People.ai just achieved ISO 27001:2013 certification. We now stand shoulder-to-shoulder with Apple, Google, and Amazon, though perhaps not with as much congressional turmoil. We’re like the short, badminton-playing cousin twice-removed in the awkward holiday photo of three generations of football players. Still, we’re getting there. ISO 27001:2013 certification is no easy task for anyone, but practically unheard of for a company of our size. Yet, some more meat and potatoes, and fewer string beans, over the next few years, and we’ll be towering over our cousins.
ISO certification is an impressive, albeit soporific accomplishment. For more than 20 years, I’ve been designing and implementing security systems. For me, it’s always been fun, and sometimes exciting, such as the time I overwrote a production database of 200,000+ credentials with a single command. ‘ldap2db’ is not the same as ‘db2ldap’. Bringing a major retailer to a grinding halt is exciting. Getting ISO-certified is not.
ISO 27001:2013 certification is not about designing or implementing cool controls. It’s not about placing a Robocop cyborg-like creature at your data center’s entrance, with a Gatling gun and Sidewinder missiles. That is what SOC 2 Type 2 certification is about. (We’ve been SOC 2-certified since 2017; we’ve recently re-upped our cert, adding ‘availability’ and ‘confidentiality’ to our already-present ‘security’ set of certified controls.)
No, ISO certification is not exciting or fun, not at all. If playing beach volleyball is fun, getting ISO-certified is like having to account for all of your freckles, with a photo of each dated, tagged, and described. If you’ve got pale skin like me, that can take a while. Leave it to the European Commission to take the fun out of technology.
However, as an enterprise focused on information security, this is what you want: Your service provider should have a solid, reliable, boring “information security management system” (ISMS). Your service provider’s executive management team should lead the effort to secure your data. You want that team to be serious about your data. That’s how you know your service provider is a responsible partner. What you want are binocular-clad lifeguards, not Baywatch sunbathers, when you go swimming in shark-infested, rip-tidal water.
When it comes to your data, yes, you want boring. ISO can take the excitement out of security for someone like me, but it’s good for you, and for your customer’s data. Thank the Europeans for that.
About The Author
Jonathan Jaffe, Director of Information Security at People.ai
With over 20 years’ experience designing and implementing large-scale Internet security solutions for the world’s largest companies and government agencies, as well as practicing information security law, Jonathan Jaffe is an expert in cyber-security implementation, information security strategy, security system implementation, and security and privacy compliance.