CityShob has achieved ISO 27001 certification!
We are proud to announce that CityShob has recently achieved ISO 27001:2013 (ISO 27001) certification, one of the most globally recognized information security standards.
Working towards ISO 27001 certification not only demonstrates our strong focus on providing our customers with the highest level of products and service, but also our commitment to investing in the latest technology and developments in our C-Insight platform for Smart City management solutions.
Following our ISO 9001:2015 certification, becoming ISO 27001:2013 compliant meant going through an evaluation process that included developing the information security management system (ISMS), a review of the management system documentation, an external audit, and a full assessment.
ISO 27001 certification not only demonstrates the company's commitment to continual improvement, it also opens up more opportunities to do business in the global marketplace.
To achieve the certification, CityShob's security compliance was validated by an independent audit firm, penetration tests were conducted, and, after we had demonstrated an ongoing and systematic approach to managing and protecting company and customer data, we were finally certified by SII.
This milestone is very important for us. Almost every team in the company came together to get this job done, including DevOps, Engineering, QA, and the entire executive staff.
How we worked towards ISO certification
About nine months ago, we began working in earnest towards ISO 27001 certification, to validate and formalize our security efforts.
As part of the preparation for the certification, we went through the seven management-system clauses (clauses 4 to 10) and the 14 Annex A control domains defined by the standard.
Here are the milestones we defined and successfully accomplished:
- Project Planning & Preparation, defining the scope and timeline.
- Information Gathering and Analysis. Taking inventory of all information assets (servers, databases, etc.).
- Building asset mapping registry to include inventory, ownership, acceptable use, and returning of assets.
- Risk assessment, management and mitigation plan. Determining which existing controls apply to the identified risks.
- Penetration tests executed by a certified external company (COMSEC).
- Analyzing the findings and defining the actions. Resolving the issues found.
- Deciding what actions to take to address the remaining risks.
- Internal audit, carried out with an external company (Cyber-Ex).
- Finalization and Certification (by SII) that took three extensive days of meetings and reviews.
What we learned during the certification process
We learned a lot in this process. Along the way, we identified several areas that could be improved, and our development team worked hard to improve security and reduce the risks.
Even with the last nine months of work behind us, we are not done yet. We are continuously working on improvements, preparing designs, and developing new products and features while keeping all security aspects in mind. The certification means we have formalized IT security policies and procedures and improved our development procedures, work instructions, and Quality Assurance procedures. We have implemented several security measures that protect our products from unauthorized access or compromise. It also means we remain committed to improving our ISMS and our security posture.
How we’re moving forward
Achieving our certification is significant and took a determined effort. The most important benefits will come from maintaining our ISO 27001 certification. We will ensure that our products grow more reliable and secure with time. The idea of continual improvement rests at the core of ISO 27001 and at the core of how we operate here at CityShob.