Following an intensive process, this summer Yellowstar was awarded ISO 27001 certification for information security. Chief Security Officer Pablo Girardi explains the significance for his own organisation and, in particular, for customers. "For us, it's much more than just a piece of paper."
What is the essence of ISO 27001 for you?
"The awareness it creates about potential security risks – both within Yellowstar itself and for our customers. As a company, we have a responsibility to ourselves and to our customers in terms of cybersecurity – especially in the world we live in today. During the pandemic, even more loopholes were created for hackers to exploit. Eighty percent of security issues have a human cause – often through very basic things like clicking on suspicious e-mails, being careless with passwords, etc. ISO 27001 establishes a focus on information security and helps create the right mindset to want to continuously improve it. It is a demonstration to customers that we value safe working and are aware of the risks, but also that we expect the same from our own suppliers."
How does Yellowstar use ISO 27001?
"ISO 27001 makes you look at yourself even more critically as an organisation. We do this in a very hands-on way. For example, by running through a checklist of security aspects before an application goes live. Or by adopting a critical attitude from the outset when a customer asks for a new application, in terms of its possible impact on security or performance. By creating awareness among customers, we may be able to come up with different, safer solutions."
How do you ensure that ISO 27001 is actually given practical relevance?
"First of all, I think through the way we approached achieving ISO 27001. We chose a bottom-up approach, from practice to policy – how do we at Yellowstar work and what are the appropriate risk mitigation measures that will be truly effective? Because of this approach, it took us longer than is normal for an ISO implementation, but we did create real awareness within the organisation and the policy also enjoys broad support. The concluding audit was highly complimentary about that approach."
And what are the next steps, now that the ISO 27001 certificate has been obtained?
"We continually highlight security and security risks at all levels within Yellowstar. The issue features in regular blogs, is addressed in internal meetings and is on the management team's agenda each week. In addition, we test actual practice. For example, through penetration testing focused on infrastructure security. But we also occasionally send fake phishing e-mails internally to see what happens. It really makes the subject concrete to people. Security is not the concern of others."
Is Yellowstar's ISO 27001 certification unique?
"For a company of Yellowstar's size, achieving ISO 27001 is not a simple matter. It is one of the tougher ISO certification processes. So in that sense, it is special. At the same time, it is increasingly becoming a requirement for customers. Personally, I think it reflects well on us as a company that we took the time to really tackle the certification process properly. That's kind of unique. It shows that we take information security seriously as an organisation. For us, it's much more than just a piece of paper."