We have certified our information security in accordance with ISO 27001

2 February 2024 - by Martin Mattli

Apps with love has been ISO/IEC 27001:2022 certified since December 2023. This strengthens our security and quality standards. It is our third ISO certification, alongside ISO 9001 for our quality management system and ISO 14001 for our environmental management system.

A certification such as ISO 27001 primarily says something about how, or to what extent, a company deals with aspects of information security. A certificate in itself provides only very limited security: the key question is how processes, guidelines and best practices are actually implemented on a daily basis. An ISO certificate is therefore primarily an indicator that we as a company are addressing information security issues. Of course, we did this before as well, but the certification forces us to scrutinise all relevant aspects systematically and in a process-oriented manner. This blog post describes what these aspects are, how the certification process works and what we have learnt along the way.

What is the ISO 27001 standard?

ISO/IEC 27001 is an international standard for information security management systems (ISMS). The standard specifies the requirements for the introduction, implementation, maintenance and continuous improvement of the documented ISMS. 

The main objective of the ISO 27001 standard is therefore to help organisations or companies to establish and maintain a systematic approach to managing information security risks.

At Apps with love, we come into contact with sensitive project, personal and customer information that must be protected against unauthorized access, theft, manipulation or loss by means of suitable security measures. ISO 27001 helps us to ensure this protection in a systematic and process-oriented manner.

Why do we need ISO 27001?

Over the last few years, the software projects we have had the opportunity to implement have tended to become larger and more complex. As a result, we often have to confirm compliance with specific security requirements of the client as early as the preparation and submission of an offer.

Due to the tightening of the Data Protection Act in September 2023, the obligation to comply with IT baseline protection in certain projects and recent cyberattack incidents, it was clear to us that we wanted to further standardise the security measures and processes we had already developed and take them to the next level. That is why we decided at the beginning of 2023 to aim for ISO 27001 certification.

Our main reasons for the ISO 27001 certification:

  1. We protect sensitive information: ISO 27001 helps to protect sensitive information such as personal, customer and project data as well as business information from unauthorised access, theft, manipulation or loss.

  2. We meet legal requirements: We are legally obliged to take appropriate measures to protect internal data and data from our customers and partners. The processes and guidelines anchored in ISO 27001 enable us to meet these requirements.

  3. We identify risks: The ISO standard enables us to identify and assess security risks and threats in a standardized manner and derive specific measures to deal with them.

  4. We increase trust when working with our customers: The ISO 27001 certification demonstrates to our customers, business partners and stakeholders that we as a company actively take care of the security of information.

  5. We guarantee our business continuity and that of our customers: ISO 27001 helps us as a company to safeguard business processes and IT systems against disruptions and disasters, thereby ensuring business continuity.

How did the ISO 27001 certification process work?

The path to the ISO 27001 certification is a structured procedure that ensures that the ISMS to be developed meets the requirements of the ISO standard. The certification process takes place in various steps.

Identify and assess risks

Firstly, we identified the BSI risks* and assessed their relevance for our company. The ISO 27001 standard is based on the risks identified by the BSI. For every relevant BSI risk, we then assessed the probability of occurrence and the extent of damage.

[Figure: The Apps with love risk matrix and the resulting top 10 risks (as of summer 2023)]

*BSI risks: BSI stands for the Federal Office for Information Security in Germany (Bundesamt für Sicherheit in der Informationstechnik). BSI risks are potential dangers or threats in the area of information security that have been identified by this office. The BSI has the task of ensuring and promoting IT security in Germany. With the BSI standard, the BSI offers a recognised method that enables companies to manage their information security risks in an effective and targeted manner. This method is based on the elementary threats described in the «IT-Grundschutz» compendium, which serve as the basis for the IT-Grundschutz building blocks. The BSI has distilled the most important points from the many specific individual hazards a company faces into 47 elementary risks that must be assessed. The ISO 27001 standard is also based on the risks identified by the BSI.

The statement of applicability defines the scope

The Statement of Applicability (SoA) is an essential component of an ISMS in accordance with ISO 27001. The SoA document is the central instrument for achieving the ISO standard and includes the specific requirements, control points, measures and decisions on security measures in accordance with the standard's requirements.

The key elements of the SoA are:

  • Identification of controls: The SoA lists the information security controls that an organisation considers relevant and applicable to address the identified risks. These controls can be of a technical, organizational or legal nature.

  • Applicability statement: For each control listed, the SoA states whether or not the control is applied in the company. It is made clear whether the control is "applicable" or "not applicable".

  • Reason for non-applicability: If a control is classified as "not applicable", we as a company must be able to justify and document this.

  • Documentation of exceptions: If there are exceptions to the specified security controls, these are documented in the SoA, along with the reasons for the exception.

The SoA is a dynamic document and is updated whenever changes are made in the organization. It serves as a reference document for internal and external audits and provides a clear overview of which security controls are implemented in our organization and which are not.

In around 10 workshops, we discussed the SoA control points and the associated measures with Thomas Frischknecht from the consulting firm abrima-consulting.

Develop security measures

Based on the results of the risk assessment and the SoA control points, we developed and documented security measures for all topics that are relevant to our company. All measures are incorporated into the continuous improvement process (CIP) and are categorised as follows:

  • Organisational controls

  • Personnel controls

  • Physical controls

  • Technical controls

Documentation of measures and fulfilment of SoA requirements

The documentation of the ISMS is the most important component for obtaining and maintaining certification. Accordingly, the necessary documentation, such as the ISO 27001 manual, the risk assessment, the SoA document, defined information security objectives, the security policy or risk treatment plan must be created and maintained.

Every measure defined for the SoA control points ultimately requires proof of implementation. This means that the defined measures had to be implemented as part of the initial certification. The focus was on integrating the security measures into the daily life of our organisation and its processes.

A non-exhaustive, approximate overview of the scope of documentation:

  • ISO 27001 manual which, among other things, defines the security policy and applicability

  • IT information security guidelines for employees

  • Documentation of technical and organisational measures (so-called TOMs): Checklists, data protection concept, backup strategy, personal data processing directory, data classification and confidentiality levels and so on.

  • Process adjustments: Processes for service portfolio and service catalogue, incident management and response process, update of coding guidelines, process for onboarding and offboarding of employees, adaptation of standardized non-functional requirements, etc.

  • Audit and training plan

Internal & external audits

Internal and external audits are carried out to ensure that our ISMS is effective and meets the relevant standards.

The audits check compliance guidelines as well as specific guidelines such as the information security guidelines for employees and suppliers and the guidelines on data protection and the handling of personal data.

As part of an external audit, an independent certification body carries out an assessment of the ISMS. This often includes a review of the documentation, interviews with employees and a review of the implemented security measures.

Maintenance and improvement

It is important to emphasise that ISO certification is not a one-off exercise. It requires regular review and continuous improvement. To ensure this, we rely on a continuous improvement process (CIP) that includes regular reviews and the implementation of optimisation measures.

This also includes the annual risk assessment to ensure that the information security objectives are in line with the strategic corporate objectives. The CIP also helps us to gradually embed the security measures and security principles in our corporate culture.

[Figure: The blog author Martin, Fabienne Meister from the Quality Management Team and CTO Olivier Oswald present the ISO 27001 certificate]

Focus on requirements, framework conditions and measures

  • We ensure physical and logical access control to systems, servers, office premises and locations and only grant authorised persons access to sensitive data and information.

  • We have organisational roles for a data protection officer and a CISO.

  • We are constantly developing our IT security policies and procedures and our data retention concept.

  • We carry out internal and external audits to ensure that the data protection and security measures we have implemented are effective.

  • We train our employees on the topics of data security and data protection.

  • We maintain an incident management and response process so that we can react quickly and effectively to security incidents.

Fundamental technical aspects that are always guaranteed

  • Firewalls

  • Security patches and updates: Regular updates of operating systems, applications and other software components

  • SSL/TLS encryption

  • Monitoring of our systems and applications

  • Access control and authorisation management (servers, applications, passwords)

  • Backups as well as tested recovery

  • Separation of production from test, staging and development environments

With ISO 27001, we have strengthened the basis for a secure future

We have reached an important milestone with the ISO 27001 certification. It makes our business activities more secure by protecting them with comprehensive information security measures. We ensure that laws and compliance guidelines are adhered to in order to protect customer, personal and project data as well as our corporate reputation.

Our security practices are integrated into all company processes in order to minimize internal and external risks and strengthen our customers' trust in working with us.

By taking security and data protection seriously and continuously monitoring and improving them, we ensure not only the protection of sensitive information and data, but also the long-term integrity of our company.
