ISO 27001 certification confirms FAIRTIQ's unwavering commitment to information security
FAIRTIQ takes data protection and data security extremely seriously. On 08.12.2023, we received official confirmation that our information security management system (ISMS) meets the requirements of the world's leading ISMS standard ISO 27001:2013. We spoke to Manuel Jeckelmann, CISO (Chief Information Security Officer) and Head of Security at FAIRTIQ, about what the ISO certification process entailed, what certification means for FAIRTIQ, and what data and information security plans the company has in the pipeline.
FAIRTIQ: Let's start with a very basic question: What is ISO 27001 and who wants it?
Manuel Jeckelmann: ISO 27001 is an internationally recognised standard that defines the requirements for the establishment and operation of a documented information security management system (ISMS). According to the ISO survey, there were a total of 36,362 valid ISO certificates worldwide in 2019. Most of the companies that are ISO-certified work in the banking, financial services, IT, service, transport, and communications sectors.
FAIRTIQ: Why did FAIRTIQ decide to pursue ISO 27001 certification?
Manuel Jeckelmann: Data and information are at the core of our business. Our partners and users trust us to keep our data and information security management systems up-to-date and effective. No one grants this kind of trust blindly, and rightly so. Instead, they expect clear and transparent proof from us, and ISO 27001 certification gives them this proof. The certification process involved exhaustive testing and analysis of our information security structure. The centrepiece of the process was a wide-ranging audit conducted by an officially accredited body, in our case TÜV Rheinland (Germany), a respected global leader in auditing and security.
FAIRTIQ: How long did the certification process take and what did it entail?
Manuel Jeckelmann: The auditors looked not only at the technical components of our system but also evaluated our internal guidelines and the team responsible for implementing them. The multi-stage process began with an assessment of our existing ISMS by the external auditors that led to suggestions for improvements. The recommendations were then implemented as part of the process.
This process ran for a year, with some stages being more work-intensive than others. Fortunately, FAIRTIQ already had many of the key processes and activities in place, and we were able to build on these and further optimise our ISMS while continuing to build our knowledge.
FAIRTIQ: What did the audit look at specifically?
Manuel Jeckelmann: The aim of the audit is to verify compliance with three main criteria. The first is data confidentiality. In other words, does our ISMS guarantee that only authorised parties have access to the data? The second is information integrity. This means that the data are stored securely and safely and cannot be accidentally changed, damaged, or deleted. The third and final criterion is availability: do we and our customers enjoy round-the-clock reliable access to the data we/they need, and is the system protected from outages due to circumstances like server problems, hacker attacks or faulty back-ups?
FAIRTIQ: Is FAIRTIQ more secure now that it is ISO 27001-certified?
Manuel Jeckelmann: FAIRTIQ already had a robust risk management system in place before it applied for ISO 27001 certification. However, we used the certification process to harmonise our existing risk management system with the ISO standard and upgrade it. Our processes are now more standardised, structured and evidence-based.
FAIRTIQ: What does FAIRTIQ certification mean for our partners and customers?
Manuel Jeckelmann: Thanks to certification, our partners can be sure that we have a coherent and highly performing system in which technology, processes and employees strive through collaboration to minimise risks to data security. As a result, we are now in an even stronger position to protect the 'new gold of the digital era', as data and information are often, and rightly, referred to these days.
FAIRTIQ: Now that FAIRTIQ is ISO-certified, the security team's work is all done, isn't it?😉 Seriously though, what security-related plans are in the pipeline?
Manuel Jeckelmann: For the data industry, compliance is NOT security. Certification is of course an important milestone along the road to optimised security processes, but it definitely doesn't mean that the job is done. Like all companies in our field, we are fully aware of the need to keep developing and improving security mechanisms. Only by doing so can we ensure that our security system keeps pace with FAIRTIQ's growing business operations as well as any product and application innovations that come on stream. It also ensures that we can meet our customers' and partners' expectations. Continuous optimisation and further development are also in line with ISO 27001, for which the standards are also being updated. Our current certification is valid until the end of 2026. Then, the new ISO standard will come into effect and a transition audit will verify our compliance with it. The accompanying standard procedure, coupled with regular auditing, will help us to pursue our commitment to information security in a way that is visible to the outside world.
FAIRTIQ: Looking back at the certification process, what achievements are you particularly proud of?
Manuel Jeckelmann: It was a real team effort and would not have been possible without the contribution of the whole company as data protection and data security are not just a concern for the security team. Indeed, they are also an integral part of everyone's day-to-day work at FAIRTIQ. I am also proud of the fact that we managed to keep our morale up throughout the process because, if I am being honest, some of the audit's 'mandatory exercises', such as reading through new policy documents, didn't always generate high levels of enthusiasm. But in the end, we are proud of continuing to produce concrete results and not just reams of paper.
FAIRTIQ: Manuel Jeckelmann, thank you very much for this interview!