Data security is a core concern for every company, particularly since the introduction of the GDPR in May 2018. SMEs and large enterprises alike now rightly have a laser focus on the security of their third-party software providers, with a spotlight on HR software and staff data. But why choose an ISO 27001 certified HR software provider?
HR software providers typically host a lot of Personally Identifiable Information within their HR systems on behalf of their clients (as data processors in GDPR terms), because thousands of companies keep personal data about staff within their HR system. This means it’s crucial for HR software companies to get data security right.
ISO 27001 certification is a good indication that a company is taking security seriously with robust infrastructure and processes in place, ensuring your data is stored and processed in an appropriate manner and thereby reducing the risk of a data leak or breach.
What is ISO 27001?
ISO 27001 (or to give its full name, ISO/IEC 27001:2013) is an internationally-recognised security standard that provides the specification for an Information Security Management System (ISMS). Based on risk management principles, the ISMS sets out the policies and procedures defined by organisations to keep all the information they hold secure, helps increase resilience to cyber-attacks, and provides a central framework for the management of data and information.
ISO 27001 is an externally audited certification, which requires organisations to present their ISMS framework and evidence records of its use to certified auditors trained in Data Security during a rigorous set of interviews and meetings.
By adopting a systematic approach to security management, a company with ISO 27001 certification is much better prepared to identify, manage and assess the risks associated with the collection, storage and deletion of personal data.
What does ISO 27001 certification involve?
Gaining ISO 27001 certification is not a quick process and requires real commitment from the organisation to put in the hours and resources needed to pass the audit process. In most cases, a large proportion of time is spent creating the required documentation needed for the ISMS. This involves assessing existing processes and infrastructure to ensure conformity to the ISO 27001 standard while still ensuring practical use.
This is no small feat – here at myhrtoolkit, it took us a year of hard work and commitment to prepare for and gain ISO 27001 certification. Companies also spend time training their staff on the ISMS. Gaining certification is not just about having the right documents; more importantly, it’s about creating a company-wide culture where data security is something that each employee takes seriously.
Then comes the audit. The initial audit process for ISO 27001 certification is conducted in three stages:
Before inviting any external scrutiny, companies carry out an internal audit of the system and its day-to-day use to identify any areas of the standard that are not being met and enact any corrective action needed.
External stage one audit
At this stage, the auditor assesses whether the company has successfully complied with the proposed scope of the ISMS and that the structure of their ISMS fulfils the requirements of the certification standard. It is a constructive audit, showing companies where they may have weaknesses (called non-conformities, which can be major or minor) so they can take any remedial action needed in preparation for the next stage.
External stage two audit
30 days after the stage one audit, a stage two audit is conducted, which takes a deeper look into the processes and procedures the company operates. This audit is conducted to ensure that not only do these processes and procedures conform to the requirements of the standard, but also that they work in practice and are being followed throughout the organisation.
Any non-conformities from the stage one audit are reassessed to ensure corrective action has been taken. If additional non-conformities are found at stage two, they are assessed as to their severity. If they are minor and can be addressed simply and quickly, certification may still be awarded; if the non-conformities are significant, it may require a third audit to satisfy the auditor that their concerns have been addressed.
Why does ISO 27001 certification matter?
ISO 27001 matters for software providers as it shows a clear, strong commitment to data security against international standards. Customers can rest assured that their HR software provider, for instance, has a robust approach to keeping personnel data secure and managing risks. The whole company learns about certification and using the ISMS, to ensure high standards of security across the organisation.
However, getting ISO 27001 certification isn’t the be-all and end-all – it’s an ongoing process. Companies with ISO 27001 in place are checked annually to ensure they continue to use the processes put in place. This auditing cycle ensures that their data security practices are continuously improving. Companies must also reapply for certification every 3 years.
Hear from an ISO 27001 certified HR software provider
If you’d like to find out more about why ISO 27001 certification is a must when you’re looking for HR software, you can get in touch with the myhrtoolkit team.
Written by Camille Brouard
Camille is a Senior Marketing Executive for myhrtoolkit who writes on topics including HR technology, workplace culture, leave management, diversity, and mental health at work.