According to the ISO27001 Global Report 2016, over half (56%) of respondents indicated that gaining a competitive advantage was a major motivation for acquiring certification. SpecPage's ISO27001 certification gives customers a further reason to adopt SpecPage products and services, including its Product Lifecycle and Data Management (PLM, PDM) software and services. A key fact to point out is that ISO27001 certification is granted to an organization's information security management system (ISMS) for a defined scope, not to specific products or services; anyone relying on a certificate should check that the scope statement printed on it actually covers the service they are buying.
While ISO27001 certification pertains to cyber security practices and security management within the company, it can also help businesses achieve and maintain the required level of regulatory compliance. This can be a direct competitive advantage, and is even a requirement in some markets and market segments. The purpose of the certification is to confirm and vet a company's security management system, verifying that it is indeed functioning and that controls and practices are in place, without mandating specific techniques or methods for implementing those security measures. As such, the certification is flexible enough to be compatible with different types of companies and to meet requirements specific to a market segment, while forming a common ground and accepted framework for interorganizational trust and cooperation. For the Food & Beverage industry, this means, for example, that the systems holding product master data are maintained under documented controls, and that the processes used to develop and operate the software a company provides are transparent and subject to independent audit. The audit covers the management system and its controls, not the security of the software itself; customers who need assurance about the product should still ask for evidence such as penetration test reports or secure development practices.
The certification is not intended to promote or require any specific security solutions or technologies, but to provide assurance about the organizational capabilities, culture and processes that allow the organization to respond to incidents and maintain a planned level of security. For end users of software provided by a certified company, this means at a minimum that the company producing the software has a defined set of security practices and controls in place, and that an external auditor has checked that they operate as described. Furthermore, certification gives assurance that the organization is committed to maintaining its software and services in a coherent, planned and transparent manner.
How does the ISO27001 certification process work?
The certification process for each company can be vastly different depending on the particular aspects of that company. However, one thing is certain: there will be a set of process descriptions, a lot of risk analysis work, and control systems to verify that the processes remain up to date and that any improvements are implemented to keep the company on track with its strategic business targets. This all kick-starts a development process geared toward creating a managed, transparent and predictable organization. These are key changes which must occur within the information security culture and practices of the target organization if it is to move away from ad hoc responses and "putting out fires" toward implementing true safeguards against possible cyberattacks.
It is understandable that changes like these, which go deep into the core of an organization, won't happen overnight. Acquiring ISO27001 certification is commonly said to take an average of 6-12 months. It is therefore likely that during that time both old habits and newly introduced processes will need to be readjusted to improve the organization's capability. The goal, however, is that once certification is acquired, the management routines and controls are verified to be in place, so that the information security culture and practices are maintained in a manageable, audited and transparent manner.
This process of developing more stable organizational capabilities gives any organization immediate leverage when competing in the Food & Beverage industry, and in other industries as well. This is why our customers, when they implement PDM services and software provided by SpecPage, can expect a privileged position in the market. Information and data security are critical factors for many customers when choosing supply chain partners. In fact, as many as 71% of respondents in an industry-wide global survey reported having received at least occasional requests from customers to provide proof of their ISO27001 certification status. According to the same study, the certificate is widely considered a globally accepted indication of effective organizational security practices.
Business resilience through improved data breach management
Operating in cyberspace today is more demanding than ever. In the Food & Beverage industry in particular, securing supply chain data while meeting regulatory compliance requirements can be a pressing issue for companies.
ISO27001 certification for SpecPage, as a professional PLM/PDM provider, brings yet another specific improvement to the organization's capability to operate in global cyberspace. Business resilience is a key issue, because no company can completely avoid a data breach, downtime or some other incident that disrupts service delivery. ISO27001 addresses this requirement by obliging the organization to plan, document and regularly verify how it manages incidents and maintains information security during disruptions, whether caused by a data breach, an intrusion or a hardware failure. It does not guarantee that every incident can be recovered from; it guarantees that the organization has thought about how it would recover and has had that plan audited.
Problems with business resiliency can incur heavy costs, not only for the companies providing the services, but, in the case of a SaaS service like SpecPage's product lifecycle management service, for the customers using the service as well. For a company like SpecPage, downtime caused by a local hacking or infrastructure incident could mean that a client organization loses traceability in its product delivery and manufacturing process. In the Food & Beverage industry, timely responses and focused delivery processes are essential, and due to the nature of the industry, even a slight delay could cause whole batches of products to expire if accurate, real-time product data ceased to be accessible or reliable for even a short time.
ISO27001 addresses this issue by formalizing the organization's recovery routines, so that company management is aware of the organization's actual capabilities. This capability also provides a sound interface for client organizations to align with, where the processes reflect the service levels agreed in the contractual framework between the companies. Agreed and transparent service levels, together with resiliency capabilities, can be a direct competitive advantage, since many companies either lack these capabilities entirely or fail to deliver when service disruptions occur. ISO27001 certification is a good indication that the organization has planned and audited processes in place for an effective and transparent service resiliency capability, bringing real value to global Food & Beverage supply chain markets, which rely heavily on timely delivery.
Featured Image: © fotolia / sikov