14.06.2023 | Featured News

Evitec’s journey towards ISO 27001 certification: raising the bar of information security

Evitec is on its journey to achieve the Information Security Management System certification in compliance with the ISO/IEC 27001:2022* standard. Target is to obtain the certification during H1 of 2024.

Purpose with the ISO 27001 standard is to enhance the overall security posture as well as provide the company a 3rd party assurance of how information security is governed. In the financial sector, where security and bank secrecy have always been paramount, coupled with GDPR requirements for personal data protection, the importance of information security is well recognized.

– We can see EU (EU’s Digital decade**) putting pressure on this matter together with directives and initiatives such as DORA and NIS2. The eyes are directed towards the critical industries, and after that towards operators’ such as us. We need to meet these demands, and ISO 27001 standard is a good and straightforward way to do it. Moreover, the certification helps us to demonstrate our commitment to customers and stakeholders, states Harri Inkinen SVP, Information Security in Evitec.

Identify risks, and then treat them

The ISO 27001 is a standard, that defines the requirements for an information security management system. The challenge lies in determining the most optimal approach to meet those requirements.

– In practice, we estimate the company’s intellectual property as well as customers’ data we want to keep safe and available, what the possible threats and risks are, and then adopt appropriate measures to manage or minimize these risks, adds Inkinen.

Complying with an ISO standard is a process that requires continuous actions from the company.

Inkinen clarifies: – Risk management is a collective responsibility. With this I refer to the fact that every piece of our intellectual property has an owner, and owners should be able to constantly identify and report threats. ISO 27001 is a risk-based standard; what should be accepted and what should be mitigated. When that is acknowledged, we have a foundation to build on.

Looking ahead to 2024

The target is to obtain ISO 27001 certification during H1 of 2024. Prior that there will be external audits conducted by accredited auditors.

– Ultimately, putting effort in information security keeps us safe, of course, but it also makes us more trustworthy partner in the markets, opening up new exciting opportunities, concludes Inkinen.

*) ISO 27001 is an information security standard created by the International Organization for Standardization (ISO).

**) More information: Europe’s Digital Decade