Featured Case Study:
STACS ISO 27001 Certification with Privasec
Privasec is an ISO 9001 and ISO 27001 certified independent cyber security consulting firm with a Governance, Risk and Compliance (GRC) team of highly experienced and certified professionals, each with an average of 10 years of cyber security consulting experience.
With great expertise and a commendable proven track record of implementing an Information Security Management System (ISMS) that is certifiable to ISO 27001, we are glad to assist and support Hashstacs Pte Ltd (STACS) in their standards adoption journey, along with the certification body, TUV SUD PSB Pte Ltd.
Read on to find out more about STACS ISO 27001 Certification Journey with Privasec
A leading Singapore-headquartered FinTech company that focuses on Environmental, Social, and Governance (ESG) FinTech, and is in partnership with the Monetary Authority of Singapore’s (MAS) Project Greenprint for ESGpedia, the Greenprint ESG Registry.
Serving as the Nexus of ESG Finance, STACS’s live blockchain infrastructure enables effective Sustainable Finance, and unlocks value in Asset and Wealth Management and Digital Securities. Its clients and partners include global banks, stock exchanges, asset managers, corporates, and SMEs. STACS’s ESG FinTech solutions expand on the firm’s good work in the capital markets since 2019, delivering digitalisation and automation for the financial sector.
Key Objectives
Proactive Compliance
With clients and partners from global leading financial institutions and corporates, STACS is committed to operating in accordance with international standards to provide both quality and information security assurance.
The implementation of the ISO 27001 Information Security Management System (ISMS) allows STACS to ensure that its security controls meet the required international standards on an ongoing basis, facilitating the firm’s global scale-up.
Establishment of Robust Risk Management Framework
STACS flagship platforms – ESGpedia and Vetta – are powered by Blockchain technology, which STACS has deep expertise in.
With technology at the core of the organisation, the implementation of ISO 27001 fortifies the fintech firm’s security, enhancing its ability to protect the organisation’s assets and reduce the likelihood of a breach.
Engaging privasec
As part of regulatory compliance, the STACS first engaged Privasec as a third-party assessor to conduct a gap assessment to review their cyber security posture against the MAS Technology Risk Management guidelines. During discussions with our Senior GRC consultant Angela Yuen, it was identified that many of the security controls required in the guidelines can be mapped to the ISO 27001 standard.
With a prior good understanding of STACS’ internal environment, proven track record, and expertise in implementing ISO 27001-certified ISMS, Privasec was the preferred partner to work on this engagement, to act as STACS’s Consultant and Internal Auditor in its pursuit of ISO27001 certification by assessment body, TUV SUD PSB Pte Ltd.
the results
STACS managed to achieve a fully-functional Information Security Management System and was awarded the globally-recognised ISO 27001 certification in less than four months.
STACS being awarded the ISO 27001 Certification is a testament to the fintech firm’s ongoing commitment to its customers and stakeholders in managing information safely and securely.
With this global risk management framework in place, STACS is able to effectively uplift its security posture and maturity and provide a greater level of assurance to clients and stakeholders. Security controls were embedded within the organisation, with a commitment to an actionable security improvement roadmap to guide their risk management efforts.
This elevated trust and reliability also empower them to further pursue their vision of being the Nexus of ESG Finance, unlocking value in sustainability across all sectors via technology and ESG data.
As a leading FinTech expanding rapidly in the region, we seek to continually provide our full suite of ESG solutions to enable access to holistic ESG data and sustainable finance, in accordance with international information security standards. STACS is happy to partner with Privasec to ensure that the required security protocols are in place and maintained moving forward, to guarantee the immutability and security of our platforms for financial institutions and corporates.
Joanne Koh, Operations Director at STACS
Our approach
ISO 27001 is an international standard that sets out the specification for an information security management system ISMS. It contains a set of best practices that allow organisations to implement a world- class risk management system, to strategise and coordinate their security investments whilst getting marketable recognition for it.
ISO27001 certification mark provides a clear and unambiguous assurance of a company’s commitment to information security. Privasec helped STACS, through the ISO27001 certification mark, achieved these business benefits:
- Risk Management
Minimise risk through a structured and globally recognised information security methodology that identifies and mitigates threats according to risk profile to a defined and acceptable level; - Establishment of incident response and business continuity plans
Ensure the continuity of company’s operations in the event of man-made and natural disasters. - Protection of Company and Clients’ confidential information
From the threat of hacking, data loss and breach of confidentiality, and ensure the company can recover faster from such attacks
A continuous improvement cycle – Plan-Do-Check-Act (PDCA) – must also be established for the certification.
- Plan – Identify Risk to the Confidentiality, Integrity and Availability (CIA) of assets
- Do – Put relevant controls in place
- Check – Audit the implementation for efficiency and effectiveness
- Act – Improve ineffective or inefficient controls
Risk-Based Approach
The Risk Management Framework (RMF) is a methodology for implementing risk management by STACS,
The RMF identified seven distinct steps that provide a disciplined and structured process to manage risks in the company. The RMF particularly addresses security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate. It also looks at other risks relating to financial, operational, or reputational risks.
Privasec conducted initial information risk assessments with STACS through interviews to identify and understand the actions and priorities for managing information security risks, and the responsibilities assigned to respective risk owners and business units.
An associated and tailored risk treatment plan was subsequently crafted based on the major gaps and areas for improvement.
Tailored, Fully Operational ISMS
Privasec worked with the STACS team to design an ISMS, where each methodology is tailored to meet the precise needs of STACS and its operations. This is crucial in building a functional ISMS that is well-integrated with the existing operations, to minimise business disruptions.
As part of the engagement, a proprietary ISMS portal developed by Privasec over years of practical security operations and auditing was also provided. Together, the teams worked on establishing the documentation of policies and processes; Through assessments and interviews with relevant stakeholders, a suite of information security policies and procedures according to industry best practices was crafted, with detailed implementation and solutions for STACS to follow.
Privasec also helped STACS set up an internal audit plan for the company to plan, do, check, and act to continuously ensure that its security controls stay effective and relevant to meet the stringent requirements of ISO 27001 Statement of Applicability on an ongoing basis.
Our Credentials
Want to Become ISO 27001 Certified?
Get on your way to obtain the IEC 27001 certification today. Just contact a Privasec consultant to get a detailed understanding of the Plan-Do-Check-Act ISMS cycle.