Online banking solutions provider Corillian (Portland, Ore.) recently attained certification to ISO 27001, a stringent globally recognized information security standard. According to Greg Hughes, Corillian's chief security officer, security of information, data and operations is a necessity and should be tackled in a proactive manner. "The ISO framework is the underpinning of all we do," he says. "It gives us an internationally accepted and recognized way of doing things across the board."
As reported in the June issue of Bank Systems & Technology, ISO 27001 is an information security standard designed to give organizations a means for providing clients, partners and regulators with proof that they adhere to an internationally recognized set of information security controls. Its sister document, ISO 17799:2005, describes 133 best practices for information security, along with implementation best practices. Together, the two standards create a certifiable framework for protecting information assets.
Although it is not necessary to certify to 27001 across an entire enterprise, Corillian opted to do so. Part of 27001 is reviewing a statement of applicability to see which recommended measures are relevant to a particular company's operations. Hughes says since everything Corillian does deals with security, it was only natural to certify the whole company. The move, he claims, will engender a great deal of trust with Corillian's financial institution clients. "Confidence with compliance and best security practices is critical to our clients," he comments. "Our doing an exceptional job of security breeds trust with our clients. Trust provides us with a strategic advantage."
Corillian was working toward certification for about three years, explains Hughes. But it was not until the past year and a half that its efforts were in earnest. The company was already certified to BS7799-2, ISO 27001's predecessor. The actual 27001 certification process started last October, Hughes relates. "Achieving ISO certification is no easy task," he says. "It's ... one step along a never-ending road. Getting certified is one thing, maintaining it is another."
Despite the arduous work involved with staying ISO certified, Hughes says it is well worth the effort. "It's a very detailed third-party analysis," he relates. "Having an objective third party come in and hold you to a standard gives real value and teeth in the eyes of the people who rely on you."
The Growing ISO Trend
Barry Kouns, VP with risk mitigation consultancy Churchill & Harriman (Princeton, N.J.), thinks Corillian's announcement is just the beginning of a trend in financial services. "Corillian's recent upgrade of its BS7799-2 certification to ISO 27001 demonstrates the value of the international standard and the beginning of an accelerated acceptance in the U.S.," he comments. "Pursuing certification to ISO 27001 is currently voluntary, but soon, I think, you will see corporations requiring their key partners to be certified and eventually their entire supply chains."
Corillian joins an exclusive club in the U.S. - there are about 40 American companies certified to 27001 compared with hundreds elsewhere. That figure is even lower for U.S. firms in the financial services space. "Anybody dealing in information and systems that need to be protected should have a security framework against which they should be held accountable by a third party," asserts Corillian's Hughes.