ve adopted.

Treating data according to its classification

We take extra precautions to ensure that only authorised persons can access any non-public data. To this end, all confidential data is encrypted and shared strictly through protected software, while physical confidential data is labelled, locked away, and destroyed once it’s no longer of use.

Alongside the aforementioned safety guards, we also instil practices that affect everyday scenarios.

For example, we implement a strict clear desk policy, which stipulates that no internal or confidential information should be visible on paper on your desk or on your screen while you are not present. Therefore, all physical data is kept in locked compartments, and all devices are password-protected and turned off when not in active use.

Both internal and, especially, confidential data is handled with the need-to-know principle in mind, thus limiting the number of potential breach points.

Software safety

Keeping our software safe from cyber threats is a main priority when it comes to security. Therefore, we have a long list of measures in place to ensure that there are no vulnerabilities in our software that can put us or our clients at risk.

These measures can be divided into a few key domains:

Quality Assurance

Unforeseen bugs are a major cause for concern, as they both lead to a worse user experience and create unpredictable circumstances that can be exploited in a cyber attack. Therefore, the Quality Assurance department at Atfinity is constantly looking for and reporting even the smallest irregularities.

This involves testing the code itself and running simulations for different processes and checking the results. To be more specific, we run automated unit tests, which check whether smaller segments of code are operating as expected, and integration tests, which check whether the code is working properly in conjunction with the database and other components.

On top of these automated tests, we also have our QA team manually go through and perform exploratory testing, to check whether different functions and processes are working properly.

It’s also important to note that aside from our own QA team, we also have an external team that checks the software, to ensure that nothing has slipped through the cracks.

Security tests

In terms of security tests, there are a few key factors we home in on. Namely, we run static application security testing (SAST) on our code and monitor whether the libraries we use have any known security problems. And while slightly different, we also ensure that the licences of said libraries are up to date and valid.

But just like with Quality Assurance, it’s important to note that we don’t just perform these tests by ourselves. Atfinity has partnered with Aikido to constantly test our code, libraries and infrastructure and to provide human-readable reports of known Common Vulnerabilities and Exposures (CVEs).

We also use Snyk for a similar purpose. Therefore, there are multiple checkpoints in place before anything goes live, ensuring that our security standards are impeccable and the software is as risk-free as possible.

Penetration tests

Lastly, we perform penetration tests to look for vulnerabilities on a grand scale. And once again, we utilise the expertise of security specialists alongside our own efforts to guarantee top-in-the-industry security. Specifically, Atfinity has partnered with Secuteer to run thorough penetration tests, as well as using Scanmeter to monitor the entire process.

These penetration tests are especially important as they give us real-life scenarios for how threat actors could cause damage to Atfinity and our clients. With our partnerships in place, as well as our own IT department, we’re able to always stay one step ahead and protect our own software as well as any information that is stored in our cloud.

Hardware security

Another important aspect of data security is to ensure that our hardware isn’t vulnerable to attacks. For the most part, this aspect goes hand-in-hand with software security and includes (amongst others) the strict regulation of software installed on the device, forced software updates and encrypted hardware.

To ensure that our measures are thorough, we also make sure to cover different kinds of machines as well. Therefore, we educate the staff not just on how they should keep their work computers safe but also their private computers, phones, and any other devices they might have and use.

Mitigation of human error

An ISMS is only as strong as its weakest link. Even disregarding malice or ulterior motives, an ISMS can still fall victim to a data breach due to a much more common factor: carelessness.

Human error in this context encompasses many different security risks. One of the more notable examples is phishing attacks. With phishing being the most common form of cybercrime, it’s also the most likely to cause a data breach. And since generative AI is predicted to make this already prevalent form of cybercrime both more convincing and more common, it’s an area that requires attention.

Another example of human error could be disregarding the confidentiality classification of data. Talking about company data in public, sending important documents via unencrypted mediums or displaying data on your laptop in a public setting all fall under this category. The same can be said about personal data breaches, as they can then lead to larger vulnerabilities.

To mitigate such risks, we implement a few processes aimed at keeping security on everyone’s mind as well as showcasing how certain threats should be handled. Primarily, we have mandatory employee awareness training and random awareness tests that further gauge employees’ understanding of best security practices.

Moreover, we occasionally craft fake phishing emails to see whether they’re dealt with properly. After the fact, we also go over the fake phishing email and point out warning signs that can help our team identify harmful emails at a glance.

Lastly, to ensure a healthy environment with regard to security, as well as to stay ahead of the curve when it comes to new potential threats, we provide tools that allow everyone to make suggestions on how security could be improved and to log any newly recognised threats.

Is an ISO 27001 certification truly helpful?

We strongly believe that a strong Information Security Management System certainly helps to protect the integrity, availability and confidentiality of our data and the data of our clients.

The ISO 27001 standard is a very helpful tool to achieve such a strong Information Security Management System:

  • It showcases our commitment to data protection towards clients
  • It engrains information security as a core tenet of our work culture
  • It forces us to constantly be on the lookout for pitfalls and ways to improve our security further
