Behind Pharos’ Decision for ISO 27001 Certification
By Team Pharos | February 16, 2023
Earlier this week, we announced that Pharos has achieved ISO/IEC 27001:2013 certification. This certification demonstrates that Pharos has met a rigorous, internationally recognized standard to help ensure the confidentiality, integrity, and availability of Pharos Systems International's corporate information assets as well as the Pharos Cloud, Blueprint, and Uniprint products. One of the primary concerns organizations have about moving their critical applications to the cloud is the security of their data. With the ISO/IEC 27001 certification, Pharos customers can rest assured that their information is properly safeguarded.
The lengthy certification process involved every facet of the business. Pharos Founder and Security Manager Paul Reddy and Vice President of Product Management Masha Kozinets recently sat down to provide more insight into Pharos’ decision to pursue ISO 27001 certification.
Why did Pharos pursue ISO 27001 certification?
Paul: We decided to pursue ISO 27001 certification for a couple of key reasons. First, we’ve heard from a lot of our customers and prospective customers that they wanted to see some sort of certification to show our commitment to protecting their data. A second reason for certification is to continue to enhance our company from a security perspective. A focus of the ISO standard is continual improvement. For ISO certification, it’s not just establishing these practices that is important, it’s also measuring and continual improvement of our processes. I like to say that security is not a goal or an end point, it’s a process. It’s endless and it’s ongoing. This is a wheel we’ll never get off.
Masha: Like Paul said, ISO certification helps address a lot of the security concerns throughout the customer engagement process. But the reason why this is so important is because it also provides evidence of our market leadership position in the area of security. That cannot come without having these established practices and processes. It shows that we are committed to securing our own environment, our products, and our customers’ data. That is a really important area of interest for our customers right now. Achieving this certification will also help us meet contractual, legal, and regulatory requirements that pertain to some customers. It helps establish trust in our security practices and systems for our customers and partners.
Why did Pharos choose ISO 27001 certification over other alternatives such as SOC 2?
Masha: We reviewed research written by one of the certifying bodies who said that the overlap between the two certifications is 96% of the controls—so from a control point of view, they’re very similar. However, after taking an in-depth look at ISO 27001 and SOC 2, we felt that ISO was the more rigorous process and the right certification for us.
SOC 2 is a set of reports intended to prove the security level of systems against static principles and criteria at the specific point in time that the reports are produced—they provide a snapshot view. As Paul already mentioned, ISO is a standard that establishes requirements for an ongoing information security management system—it defines your processes throughout the organization. It’s not static, and it sets the path for continual improvement. Both also require an external audit to achieve certification. SOC 2 is attested by a Certified Public Accountant (CPA), whereas ISO requires an ISO 27001-accredited certification body to complete the certification.
Lastly, geographical applicability was important to us. SOC 2 is recognized widely in the United States, while ISO 27001 is an international standard recognized all around the world. Having global customers pushed us toward ISO. In the end, we thought that ISO certification would better suit our needs, and those of our customers and partners.
What did it require of us to achieve ISO 27001 certification?
Paul: There’s a set process to achieve ISO certification. First, you have to create an ISMS program which provides the overarching management system to reduce information security risks. It combines cyber and IT risk management and controls to ensure that information security risks are mitigated. So, the establishment of that program—which meant creating the Security Committee that provides governance, as well as scope—determines what’s in and what’s out.
We elected to have both Pharos and our products certified, which I think creates a better experience for customers. We could have left our products out and still have called Pharos certified, or conversely, some companies will just certify their product, which is much quicker. We elected not to do that.
Other steps we had to take included a gap analysis and a risk analysis to determine where we were already compliant and where we needed to improve, identifying and implementing security controls, and completing an audit by an accredited certification body.
It was a lengthy process that required us to mindfully examine all parts of our organization and processes, and to intentionally secure or tighten up every aspect of the way we work, and to document them. And our ISMS will track and report on metrics to ensure we are improving.
What impact has ISO 27001 certification had on Pharos employees?
Paul: I would say that the biggest impact is that we’ve taken the steps to have all our processes documented. Everything is planned, checked, approved and documented, evidenced, and all data assets are protected according to the level we assigned. For example, we have a documented vendor management process that requires a security review and a partnership review for every vendor prior to being signed on, and they are reviewed annually. If you give us a new vendor, we can say, here’s their security report and here’s their overview.
Masha: From my perspective, going through the certification process increased security awareness throughout Pharos. Teams that were less impacted in the past are now much more aware of the importance of security, and it has become even more a part of our fabric. It’s what we live and breathe on a daily basis. Through the increased collaboration—for example, participating in exercises and building the documentation—it just raises the level of awareness for everyone at Pharos.
Paul: I recently sat in a customer conversation, and the whole way through, they drilled in on data privacy and security. At Pharos, we want to add certifications that are going to enhance processes and practices that customers view as important, such as cloud security and privacy. We’re also working to automate as many processes as possible because it removes us from the potential for human failure, and we’re doing more work hardening up our cloud infrastructure.
Masha: From a product strategy and market facing perspective, now that we have demonstrated that we are even more serious about security, we can be more confident in the way we talk about security practices that surround our products. When we expand our product offerings in the security space, we’ll have credibility because we’re knowledgeable on security.
Compliance with this internationally recognized standard confirms that Pharos’ security management program is comprehensive and follows leading best practices. This certification demonstrates Pharos’ continued commitment to information security at every level—and assures customers that the security of their data and information has been addressed, implemented, and properly controlled in all areas of our organization.