What ISO 27001 certification is, and why we need it

What exactly was certified and how the certification was performed

Recently, TÜV AUSTRIA confirmed that the information security management system we apply using Kaspersky Security Network (KSN) infrastructure is in line with the ISO/IEC 27001:2013 standard in the delivery of malicious and suspicious files. TÜV also affirmed the safe storage and access to these files in the Kaspersky Lab Distributed File System (KLDFS). Here is what ISO/IEC 27001:2013 certification is all about.

What is ISO 27001?

ISO 27001 is an international standard with requirements for the creation, maintenance, and development of information security management systems. Essentially, it’s a collection of best practices addressing security management measures to protect information and guarantee customers protection of their data.

To conduct certification , an independent entity — in our case, TÜV AUSTRIA — sends auditors whose main goal is to check how the processes that provide cybersecurity comply with best practices. During the audit, they evaluate processes in various departments including HR, IT, R&D, and Security) and compile a comprehensive report, which other independent experts then analyze to confirm the impartiality of the auditors. Finally, the independent organization issues a certificate, which in our case confirms that the information security management system complies with best practices.

What’s “certified”?

Our customers are interested primarily in whether we provide the greatest possible level of security for processes of delivery of malicious and suspicious objects (files) for additional automatic and manual analysis by our experts, and whether we then store those objects reliably. This area is a central one for any antivirus company. Therefore, we pursued certification of the delivery mechanisms for malicious and suspicious files using the infrastructure of Kaspersky Security Network and their safe storage in the Kaspersky Lab Distributed File System. However, the auditor was not restricted to this area only. Many services in the company are arranged in a similar way.

Many factors affect the safety of any process, and information security management systems can help define those factors and provide timely protection. Many questions in cybersecurity management can be considered fundamental. Who has access to information systems and critical data? How did their job application process go? How do employees work with documents and information systems? How does the security team handle revoking access rights when an employee leaves? How aware are employees of possible cyberthreats and means of protection against them? How do administrators work with computers running critical operations?

The protection system also considers new types of threats and counteraction, for example, protection against APT attacks, countering the possible risks of using new technologies, including using machine-learning algorithms.

With the above in mind, the auditors analyzed documentation, talked with employees from various departments, and analyzed the technical and organizational aspects of data protection, such as the processes of recruiting, dismissal, and training. They studied how the IT service maintains the corporate network, and they visited our data centers. They also watched how employees work, checked whether they left printed documents and removable media lying around the office and if they locked their computers when away from their desks, as well as what their monitors and dashboards displayed and what kinds of programs they used to work. In other words, they analyzed the practices that apply to the entire company, paying special attention to the verification of information security management system processes: security analysis by management, risk management, incident management, corrective actions, audits, ensuring employees’ cybersecurity awareness, and maintaining business continuity.

What’s next?

Now, concerned customers can familiarize themselves with the certificate, which represents the opinion of independent experts. Questions about ISO 27001 certification come up pretty frequently, especially when an enterprise company is choosing a security provider, because certified services are involved in most of our solutions.

The work does not stop here. We recertify every three years. That means more audits to prove certificate ownership. In addition, the auditors do spot checks yearly.

You can find additional information about the certificate at https://www.kaspersky.com/about/iso-27001.