This article has been written by Rakesh Ranjan Nayak, co-founder and VP of Engineering at TurboHire. He is an alumnus of IIT-Bombay and formerly a Software Engineer at Microsoft. Rakesh, along with Abhishek Kabra, takes care of the Engineering and Infrastructure at TurboHire. Being ISO 27001 certified is one of the biggest achievements for us so far. It is a testament to our dedication towards the protection of our customers’ data and who would be better than Rakesh to discuss at length and throw light upon the reasons why we decided to get ISO 27001 certification done.
‘Do things the right way’ – our very first value system at TurboHire is exemplified in everything we do, and our recent ISO 27001 certification is just another example of the same. At TurboHire, the team is committed to providing the highest level of security to our customers’ data. As a testament to our commitment, We are pleased to announce that we have been awarded ISO/IEC 27001:2013 certification for our information security management system (ISMS). ISO 27001 is one of the most recognized international standards on information security.
The certification by Alcumus ISOQAR, a recognized UKAS accredited certification body, is a testimony to our strong security culture, processes, and state-of-the-art infrastructure.
–Rakesh Ranjan Nayak
In addition, to having a secure infrastructure built on Microsoft Azure, we have added the best processes and control to ensure that our customers are fully assured of the security of their data. With the certification in place, they can place their full trust in us with their data without having to worry about data loss, theft, or downtime.
What is the ISO 27001 Certification?
ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and then revised in 2013. The main purpose of ISO 27001 is to help organizations, of any size or any industry, protect their information systematically and cost-effectively by implementing an Information Security Management System (ISMS). Given its rigorous approach, the standard puts in place and maintains appropriate security controls to protect the information assets of customers and other stakeholders at all times.
The major objectives of ISO 27001 are to safeguard 3 aspects of information:
- Confidentiality: Only authorized persons have the right to access information.
- Integrity: Only the authorized persons can change the information
- Availability: The information must be accessible to authorized persons whenever it is needed.
What does ISO 27001 Certification involve for TurboHire?
In order to comply with the best security practices, ISO 27001 requires us to have various controls and policies in place for the following areas
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptographic Control
- Physical and Environmental Security
- Operations Management
- Communications Security
- Security acquisition, development, and maintenance
- Supplier relationships
- Information Security Incident Management
- Information security aspects of business continuity management
- Compliance with internal requirements, such as policies, and with external requirements, such as laws
We are maintaining the evidence that we are adhering to all the controls set up. We are required to conduct periodic reviews of the controls and policies to determine their effectiveness over time. We are maintaining an objective tracker to measure our compliance to different objectives mentioned in our ISMS Manual.
5 Ways ISO 27001 will help us serve our customers better
1. Strengthening trust from our customers
It is our utmost responsibility to protect our customers’ data and information. We have been consistently taking measures from the beginning to ensure that we follow the best industry-standard security practices. The certification by ISOQAR will only strengthen the trust that our customers have in us with regard to information security.
2. Global readiness
As ISO 27001 is one of the most reputed global standards for Information Security, this certification will help us ascertain the trust of customers across geographies. It will help us scale our business to other countries without any compliance issues.
3. Better processes
Being a fast-growing company, having regular reviews and documentation for different processes and procedures is difficult without control. With the ISMS set up, we will be regularly reviewing our processes to maintain our compliance with ISO 27001. This will help all our team members adhere to the best standards for Information Security applicable to our organization.
4. Legal compliance
The number of laws and regulations concerning information security is growing constantly. ISO 27001 certification will help us comply with most laws and regulations. This will help us clear contractual requirements during enterprise deals and partnerships with other platforms for a better customer experience.
5. Competitive advantage
As the customers are getting more sensitive towards information security and the protection of their data, the certification will give us a competitive advantage over other companies in this space.
How did TurboHire achieve ‘ISO 27001 Certified’ Status?
We started building our ISMS in February 2021 and it involved collaborative efforts between different teams in TurboHire to finally get all the processes running by June. We got our certification audit done in July and got our certificate in August 2021. Here’s the breakdown of the process we went through:
Step 1: Engaging an ISO 27001 expert
We engaged a knowledgeable ISO 27001 expert with proven experience in IT Security management to guide us in bringing our policies to the highest standard for achieving ISO 27001 compliance.
Step 2: Gap analysis
The external ISO Expert very objectively assessed and compared our organization’s existing information security arrangements against the standard’s requirements. This third-party assessment helped us identify opportunities for improvement in the existing arrangements, address shortfalls against the standard’s requirements and mitigate the risk of data breaches.
Step 3: Establishing a management framework
We established a management framework that lists down all the processes we need to follow to meet our ISO 27001 implementation objectives. These involve written documentation of all our standard operating procedures, different policies concerning information security, and a schedule for activities we need to perform to measure the effectiveness of the controls.
Step 4: Risk assessment
We performed an asset-based risk assessment where we identified all the risks associated with each of the assets we currently have in the organization including the People, IP, and other intangible assets.
Step 5: Risk mitigation or exceptions
Once the risks were identified, the risks were analyzed and evaluated as per a risk assessment matrix to determine which risks must be mitigated and which can be accepted with preventive measures in place. We created a risk treatment plan to eliminate the critical risks.
Step 6: Security awareness training
We conducted multiple awareness training sessions with our team members to go through the information security policies enacted in our organization. This helped us in getting everyone aligned on the dos and don’ts with respect to the information security standard in our organization.
Step 7: Internal audit
The consultant assessed if our documentation and the policies are properly set up to meet the requirements for ISO 27001. This helped us in getting our policies reviewed thoroughly before the final certification audit. We conducted a Management Review meeting to discuss the non-conformities and added corrective actions in place to resolve the issues and improvement areas.
Step 8: Certification Audit by Alcumus ISOQAR
The ISOQAR auditors assessed if our policies and controls meet the requirements of the ISO 27001 Standard. The audit was a rigorous one, which was done in two stages and lasted approximately 2.5 days in total. The auditors reviewed the evidence for each of the controls in detail to ascertain if we are following the controls we have documented. There were no non-conformities observed in the audit. With the help of the auditors, we identified a few areas of potential improvement of the management system. They gave a go-ahead for the certification and sent the assessment report to the UK accreditation body to issue the certification.
What was the outcome of the ISO Audit?
Doing things the right way and in the best possible way is a core value we live by at TurboHire. Our team received congratulatory mail from the auditors which cited TurboHire as one of those finest entities they have audited so far with the highest level of commitment and professionalism.
What does the process look like in the future for TurboHire?
A lot of changes have been happening in the past few years with respect to data protection laws, be it the stringent GDPR law enacted by the EU or the Personal Data Protection Bill (2019) in India. There has been an increasing awareness among the public regarding information security.
For us, the journey to data protection does not stop here. Information Security is an ongoing process and TurboHire will continue to take steps to maintain and exceed the best security standards to protect users’ data. Periodic audits will be conducted by independent security consultants to maintain the effectiveness of the ISMS. Yearly surveillance audits will be performed by Alcumus ISOQAR to test our continuous compliance as we grow and expand our business.