ISO/IEC 27001: Ensuring the integrity of digital identity verification

March 30, 2022


PXL Vision is officially certified to the ISO/IEC 27001:2013 standard! This is great news for all of our new and existing customers.

What is ISO/IEC 27001:2013?

As recorded in the official Press Release of PXL Vision’s ISO 27001 certification:

“ISO 27001:2013 is the globally recognized standard for information security. It requires numerous processes for the establishment and operation of an information security management system (ISMS). The certification attests that PXL Vision has appropriate and comprehensive organizational structures, guidelines and processes for planning, implementing, monitoring and improving its information security.”

The acronym ISO stands for the International Organization for Standardization, and IEC for the International Electrotechnical Commission. Ownership of ISO/IEC 27001 is shared between the two bodies: the IEC is a Geneva-based standards organization that focuses primarily on electrical and electronic technologies.

Even though the official name of the standard is ISO/IEC 27001, it is often shortened to ISO 27001 for simplicity.

The number that follows ISO/IEC (in our case 27001) identifies the specific standard; different numbers cover different facets of an organization that need quality checks, each with its own associated management system. Hence, the ISO website entry for ISO/IEC 27001:2013 continues as follows:

“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

The colon followed by a year (in this case :2013) indicates the year in which that edition of the standard was published.

What exactly is an information security management system (ISMS)?

To break down what information security actually covers, consider the acronym CIA. Not the Central Intelligence Agency of the United States, but the confidentiality, integrity and availability of information.

3 key objectives and considerations of information security

  1. Confidentiality – Information is not made available or disclosed to unauthorized people, entities or processes. Data is confidential only when solely those who are authorized to access it can do so. To ensure confidentiality, you need to be able to identify who is trying to access the data and to block attempts by anyone without authorization. Unique usernames and strong passwords, combined with two-factor authentication, provide an important level of defence against intrusion attempts. Confidentiality is also achieved through encryption of data in motion, in use and at rest.

  2. Integrity – Information is complete and accurate, and protected from corruption. This implies maintaining the data in its owner-defined state and preventing attacks or accidental mishaps that could lead to unsanctioned modification. Many of the techniques that ensure confidentiality also protect data integrity: data that is protected by strong passwords, digital signatures and similar infosec techniques is more likely to retain its integrity.

  3. Availability – Information is accessible and usable as and when authorized users require it (need-to-know principle). While it is important to protect your data from unauthorized access, you also need to ensure that it can be accessed by those who have the proper permissions. Information should be made available to those who hold valid credentials.

How PXL Vision became ISO 27001 certified

The ISO 27001 certification is so important to PXL Vision that we decided to follow up with members of the trust team at PXL and give them space to reflect on the certification process.

First, the idea to get certified was a top-down directive from the executive level at PXL Vision. The decision was clear given how important it is for companies that process personally identifiable information (PII) to have a solid ISMS in place.

Once the directive was received, the trust team at PXL Vision was scaled up and got down to brass tacks. A shining attribute of the entire certification process was the excellent teamwork, not just within the core team but across the wider PXL team. Intensive weekly sessions were held to discuss and plan the stages of the certification process, and the wider PXL organisation also came together for training sessions on information security and data protection.

_____________________________________

We reached out to members of the PXL trust team to follow up on the process and provide them some space to reflect:

Marko Krstić, PXL Vision's Head of DevOps, explains the concept and reasoning behind the ISO certification. The certification is to: “Ensure that there are standardized processes for handling data at our organization such that individuals can safely and securely access our systems. The ISO certification does not tell us how but rather what an organization should do … While there is an ISO framework, it is up to the team to figure it out and implement it. Apply best practices and seek external guidance to help guide the process.”

Throughout this process, Marko himself became a better data engineer and even experienced a shift in perspective after seeing everything from above. Furthermore, working closely with the security team helped forge relationships within PXL Vision and gave him a better understanding of individual roles at PXL.

Nevena Shamoska, PXL Vision’s Chief Technology Officer (CTO), was often seen burning the midnight oil. Nevena led the ISO certification process and was happy to note that all of team PXL was on board and in sync from day one. Reflecting on the process later, Nevena believes that the ISO certification has provided useful insight for further certification processes. In her own words: “There were loops within loops and it would have been easy to lose track. We went with the mantra: define, review, test, repeat… define, review, test, repeat… define, review, test, repeat.”

Dieter Renken, PXL Vision’s Head of Information Security, reflected on the certification by dividing it into a before, during and after phase.
Before the process started, Dieter quipped that ISO 27001 certification was a really big deal for a smaller organization – calling it the gold standard for security. He had seen it rather as something that only larger companies would do, on the road to international expansion.

During the process, Dieter reflected on the incredible spirit of team PXL throughout the stressful audit process. The audits, of which there were three in total, were like studying for exams: “You always want to learn enough to pass, but you are never sure until you receive the results.”

After the process was finished and the ISO 27001 certification was awarded, Dieter continued to be amazed by the cooperation at PXL Vision. In Dieter’s words, speaking towards the ISO 27001 audit process: “You build a relationship with the auditor, where it is important to engage with trust and friendliness. Not to influence the audit process of course but to be able to work together.”

Last but not least, Timo Neumann was brought in through an external partnership to help drive the ISO certification process forward. Timo was primarily responsible for structuring and documenting the process, as well as leading the security training sessions for all PXL Vision employees.

Timo’s reflections on PXL’s ISO 27001 certification:
“In the past at other companies, I often had the experience that people did not have time because they had other important tasks; you had to fight to keep them in the project, or you had a management who was like ‘this is all unnecessary, why do we have to do this’. None of this was true with PXL Vision. Everyone did their work reliably and management fully supported the project.”

Thanks for the kind words, Timo!

Visit our Trust Center for more detailed information on the security standards that PXL Vision is putting in place.
