At ML6, security is in our blood. Our security program is embedded in all our business processes, from the first sales contact, through the delivery of a proof of concept, up until the delivery of production applications.
To prove our dedication towards information security, our security program is certified against the ISO/IEC 27001:2017 standard. This internationally accepted standard provides requirements for establishing, implementing, maintaining and continually improving information security within an organization.
In this blogpost, we explain the why, what and how behind our ISO 27001 certification.
Building robust ML solutions means that we put a big emphasis on security. Furthermore, many of our solutions rely on highly valuable datasets, which demands an even greater commitment to security, especially given the ever-increasing number of cyber attacks.
To clearly showcase our focus on security and our commitment to build not only functional but also secure ML solutions, we started the process to become ISO 27001 certified.
ISO 27001 is a standard for Information Security Management Systems (ISMS). It is internationally recognised by experts in the information security field as the best way of managing information security.
However, being certified is not an end in itself. The ultimate goal of our ISMS is to have a structured and reliable approach to protecting valuable information from all sorts of risks. The certification is simply a way to show our customers, employees, partners etc. that they can trust ML6 to handle their data in a responsible and secure manner.
Implementation of an ISMS can be mapped onto the PDCA cycle of Edwards Deming. This cycle is typically used in quality management to control and optimize processes and products. Mapping the ISO 27001 standard onto the four steps of the PDCA cycle gives a clear overview of how the ISMS controls and continuously improves security within ML6.
The planning phase requires you to first establish the context of the organization. This context includes external and internal factors that are relevant to the ISMS. Being aware of the context helps to have a clear understanding of what the requirements and objectives for the ISMS will be, who needs to be involved, which resources will be needed etc.
After identifying the context, the standard requires the organization to identify and assess the information security risks that are relevant to it. The internal and external factors defined in the context of the organization serve as input for the risk assessment.
Once the risk assessment is completed, the organization defines a risk treatment plan to reduce the risks to acceptable levels.
The Do step consists of executing the risk treatment plan to reduce security risks in various areas of the organization, such as human resources, asset management, supplier management, software development, compliance and access control. The ISO standard puts forward 114 controls that can be implemented to reduce risks.
This is where it was important for ML6 to avoid bureaucratic processes that limit the flexibility and agility of a scale-up.
Especially for our development teams this was a major point of attention. Customers want to work with ML6 because we can deliver projects in a fast, effective and efficient way, not because we need 10 days and 30 mails to set up basic infrastructure before the project can actually start.
Our approach is to make sure that the secure way is the easiest way to work, by sticking to security-first best practices for all our internal tooling and boilerplates. All our chapters (see our blogpost: Organizing your team for innovation) consistently strive to make our agents as effective as possible by providing building blocks or boilerplates for different types of ML challenges. Because these building blocks apply infrastructure-as-code best practices and conform to strict Google Cloud Organizational Policies, our shared codebase is not only the best way to kickstart new projects but also the most secure and easiest way, since the security best practices are already included.
After implementing the risk-reducing measures, it is important to track whether those measures are actually effective in reducing the security risks and whether the entire ISMS runs as expected.
Monitoring information security KPIs helps measure the performance of the ISMS and whether the security objectives are being achieved.
An internal audit is a great way to verify that the ISMS follows the ISO 27001 standard and that internal policies and procedures are being adhered to.
The standard also requires management to be involved in the Check phase. Management should review the organization's ISMS to ensure its continuing suitability, adequacy and effectiveness.
The goal of the Check phase is to surface the points where the ISMS has failed to meet the ISO standard or to reduce the information security risks.
In the Act phase, corrective actions are defined to further improve the ISMS. These actions translate into updating the context of the organization and the risk assessment.
This brings us back to the Plan phase, thereby completing the PDCA cycle. In this manner ML6 has set up a continuous improvement cycle to manage information security.
Do you have questions or would you like to get more information about our certification? Our Head of Security, Rob Vandenberghe, is happy to help.