[Expert opinion] ISO CERTIFICATION - Three questions for Yann Perchec, PeopleDoc Chief Technology and Information Security Officer
We are an HR service delivery cloud company, and our clients manage a large amount of employee data using our platform. Protecting this customer data on behalf of our clients and their employees has always been integral to the way we operate. We know that security, and the trust it engenders, is fundamental to our business and to our collective growth.
With this in mind, we have taken the step of auditing and refining our processes and policies by earning ISO/IEC 27001:2013 (ISO 27001) certification. What does this process involve? We asked Yann Perchec, CTO and Chief IS Officer of PeopleDoc, three questions.
1. What is ISO certification?
ISO 27001 certification is a methodology for implementing and continuously applying the policies and processes necessary to protect our assets, including our customers' data and our people. ISO 27001 is an international standard that reflects a consensus of experts in the field of information security and an ongoing commitment to best practices.
We’ve chosen a wide scope for our study in line with our overall commitment to security. Our ISO certification includes:
The physical security of PeopleDoc employees and visitors
The security of the information we manage for and with our customers for whom we want to ensure privacy, integrity and accessibility
The security of our working methods to deliver our products and services
The security and regulatory compliance of our internal and business IT systems
2. What have you put in place?
Security certification is first and foremost a process. Certification is not a one-time event; it is an ongoing mission. Every day we improve our platform, and the market changes, which means we have to make continual adjustments to ensure our security is sustained. To help us do that, we have a Security Committee that reviews new investments and ensures we are staying on track, and internal and external audits that are carried out at least once a year. We regularly use bug bounty programs to help identify and correct any vulnerabilities.
Most of all, security is a collective task: it involves everyone at PeopleDoc. We instill a security-first culture from the top and provide a supportive and transparent environment that encourages employees to uphold our security policies and practices. Top security is the result of lots of small actions everyone takes every day. We've expanded our team to include a Global IS Manager and a Global Security Manager in order to give this effort greater dedicated focus.
3. What does this mean for our users?
On a daily basis, our clients will not notice any change in how they use our products. The security of their data and operations has been integral to our business from the beginning, and our current practices are sound. ISO 27001 gives our clients additional confidence that we will continue to invest in security and apply best practices as we grow the products, services and geographies we cover.