Information Security Principles part of our DNA

We sit down with Link Group’s Chief Information Security Officer (CISO), Dave Cowan, to understand why managing information security risk is important and how it helps keep sensitive shareholder and employee data secured.

Since 2015, Link Group has achieved and maintained ISO 27001 accreditation company-wide ensuring that privacy-by-design and information security principles are firmly embedded as part of the DNA of our organisation.

What is ISO 27001 accreditation?

In short, it is an international standard for information security; a set of policies, procedures, standards and guidelines that together provide a systematic risk management framework for organisations to manage information security risk. It is well respected within the industry as it is determined by international experts who set a code of best practice from lessons learned in operating controls protecting core information assets.

Why is this important?

Information, particularly the sensitive and confidential information Link Group manages on behalf of clients, is one of the most valuable assets we hold. Additionally, the growing threat of security risks and their consequential business costs are on the rise. In 2021, for example, the average data breach cost for a business impacted by a major incident was $6.47M AUD, with companies experiencing around 270 sophisticated attacks.

By achieving certification and maintaining ISO 27001 controls, not only is Link Group providing tangible evidence that we are following global best practices and recognised risk management practices – we are proactively doing everything we can to ensure the growing threat of information security risks is managed in a systematic manner. We also believe it sets a common language and minimum standard for other providers in the industry as it heavily aligns with APRA’s CPS234 standard.

What is unique about our accreditation?

It is rare for a company of our size and scale to have achieved accreditation across the entire organisation. Many businesses focus on a single data centre, department or product line, but this only addresses certain aspects of the organisation's data security, leading to a compliance-based approach and leaving information assets in other areas exposed or vulnerable.

In contrast, Link Group are all-in to ensure our information security protocols are of the highest standard. This means around 94% of our entire global operations have achieved ISO 27001 certification. Everyone in the organisation is aware of the information security policies and procedures and undertakes regular, comprehensive training and awareness. We recognise our responsibility and believe all of us play an important part in keeping information and financial assets safe, not just the information security team.

What is included in our framework?

There are 114 controls in the ISO 27001:2013 version (93 in the 2022 version) set out by the international framework that companies can use to guide their approach to managing information security risk. Link Group have chosen to implement all the recommended controls plus the seven mandatory clauses which make up the information security management system.
This covers business areas such as IT, internal audit, management roles, human resources, facilities, finance, operations and administration. The controls are continuously reviewed and responsive to new developments in our business as well as changes to the information security environment.

How is it maintained and checked?

To achieve accreditation as we did in 2015, you must first undergo two comprehensive audits to prove you meet the standard and that you ‘say what you do and do what you say’. Following this, the business undergoes a recertification audit every three years with intermittent surveillance audits in between to ensure everything is up to date and aligned with the standard. For example, when we add new office locations such as the new office in Parramatta, Sydney or Pune, India, certification of the physical and logical environment is required.

How does it help our business?

Implementation of these controls means our teams can confidently manage security risks and assess if our security and privacy protocols are effective. Everyone from the contact centre analysts to our executive management team knows how to protect the information assets which helps reduce the risk of potential data breaches and human error. This robust framework allows us to deliver continuous improvements and most importantly, ensures that information and financial assets stay protected.

How does it benefit your register and shareholders?

We believe implementing the ISO 27001 accreditation across our business gives our clients and your shareholders comfort that we are making every effort to protect their valuable information and financial assets.

As an independent verification, it provides further reassurance that it is not easily achieved or retained. We also intentionally try to be as transparent as possible with our clients about what we are doing to manage these security risks and the compensating controls deployed to protect shareholder data.

If you would like to learn more about our ISO 27001 accreditation or our information security framework, please contact your Client Relationship Manager.

Cybersecurity

Following recent cyber-attacks, we’ve witnessed further data breaches involving some of Australia’s largest organisations. Given the significant nature of these attacks, we continue as a business to work with the government, regulators, and law enforcement to ensure shareholder data remains safe and secure. 

Reminder

You are also invited to join in a conversation around cyber threats and attacks with David Cowan, Link Group's Chief Information Security Officer, together with Lysa McKenna, our Managing Director, Corporate Markets ANZ, on Monday 12th December 2022 at our exclusive client event, Cybersecurity & Governance Resilience. Melissa Jones, our General Manager, Company Matters, will also join Lysa and David to provide her perspective on the role of Company Secretaries in responding to the disclosure of cyber threats.

If you have not already registered to attend, please click here. This event will be an interactive forum and we will welcome your questions.