As a SaaS company, it is crucial that Ardoq is on the front foot when it comes to security. In an ever-shifting security landscape, security can be neither static nor paper-based. Ardoq’s Chief Information Security Officer (CISO) Nick Murison chats about what our recent ISO certification means for our customers and how this ties into the bigger security picture at Ardoq.
What Is ISO 27001:2017?
ISO 27001:2017 is an internationally recognized standard for Information Security Management Systems (ISMS). The standard advocates for continuous improvement, something we believe in strongly at Ardoq. At its core, the ISO 27001:2017 standard defines an ongoing loop of activity. It requires us to assess, plan, implement, measure and look for ways to improve. Nick explains how Ardoq’s approach to security is continuous: “It's not like we just want to tick the box, which can be a tempting approach when it comes to compliance. We're keen not to have that. Compliance, in our mind, cannot be paper-based and static.”
How Does Ardoq’s ISO 27001:2017 Certification Fit Into Our Bigger Security Picture?
Customers expect us to take security seriously. Having ISO 27001:2017 certification means speaking the same language, communicating what we are doing, and sharing a common understanding to demonstrate how we manage security risks.
What Is the Value of an Independent Third-Party Opinion on Security?
Maintaining both ISO 27001:2017 certification and SOC 2 (Type II) attestation requires Ardoq to undergo regular audits by independent third-party auditors. These audits don’t just provide us with validation that our ISMS is operating appropriately and that relevant security controls are implemented; they also provide us with an opportunity to look for ways to improve further. Ardoq’s annual SOC 2 (Type II) and ISO 27001:2017 audits are spaced almost six months apart, giving us a good cadence as part of our annual ISMS cycle.
Having an independent third-party opinion lets customers make informed decisions about who they entrust their data to. ISO 27001:2017 provides a common language and nomenclature of security assurance and can help make procurement processes smoother.
How Does Ardoq Manage Security Risks?
Nick warns that ISO 27001:2017 is not a magic wand, and compliance does not equate to 100% security. But he explains that it provides a framework for identifying and managing security risk. “We have ways of identifying potential threats, risk assessing them, and treating them accordingly. Completely preventing a risk from ever being realized is often infeasible, so we also need to have the capability to identify and respond when necessary.”
It’s also about transparency. Ardoq’s HackerOne Bug Bounty Program provides results-driven, hacker-powered security testing on a continual basis, providing us with excellent data when measuring the effectiveness of our security activities. Ardoq also does annual penetration tests, and we share the reports with customers who want to see that we have someone independently review our platform’s security.
What’s in Store for the Future?
Security is a top priority for Ardoq, as exemplified by us prioritizing SOC 2 (Type II) attestation and ISO 27001:2017 certification during a period when we have more than doubled in size. We’ve chosen to prioritize both aggressive growth and security. As we have grown and scaled, we have changed how we manage risk. While it’s difficult to say what the future has in store, we believe implementing an ISMS in line with ISO 27001:2017 enables us to embrace the evolving risk landscape and continually improve. We also believe participating in networks such as the Cloud Security Alliance and the Norwegian Information Security Forum, as well as threat intelligence sharing communities, helps us to stay prepared.
3 Ways Ardoq’s ISO Certification Is Security Assurance for Customers
- Continuously assessing the risk landscape, including ourselves
- Independent third-party opinion
- Speaking the language of security to our customers
Whether it's writing her own storybooks or contributing to social justice blogs for NGOs, Elspeth sees writing as a powerful communication tool that can change perspectives and connect people.