We’ve applied for ISO 27001 Certification
Why are we doing this?
“The security of your data is paramount to us” – see how easy that is to say!
One thing we’ve realised since we started WriteUpp in 2012 is that providing “software as a service” is like an iceberg. As users, you see the features and user interface enhancements above the water, but much of the work, effort and brain-power goes into the things below the water that you can’t see, such as security, data management, 24*7*365 operation and server optimisation.
Obviously, these are matters that come sharply into focus if things go wrong, but by then, from your perspective, it might be too late.
From our perspective, we know what we do day in, day out to make sure you can sleep easy at night. Occasionally you see evidence of this in things like our recent decision to move to Microsoft’s Azure platform, but all too often you don’t.
With this in mind, we decided that we wanted certification (ISO 27001) of our approach and systems, so that you, and clinicians considering using WriteUpp, have an official stamp of approval covering all the things that go on in the background.
What is ISO 27001?
The ‘International Organization for Standardization’ (ISO) developed its 27001 standard to give organisations an effective way of “establishing, implementing, maintaining and continually improving an information security management system.”
ISO 27001 is a globally recognised standard that provides the framework for an effective Information Security Management System (ISMS). It sets out the policies and procedures needed to protect any organisation that places a reliance upon IT systems. It includes all the risk controls (legal, physical and technical) necessary for robust IT security management.
Certification will demonstrate that we have the IT security management systems and controls in place to combat cyber attacks and other threats to data integrity.
In gaining certification, we will have to demonstrate to an independent body that our ISMS complies with the ISO 27001 standard.
What is and isn’t certification?
While we’ve been doing our due diligence on the standard, we’ve noticed that a number of organisations state that their partners have ISO 27001 certification, with the implication (by proxy) that this covers them. It doesn’t.
To be ISO 27001 certified, the business concerned (not its partners) must itself have been certified by an official auditor. Below is our letter of intent from the auditor that we have chosen to work with:
ISO 27001 & GDPR
GDPR (General Data Protection Regulation) will come into effect in May 2018 and it’s our stated intention to ensure that you are provided with all the tools you need to ensure that your practice is compliant.
Our decision to gain ISO 27001 certification positions us very well for the challenges that lie ahead as we all get to grips with GDPR.
In the coming months we will be providing you with more information and guidance about GDPR and the steps that we are taking in WriteUpp to ready you and us for its arrival.