Is your testing partner ISO 27001 compliant?
In a world where data security breaches, hacking, thefts and cyber attacks are becoming more frequent and commonplace, it is essential that companies protect their data using all means available.
One of the more spectacular data breaches in recent years involved the data analytics firm Cambridge Analytica’s harvesting of over 50 million Facebook profiles of voters in the United States, using this information to build software that could predict who these voters were likely to choose in the US presidential election in 2014. The app then targeted voters with political advertisements designed to influence their vote. At the time, Cambridge Analytica was owned by Donald Trump’s key advisor, Steve Bannon. The app collected information via a so-called personality test where users who were paid to take part agreed to share their data for ‘academic purposes’. However, the app also collected data of the Facebook friends of the participants, without authorisation and in breach of Facebook’s data protection policy.
Massive-scale data breaches make the headlines, but there are many more that happen on a daily basis, impacting thousands of online users and creating havoc for companies as they scramble to assist their unhappy customers, repair their reputational damage and implement tighter controls for data protection.
Because data security has become so incredibly important, compliance regulations surrounding data privacy and security have been intensely scrutinised, with new and far more stringent regulations and rules coming into effect towards the end of 2018.
One such system is the International Organization for Standardization (ISO) 27001:2013, which sets out the requirements for an information security management system (ISMS). ISO 27001 certification demonstrates that an organisation has identified the risks and put systems and controls in place to limit data breaches.
“ISO 27001 certification requires 100% commitment to protecting all critical information held by the organisation,” says Jacques Fouché, CEO, Inspired Testing. “In our line of business – software testing – we get exposed to massive volumes of data from a broad range of industries, including retail, financial and medical companies. ISO 27001 certification takes us to another level of security, whether it’s exposed to our information systems or we are granted access to our clients’ systems,” says Fouché. “Attaining the certification involved an independent assessment and audit of our information security system to ensure we meet the requirements of the standard. We also have to regularly review our ISMS and conduct the necessary assessments to retain our certification. It is a task that requires tenacity and total dedication to protecting our clients’ data.”
Updating the legislation that protects data is also of paramount importance in today’s fast-moving technological world. To this end, the General Data Protection Regulation (GDPR) came into force on May 25 2018, designed to modernise laws that protect the personal information of individuals. It also boosts the rights of individuals and gives them more control over their personal information. GDPR is a regulation in EU law covering data privacy and protection for all individuals in the EU and European Economic Area. It also addresses the export of personal data outside these areas.
In South Africa, data privacy is covered by the Protection of Personal Information Act (POPI), and like the GDPR it regulates how companies can collect, process and store information such as names, ID numbers, location and IP addresses.
The synergy between GDPR, POPI and ISO 27001 is self-evident. ISO 27001 identifies personal data as an information security asset and most of the GDPR and POPI requirements are covered by the certification.
“It is essential that all key staff in an organisation are exposed to and fully understand the ramifications of ISO 27001 for the business and for clients,” says Fouché. In fact, staff awareness, training and leadership support are requirements of ISO 27001 certification, not only to achieve it but to maintain the standard going forward.
The seriousness with which data breaches are viewed can be seen in the fallout after the March 2018 Facebook incident, with the company’s shares dropping seven percent – that’s $43 billion off the company’s market capital – in one day. The company faced lawsuits, reputational damage, investigations by the attorneys general of Massachusetts and New York and an investigation by the Federal Trade Commission into its privacy practices. Facebook’s co-founder, chairman and chief executive, Mark Zuckerberg, was called to testify before Congress about Cambridge Analytica and the company was eventually fined $500 000 for failing to protect users’ information.
Of course, this is an extreme, high-profile case, but imagine if your customers’ data was breached and your business had to deal with the fallout. It could cost a whole lot more than the time it takes to ensure that your testing partner is fully compliant. It’s really not worth taking the risk.
Jacques Fouché is the CEO of global software testing company Inspired Testing.
Inspired Testing’s disruptive onshore offshore model offers a revitalised alternative to outdated offshore models. With a scalable pool of 250+ expert QA professionals in the UK and South Africa, the company’s strength lies in knowing how to structure, execute and automate testing, using a unique combination of experience, technique and blended onshore offshore delivery capabilities and testing across most platforms, devices and environments. www.inspiredtesting.com
Inspired Testing is a wholly owned subsidiary of Dynamic Technologies, a software and technology group with 1 000+ staff and thirteen group companies across the UK and South Africa, providing a diverse range of technology solutions, digital services and related core competencies. Our group companies comprise DVT (which includes the DVT Academy), Cloudsmiths, DotModus, EventSmiths, Swarm, Blue Pencil Consulting, Inspired Testing (including the Global Testing Centre), IndigoCube, Candice Clark Recruitment, Emerald Consulting, Dynamic DNA and DTH Services. www.dynamic-tech.com