ISO 27001:2017 Information Security Assurance for Ardoq's Customers

7 Apr 2022

As a SaaS company, it is crucial that Ardoq is on the front foot when it comes to security. In an ever-shifting security landscape, security can be neither static nor paper-based. Ardoq’s Chief Information Security Officer (CISO) Nick Murison chats about what our recent ISO certification means for our customers and how this ties into the bigger security picture at Ardoq.

What Is ISO 27001:2017?

ISO 27001:2017 is an internationally recognized standard for Information Security Management Systems (ISMS). The standard advocates for continuous improvement, something we believe in strongly at Ardoq. At its core, the ISO 27001:2017 standard defines an ongoing loop of activity. They require us to assess, plan, implement, measure and look for ways to improve. Nick explains how Ardoq’s approach to security is continuous, “it's not like we just want to tick the box, which can be a tempting approach when it comes to compliance. We're keen not to have that. Compliance, in our mind, cannot be paper-based and static.”

How Does Ardoq’s ISO 27001:2017 Certification Fit Into Our Bigger Security Picture?

ISO 27001:2017 certification is a welcome addition to Ardoq’s security optimization culture, adding to our SOC 2 Attestation and membership in the Cloud Security Alliance.

Customers expect us to take security seriously. Having ISO 27001:2017 certification means speaking the same language, communicating what we are doing, and sharing a common understanding to demonstrate how we manage security risks.

iso 27001 2017

What Is the Value of an Independent Third-Party Opinion on Security?

Maintaining both ISO 27001:2017 certification and SOC 2 (Type II) attestation requires Ardoq to undergo regular audits by independent third-party auditors. These audits don’t just provide us with validation that our ISMS is operating appropriately and that relevant security controls are implemented; they also provide us with an opportunity to look for ways to improve further. Ardoq’s annual SOC 2 (Type II) and ISO 27001:2017 audits are spaced almost six months apart, giving us a good cadence as part of our annual ISMS cycle.

Having an independent third-party opinion lets customers make informed decisions about to who they entrust their data. ISO 27001:2017 provides a common language and nomenclature of security assurance and can help make procurement processes smoother.

How Does Ardoq Manage Security Risks?

Nick warns that ISO 27001:2017 is not a magic wand, and compliance does not equate to 100% security. But, he explains that it provides a framework for identifying and managing security risks. “We have ways of identifying potential threats, risk assessing them, and treating them accordingly. Completely preventing a risk from ever being realized is often infeasible, so we also need to have the capability to identify and respond when necessary.”

It’s also about transparency. Ardoq’s HackerOne Bug Bounty Program provides results-driven, hacker-powered security testing on a continual basis, providing us with excellent data when measuring the effectiveness of our security activities. Ardoq also does annual penetration tests, and we share the reports with customers who want to see that we have someone independently review our platform’s security.

What’s in Store for the Future?

Security is a top priority for Ardoq, as exemplified by us prioritizing SOC 2 (Type II) attestation and ISO 27001:2017 certification during a period when we have more than doubled in size. We’ve chosen to prioritize both aggressive growth and security. As we have grown and scaled, we have changed how we manage risk. While it’s difficult to say what the future has in store, we believe implementing an ISMS in line with ISO 27001:2017 enables us to embrace the evolving risk landscape and continually improve. We also believe participating in networks such as the Cloud Security Alliance, the Norwegian Information Security Forum, as well as threat intelligence sharing communities help us to stay prepared.