Astalty is now ISO27001 certified

Tuesday, 11th June 2024

I am stoked to announce that Astalty is now ISO27001 certified. This certification is the world's best-known standard for information security management systems. It demonstrates our commitment to protecting our clients' data and ensuring the highest level of security.

On the 4th of June I received an email:

Dear James,

Congratulations on the successful completion of the requirements for your Certification through Global Compliance Certification (GCC).

We are pleased to confirm that your company has been certified and registered according to the following standard: ISO/IEC 27001:2022

After months of hard work and dedication, we have finally achieved our ISO27001 certification.

What is ISO27001?

ISO/IEC 27001 is an international standard and is widely known in Australia. The standard outlines the requirements for an information security management system (ISMS). To learn more about the standard you can visit https://www.iso.org/standard/27001.

The standard itself is made up of two main parts:

  1. Clauses 4 to 10: the requirements for an ISMS.
  2. Annex A: a list of 93 security controls that can be implemented to help meet the requirements of the standard.

Initially I thought the standard would be a long, boring and confusing document but after purchasing a copy of the standard and sitting down for what I thought would be a long night of reading, I was pleasantly surprised. The standard is well written and easy to understand.

Clauses 4 - 10 outline the requirements for an ISMS, and it's up to us to dictate how we address those requirements. This is both a good and a bad thing... initially we had no idea what some of the requirements meant, but after some research and help from our consultant we were able to understand what was required.

What does ISO27001 certification mean for our clients?

By implementing an ISMS that meets the requirements of the international standard, we can assure our clients that Astalty is handling their data (and our own data) in a secure and compliant manner that is acceptable to the international community. Instead of going on about what the standard is, I thought I would share some specific examples of things that we have done to meet the requirements of the standard. This is just a handful of the controls that are in place at Astalty.

Risk Assessments

Part of the standard dictates that we must have a risk assessment process in place that identifies information security risks. This could include things like:

  • our servers going down (which affects information availability)
  • malicious software being installed on our servers (which affects information integrity)
  • unauthorised access to our servers (which affects information confidentiality)

Each risk that is found as part of the risk assessment process is then assessed for its likelihood and impact. This allows us to prioritise the risks and implement controls to mitigate them.
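The likelihood-times-impact prioritisation described above, as an added worked example (not Astalty's own register or tooling). The five-point scales, the treatment threshold and the ratings given to each risk are assumptions constructed for this illustration; the three risks themselves are the ones listed in the post.

```python
"""Worked example of a likelihood x impact risk assessment.

Added illustration, not Astalty's own register or tooling. The 1-5 scales,
the treatment threshold and the rating of each risk are assumptions
constructed for this example; the three risks are the ones the post lists.
"""
from dataclasses import dataclass

# Assumed five-point qualitative scales (not from the post).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CIA = {"confidentiality", "integrity", "availability"}

# Assumed risk appetite: a score at or above this requires a treatment plan.
TREATMENT_THRESHOLD = 10


@dataclass(frozen=True)
class Risk:
    name: str
    affects: str        # which information security property is at stake
    likelihood: str
    impact: str

    def __post_init__(self):
        # Reject ratings outside the agreed scales so the register stays comparable.
        if self.affects not in CIA:
            raise ValueError(f"unknown property: {self.affects}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact: {self.impact}")

    @property
    def score(self) -> int:
        """Risk score = likelihood rating x impact rating (range 1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritise(risks):
    """Highest score first; ties go to the higher impact, then alphabetical order."""
    return sorted(risks, key=lambda r: (-r.score, -IMPACT[r.impact], r.name))


def needs_treatment(risks, threshold=TREATMENT_THRESHOLD):
    """Risks the (assumed) appetite does not accept without a mitigating control."""
    return [r for r in prioritise(risks) if r.score >= threshold]


# Constructed register using the three example risks from the post.
REGISTER = [
    Risk("servers going down", "availability", "possible", "major"),                    # 3 x 4 = 12
    Risk("malicious software installed on servers", "integrity", "unlikely", "severe"),  # 2 x 5 = 10
    Risk("unauthorised access to servers", "confidentiality", "unlikely", "major"),      # 2 x 4 = 8
]


def register_table(risks) -> str:
    """Render the prioritised register as a plain-text table."""
    header = "score  property        likelihood impact     risk"
    rows = [
        f"{r.score:>5}  {r.affects:<15} {r.likelihood:<10} {r.impact:<10} {r.name}"
        for r in prioritise(risks)
    ]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(register_table(REGISTER))
    print("treatment required:", [r.name for r in needs_treatment(REGISTER)])
```

The threshold is the part worth arguing over in practice: it encodes the organisation's risk appetite, and a risk that scores just under it is accepted rather than mitigated, so the register should record who made that decision.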

Information Security Awareness, Education and Training

Each of our team members (including myself) has undergone information security awareness training. This training covers things like:

  • how to identify suspicious emails
  • the importance of strong and secure passwords
  • how to identify suspicious activity on our servers
  • what would constitute a security incident

Adherence to our information security policies is also part of our employment agreement - this means that if a team member is found to be in breach of our information security policies, they could face disciplinary action.

User End Point Devices

We are required to have controls in place to ensure that our team members are using secure devices. In order to do this we use a combination of Mobile device management (MDM) and Endpoint Detection software - this gives us the ability to restrict installation of software, enforce encryption and remotely wipe devices if they are lost or stolen.

Security testing in development and acceptance

We have thousands of automated tests in place that ensure our software works as it should and test for security vulnerabilities. These tests also ensure that our roles and permissions system is working as expected. Each time we want to change something in our software, we must first pass these tests before we can deploy the changes.
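One shape such a roles-and-permissions test can take, as an added example that is not Astalty's code: the roles, actions, scoping rules and sample users below are assumptions constructed for this illustration. The authorisation check is compared against a golden table of expected decisions, and a deliberately incomplete check (role only, no object scope) is included to show the class of bug the table catches.

```python
"""Worked example of an automated roles-and-permissions test.

Added illustration, not Astalty's code: the roles, actions, scoping rules
and sample users below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable

# Assumed role -> action policy. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "support_worker": frozenset({"note:read"}),
    "coordinator": frozenset({"note:read", "note:update"}),
    "admin": frozenset({"note:read", "note:update", "note:delete"}),
}


@dataclass(frozen=True)
class User:
    id: int
    role: str
    team: str


@dataclass(frozen=True)
class Note:
    id: int
    author_id: int
    team: str


def is_allowed(user: User, action: str, note: Note) -> bool:
    """Deny by default: the role must grant the action AND the note must be in scope."""
    if action not in ROLE_PERMISSIONS.get(user.role, frozenset()):
        return False
    if user.role == "admin":
        return True                          # assumed: admins may act on any note
    if user.role == "coordinator":
        return note.team == user.team        # assumed: scoped to their own team
    if user.role == "support_worker":
        return note.author_id == user.id     # assumed: only notes they authored
    return False


def role_only_check(user: User, action: str, note: Note) -> bool:
    """Deliberately incomplete check (role, but no object scope) to show what the test catches."""
    return action in ROLE_PERMISSIONS.get(user.role, frozenset())


# Constructed sample users and one note authored by Alice in team "north".
ALICE = User(1, "support_worker", "north")
BOB = User(2, "support_worker", "north")
CARA = User(3, "coordinator", "north")
DAN = User(4, "coordinator", "south")
EVE = User(5, "admin", "south")
GUEST = User(6, "guest", "north")
ALICE_NOTE = Note(100, author_id=1, team="north")

# Golden table of expected decisions: (user, action, note, expected outcome).
EXPECTED_DECISIONS = [
    (ALICE, "note:read", ALICE_NOTE, True),     # own note
    (ALICE, "note:update", ALICE_NOTE, False),  # role does not grant update
    (BOB, "note:read", ALICE_NOTE, False),      # same role, but not the author
    (CARA, "note:update", ALICE_NOTE, True),    # coordinator in the same team
    (DAN, "note:read", ALICE_NOTE, False),      # coordinator in another team
    (EVE, "note:delete", ALICE_NOTE, True),     # admin
    (GUEST, "note:read", ALICE_NOTE, False),    # unknown role: denied by default
    (ALICE, "note:export", ALICE_NOTE, False),  # unknown action: denied by default
]

Check = Callable[[User, str, Note], bool]


def authorisation_failures(check: Check = is_allowed, decisions=EXPECTED_DECISIONS) -> list:
    """Return a description of every row where `check` disagrees with the golden table."""
    failures = []
    for user, action, note, want in decisions:
        got = check(user, action, note)
        if got != want:
            failures.append(
                f"user {user.id} ({user.role}) {action} note {note.id}: expected {want}, got {got}"
            )
    return failures


if __name__ == "__main__":
    assert authorisation_failures() == [], authorisation_failures()
    # The role-only check wrongly lets Bob and Dan read Alice's note.
    for failure in authorisation_failures(role_only_check):
        print(failure)
```

Keeping the expected decisions in a table separate from the policy is the point: when someone widens a role or drops a scope check, the table disagrees and the build fails before the change is deployed.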

Not only do we have our own automated tests, but we pay an external company to perform penetration testing on our software. This means we pay someone lots of money to hack us - thankfully they have never been successful.

What's next?

ISO27001 is not a one-time thing. Part of the standard itself is about continuous improvement. We are committed to continually improving our ISMS and ensuring that we are always meeting the requirements of the standard. We must conduct ongoing internal audits and every year, GCC will come back to ensure we are still operating in line with the standard.

James Mooring

James is a Director and Co-founder of Astalty. James has been creating innovative digital solutions for small to medium businesses across Australia and abroad for several years. After starting his own software development company, Lion Eagle Solutions, he has helped several businesses streamline their processes by building software that solves real problems.