By Paul Carr, Security Manager, boost.ai
Boost.ai has been granted ISO27001 certification. Here’s what that means and why it’s important.
Boost.ai decided early to implement an information security management system (ISMS) compliant with ISO 27001, and certify against that standard.
The process has been ongoing for several years, and, as of May 2021,we have not only achieved the certification, but also been rated as having a high effectiveness of implementation.
The process of achieving ISO certification included the whole company, both for agreeing security related processes and mechanisms, but also for ensuring awareness, following the policies and processes, and continuously improving these.
We have been praised by auditors for our good security culture, and with this culture and the continual support from top management, it has been a pleasure being part of this journey.
ISO 27001 is a stamp of approval that means boost.ai can be trusted to manage the information security and privacy of both our own and our customers' data. Our accreditation comes from DNV, a well-respected company that is trusted globally for its certification work..
And our commitment to security doesn’t stop here. We will continue to be audited every year and, with that, prove to our customers and partners that we have a comprehensive management system for information security, reducing the need for other audits and questions about security. The security measures we have implemented are based on identified risks and reduce those risks to an acceptable level.
As a company, we now have an overall information security policy, as well as 14 other information security related policies, setting the ground rules of what we do. The ISMS holds a large scope - 110 of 114 security controls are relevant and implemented. Each control is measured annually to verify its implementation.
We have also implemented a security awareness program to raise awareness amongst employees. The security awareness program is mandatory and based upon the policy rules set for the ISMS as well as most common threats for the company and best practises to avoid them.
Processes are documented together with a process owner, process contributors and managed by a process improvement lead. Processes are set up using flow charts with role bands to clearly assign responsibilities for the specific activities. All processes are reviewed by the Security Manager and specify the security controls covered through that specific process. The processes are reviewed annually.
We have a risk manager ensuring that risks are identified annually and as part of changes, and the risks are analysed to agree risk levels. Risk treatment plans are agreed with management and followed through until any residual risk is acceptable.
Our conversational AI platform is particularly hardened and has many security features, including adherence to GDPR standards.