At JRNI, security is a top priority. From ISO to GDPR, we have strict policies in place to protect you and your teams, and equally important, your customers and your data. At the core of our commitment to security, we are dedicated to ISO 27001 compliance, safe practices, and risk management.
Since it’s also the number one topic raised by every customer and prospect, we thought it was time to tell the full story. We sat down with our Head of Engineering, Niall Giggins, to discuss the importance of ISO 27001, our internal processes and controls around security, and other compliance considerations. Our internal security and risk management processes are in place to ensure we are meeting specific standards, while our internal controls are the actions taken to ensure the accuracy of our processes. Keep reading to learn more!
How does our ISO 27001 certification benefit customers?
It gives our customers the assurance that they have security when working with us. When we have strong security and risk management processes with ongoing auditing, our customers can be sure that they have end-to-end security in place.
Why does JRNI choose this certification?
While most people believe that the standard is focused only on security, it's actually more around process and risk management, of which security is just one of the considerations that should be addressed. ISO 27001 is about building a framework within which we identify risks and requirements, and tune our business processes to operate in a manner appropriate to the needs of JRNI and our customers.
This is in contrast to some of the other certification processes out there, which, while having great standards in their own right, are often interpreted as a checklist of must-do actions that place little emphasis on the reasoning behind the requirements. In some cases, these can be seen as box-ticking exercises by those who are implementing them, leading to a false sense of overall security and processes that are not as robust as that organization requires.
The first thing ISO 27001 teaches you is that you have to look at what you have (assets, data, processes, etc.), and what specific risks may affect those. Along with potential security risks, there may also be other risks to take into account, such as a process failing, or not being completed on time, or with data not being accurate.
ISO 27001 gives you a way to identify and understand these risks, and once you have done so, you can look at what you can do to reduce or eliminate those risks. As a result, you often end up implementing some of the more ‘checklist’ standards I previously mentioned. The difference is that, as you’ve gone through the exercise of truly understanding your needs, you are better informed as to what those standards bring to the organization and your customers.
Repeating the process over time allows you to review and monitor your progress and determine if your controls are still effective or need to be updated, while also identifying changes in the business or risks that are emerging from outside of it.
Does JRNI have any other certifications or standards it uses?
Well, aside from ISO 27001, which provides our core framework, we have also adopted two of the other ISO standards: ISO 27017 for additional cloud security measures and ISO 27018 for the protection of personal data contained on our systems.
Speaking of personal data, we are also fully compliant with GDPR, the CCPA, and several other global data protection privacy laws and regulations.
We have worked with a wide range of customers over the years and adopted or met the requirements for a number of other specific standards, such as PCI DSS for our customers that take payments; the National Health Service N3 / HSCN requirements or HIPAA for our healthcare customers; and government information security standards such as Cyber Essentials (UK), FedRAMP (USA), and AGISM (Australia).
Other areas of the organization have also adopted standards that help them deliver our product to customers. Our product and development teams have spent a lot of time working with the WCAG 2.1 accessibility guidelines and have achieved an AA rating.
That’s a lot. Is it hard to manage so much?
It can seem that way, but many of them are trying to achieve the same goals, so there is a lot of overlap between them. One of the strengths of the ISO system is that it makes it easy to incorporate new standards into your management system and to identify what these overlaps are. Once you’ve done that, you can follow through to see what your existing controls are and check whether they’re sufficient or need updating.
Another benefit is that you can also leverage the security and compliance of your hosting providers and key vendors as well. ISO makes you very aware of the concept of your scope and what is and is not within your control.
JRNI uses cloud hosting, for instance, so many of the traditional information security requirements and processes aren’t ones that JRNI performs itself. Instead, we ensure that our hosting providers all have the same or higher standards of information security processes and certifications, so that we can leverage these alongside our own.
Our hosting providers have standards such as ISO 27001, ISO 9001, SOC 2, and so on, and we get the benefits of all these standards as part of the service we offer to our customers.
What’s the audit process like?
Well, a lot of people get involved with auditing at some stage. There is always some part of an internal audit taking place throughout the year. We have a dedicated team that leads the effort and coordinates with stakeholders from other parts of the business.
Most of the work is spent on ensuring that key processes are working, and that those processes are still relevant to the risks or assurances they’re designed for. There’s also an element of ongoing improvement; as risks or our business needs change, processes often need updating. The auditing process is designed to identify where this change is needed, and then measure if the controls we put in place as a result are effective.
JRNI is also audited externally once every six months. At these audits, we’re visited by an independent auditor at one of our global offices, where we spend several days going over the entire management system and its controls. During these external audits, we can use the results from our internal audits as part of the evidence to show that our security controls are working as expected. This leaves the external auditor more time to focus on working with us, to ensure our controls are as good as they can be.
How long does the auditing process take?
Auditing at JRNI is always ongoing. We use a lot of automation to increase the frequency and accuracy of the audits we do, often turning a few-day manual audit (per month) into a real-time monitoring process. This greatly helps to reduce the overall effort involved with specific audit tasks and allows us to focus our time on exploring new risks and improving our handling of existing ones.
There will always be new products, features, and processes at JRNI, and there will always be new threats and risks out there, so there will always be work for the Information Security and Compliance teams here.
When they’re not involved in auditing or designing and evaluating security controls, these teams are engaged in staff training. While training and staff knowledge are part of our compliance requirements, JRNI staff are our biggest assets in keeping our security processes working.
Want to learn more about appointment scheduling and providing personalized experiences at scale with the JRNI platform? Want to learn more about how we make security a priority? Schedule some time to speak with an expert!