Featured Case Study: Contour
ISO 27001 Certification with Privasec
Drawing on a proven track record of implementing Information Security Management Systems (ISMS) that are certifiable to ISO 27001, Privasec was glad to support Contour in adopting a risk management framework and implementing an ISMS certified to ISO 27001.
Contour was awarded ISO 27001 certification, an internationally recognised standard, for its secure technology and processes, and is the first blockchain-based digital trade finance network to do so. Notably, the external audit by the certification body, the British Standards Institution (BSI), flagged zero findings.
The implementation and certification of Contour’s ISMS allows it to better protect and manage its operational technology and information security risks. It also demonstrates Contour’s ability and commitment to providing secure technology and data privacy features for its clients and partners in highly regulated industries.
Read on to find out more about Contour’s ISO 27001 certification journey with Privasec.
Contour is the world’s leading digital trade finance network, enabling seamless and secure collaboration in real time. It uses decentralised blockchain-based technology to provide a common network that helps banks, corporates and trade partners digitise and streamline their trade finance workflows securely and efficiently, without any one party owning the transactional data or being a single point of failure.
Key Objectives
Provide Assurance to Partners and Clients in highly regulated industries
With partners and clients such as banks and financial institutions that are held to stringent regulatory and compliance standards, Contour sought to provide assurance by implementing a risk management framework certified to ISO 27001, an internationally recognised standard.
Robust Information Security Management System to support organisational goals
With information and technology forming the core of Contour’s systems, ensuring information security and uplifting its security capabilities is key to supporting the organisation’s expansion goals. An ISMS also gives Contour a structure and framework for allocating its security resources more effectively.
Why Privasec
Privasec is an ISO 27001 and ISO 9001 certified independent cyber security consulting firm. Its Governance, Risk and Compliance (GRC) team is made up of highly experienced and certified professionals, averaging 10 years of cyber security consulting experience, with a proven track record of implementing Information Security Management Systems (ISMS) that are certifiable to ISO 27001.
To give the Contour team a client’s perspective on an ISO 27001 engagement with Privasec, our Regional Channel Sales Manager, Loyi Toh, arranged reference calls with past clients. With a good understanding of Privasec’s engagement approach and strong recommendations from those clients, the Contour team engaged Privasec as a partner to provide professional guidance for its ISO 27001 implementation.
The Results
Contour was awarded ISO 27001 certification, with the notable achievement of zero findings flagged in the external audit by the certification body, the British Standards Institution (BSI).
This recognises Contour’s secure technology and processes and is evidence of how comprehensively it addresses its risks through an ISMS.
With its ISMS established, Contour was able to implement policies, processes and controls for risk management, incident response, process improvement and continuity management. This demonstrates Contour’s accountability and its information security posture in managing risks in line with its risk profile, which provides assurance to relevant stakeholders.
The risk management framework also helped Contour to manage and allocate its information security resources effectively.
“As the leading digital trade finance network, complying with the highest standards of information security management is imperative for our corporate and banking clients.
Privasec supported our entire journey to achieve ISO 27001 certification, with their team demonstrating deep industry experience and providing constant guidance, ensuring our company not only complies with the standards, but has plans to continually improve.”
Aaron Seabrook, COO of Contour
Our Approach
ISO 27001 is the international standard that specifies the requirements for an information security management system (ISMS): establishing, implementing, maintaining and continually improving it, with a reference set of controls in its Annex A. It gives organisations a world-class, risk-based structure for strategising and coordinating their security investments, while earning marketable recognition for doing so.
Establishment of Governance Framework
The establishment of an information security governance framework is foundational in an ISMS, which provides the strategic direction to achieve the security objectives and goals determined by management.
By establishing authority and setting out accountability and responsibility for information security across the organisation, the governance framework gives Contour’s management a high-level view of how information security risks are addressed and how security resources are allocated. This is essential for efficient decision-making, especially during cyber incidents.
Through a series of facilitated meetings to understand Contour’s security objectives and goals, Privasec helped Contour establish an information security governance framework aligned with its corporate governance, so that the information security programme it defines supports the organisation’s goals. Roles and responsibilities were then assigned to the relevant business units and committees.
Examples include:
- the appointment of a Data Protection Officer (DPO),
- the formation of the Information Security Management System (ISMS) Committee, and
- the Audit Risk Committee (ARC),
which are the key delegates responsible for the different aspects of information security.
Formation of Information Security Policies and Procedures in accordance with Industry Best Practices
Privasec worked closely with Contour’s internal team and business units to tailor a fully functional ISMS aligned with their environment and operations, and gave comprehensive guidance on documenting Contour’s information security policies and processes in accordance with industry best practices.
Group-level information security policies and tools were implemented to address and mitigate risks, keeping Contour within its levels of acceptable risk.
One example is the set of tools and policies implemented for endpoint protection, addressing the relevant Annex A controls. These include:
- a Mobile Device Management (MDM) tool for corporate devices,
- Mobile Application Management (MAM) for Bring Your Own Device (BYOD) endpoints, and
- data labelling for Microsoft Office 365.
With these tools and policies in place, Contour has greater control over which devices can reach its network and data, and over the type of access each is granted, and can manage endpoint protection risks effectively.
Implementation of Effective Risk Management Strategies
Contour’s ISO 27001 certified ISMS takes a risk-based approach: information security strategies are developed through risk management practices that reduce risks to a defined and acceptable level.
In this engagement, Privasec guided Contour in creating a risk register, a risk management tool for identifying, analysing and addressing risks collectively against the organisation’s risk appetite. With the risk profile understood, information security policies were developed to mitigate the risks, and security controls were implemented to establish security baselines.
Taking Contour’s resources and constraints into account, a risk management roadmap was also drawn up to prioritise risks and allocate security investment accordingly. Critical risks were highlighted and addressed promptly, with longer-term solutions scheduled as part of the roadmap.
Conclusion
Privasec is glad to have supported Contour on its journey to implement a risk management framework certified to ISO 27001, an internationally recognised standard. The certification is a mark of commitment that demonstrates Contour’s effort in securing its technologies and systems and aiming for excellence in information security. We look forward to continuing to support Contour on its compliance journey.
Want to Become ISO 27001 Certified?
Get on your way to ISO/IEC 27001 certification today. Contact a Privasec consultant for a detailed walkthrough of the Plan-Do-Check-Act ISMS cycle.