Xait has been ISO/IEC 27001 certified since 2016. This demonstrates our ongoing commitment to proactively manage and protect our customers’ assets and data, ensuring compliance with legal requirements.
As a global software vendor for enterprise companies, having the ISO/IEC 27001 certification is critical. It proves that Xait as a software provider has well-established routines and procedures for handling and safeguarding sensitive and confidential data – including that of our customers.
– We have an internal audit team actively dedicated to information security management, ensuring the necessary levels of confidentiality, integrity and availability of our own and our customers’ data, says Roy Olsen, Operations & Security Director in Xait.
– As the benchmark software solution for winning bids and proposals, we are deeply committed to investing in enterprise-grade security and compliance that our clients can trust.
ISO/IEC 27001 is the international standard that describes best practices for an ISMS (information security management system). It ensures that a business has stringent processes to identify, manage, and reduce risks to information security.
The Standard takes a risk-based approach to information security. This requires organizations to identify information security risks and select appropriate controls to tackle them.
Those controls are outlined in Annex A of the Standard. There are 114 ISO/IEC 27001 Annex A controls, divided into 14 categories.
Read more: Xait receives ISO/IEC 27001 re-certification
To fulfill both internal and external security requirements, Xait maintains and continually improves an information security management system (ISMS) in compliance with international standards.
An ISMS is a systematic approach for protecting and managing company information, which helps ensure data remains secure at all times. It covers people, processes and IT systems, with risk assessment at its core.
Olsen explains why Xait’s ISMS system is rock solid:
– Companies aren’t required to implement all 114 of ISO/IEC 27001’s controls. They’re simply a list of possibilities that you should justify based on your organization’s requirements. However, Xait has chosen to implement all 114 controls, and this makes our ISMS very comprehensive and mature. For every control we have implemented, we’re subject to a continuous cycle of audits carried out by an accredited third-party certification body.
An ISMS enables Xait to be compliant with a host of laws and regulations – including the EU GDPR (General Data Protection Regulation) – and focuses on protecting three key aspects of information (both our own and our customers’ data):
1) Confidentiality: The information is not available or disclosed to unauthorized people, entities or processes.
2) Integrity: The information is complete and accurate, and protected from corruption.
3) Availability: The information is accessible and usable by authorized users.
Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is demanded from vendors and business partners by organizations concerned about the security of their information, and about data security throughout the supply chain or network.
Roy Olsen elaborates:
– Possessing the ISO/IEC 27001 certification is an important signal for companies that work with Xait. It means that this industry-leading certification body has audited our security controls, and found that they meet their strenuous compliance standards. We’re audited annually by external and independent auditors, validating that we’re continuing to meet the highest international security standards.
The ISO/IEC 27001 standard is typically associated with maintaining information security within an organization and not necessarily within the services the organization delivers. Xait, however, has implemented ISO/IEC 27001’s security controls to do both – safeguard our own data as well as our customers’ data.
Through ISO/IEC 27001, Xait is required to continually improve its information security management system. Our ISMS is a ‘living and breathing’ system, and we assess, test, review and measure its performance as part of the broader business-led strategy.
Establishing a culture of information security within Xait is a key part of continually improving our ISMS, says Alexander Larsen, Lead Systems Administrator in Xait.
– Our employees are our first line of defense, and it’s essential to empower them with the right security mindset. This is why all employees are enrolled into a security awareness program that provides weekly training. This increases their awareness of information security issues and the purpose of the ISMS.
One of the critical criteria for ISO/IEC 27001 compliance is ensuring that appropriate measures are in place to manage the security within the organization’s supply chain. Third-party security risks are often a weak link for many companies. For this reason, Xait has defined an information security policy for supplier relationships that addresses the risks associated with vendors’ access to our information.
– We look for suppliers that have achieved ISO 27001 certification, as we work only with suppliers able to demonstrate that maintaining information security is a “continual business as usual” activity. This means we continually assess our suppliers to establish that they meet the appropriate level of information security and information assertion required for the services they provide to us, says Larsen.
Data centers are part of the supply chain. Xait’s ongoing commitment to security also means that the data centers we use adhere to ISO/IEC 27001. They are assessed and regularly audited by independent third parties to ensure that the highest security standards are maintained continuously.
Alexander Larsen urges businesses to beware of software vendors and technology partners sailing under false colors in terms of ISO/IEC 27001 compliance:
– It’s not uncommon for companies to state on their websites and in their marketing materials that they are ISO/IEC 27001 compliant… without actually being certified. This can pose a significant security risk for clients and business partners, as it creates the impression that these companies have the ISO/IEC 27001 certificate in place.
Our customers’ data is one of our most valuable assets. Being ISO/IEC 27001 certified allows us to handle this data with both care and confidence. Through ISO/IEC 27001, we have developed and implemented processes and procedures in order to provide requirements for maintaining and continually improving our information security management system.
Furthermore, Xait continuously focuses on «actual» security, measuring how our systems and processes prevent security incidents and ensure full commitment from all Xait employees.
Does ISO/IEC 27001 make us immune from data breaches? No. As much as the Standard helps organizations stay secure, no solution is 100% breach-proof in today’s ever-changing risk landscape. Everyone suffers data breaches at some time or other. The point of maintaining an information security management system is to get better at identifying data breaches and reduce the risk of them occurring.
– Our implementation of all 114 security controls in the standard enables us to detect and mitigate security risks in time, says Roy Olsen.
As an Xait customer or partner, you can therefore operate with complete confidence, resting assured that we securely manage your data to protect your organization and your business partners.
– We’re committed to following a high-quality and consistent security management system, backed by an independent, expert assessment of whether all the data we process is adequately protected, concludes Olsen.
We write professional blogs worth a read. Follow the blog for a sneak peek of the future!
* By subscribing to our newsletter, you agree to receive digital communications. You may withdraw this consent at any time.
One Solution for All Routes-to-Market Businesses sell directly to customers via their sales team, or they may..
We conclude our series of time-saving tips with the fourth part. Whether you use proposal writers or not,..
The time-saving benefits of centralized, proposal management-specific tools go far beyond secure team,..