- Why did PayFit decide to get the ISO 27001 certification?
- How did the process start?
- What were the main steps in this process?
- Once obtained, what can be expected from the certification?
- What is required to keep the certification in the long term?
- What was the most complicated step?
- Do compromises have to be made to be certified?
Becoming certified is always a difficult task, especially for a young company. Often seen as a lengthy and costly endeavour, the process is also not straightforward: where do you start? Do you need support? It's a complicated process given that security has now become a crucial issue for companies, whatever their size and however long they've been around.
At PayFit, we started working towards the ISO 27001 certification in 2018*. We received it two years later, in September 2020. It took us some time to understand how to get started on such a complex subject. At the time, there was no feedback from companies similar to ours, and no established practices, that we could draw on.
In this piece, Guillaume Gohin, Head of Information Security, the person responsible for spearheading the project at PayFit, provides us with his experience and advice for those who wish to embark on a similar project.
*What is the ISO 27001 certification?
The ISO 27001 certification is an international standard for information system security from the ISO (International Organization for Standardization). Its purpose is to protect companies from any loss, theft or corruption of data, by safeguarding computer systems from breaches or damage. In addition to technical measures, it also provides best practices for 360-degree security.
Why did PayFit decide to get the ISO 27001 certification?
At PayFit, security is one of our significant development challenges. It is an integral part of our product. Due to the nature of our business, namely payroll processing, we handle sensitive, personal and confidential data. As a result, we must guarantee and deliver a safe product.
"Since safety is part of our product, it must be an integral part of all of our work projects and corporate culture."
Guillaume Gohin, Head of Information Security @ PayFit
PayFit continues to grow strongly in Europe. Today, we are in five countries and work under different legal systems. We are also serving more and more customers, of ever-increasing size. This meant that we needed a framework that would allow us to organise all our operations with a standard security level.
How did the process start?
We started researching the possibility of obtaining the certification at the end of 2018. It wasn't enough to just say it anymore – we wanted to go beyond vague statements and vouch for our safety systems' reliability with a standard.
The ISO 27001 certification is internationally recognised and covers more than 150 control points. It certifies all of a company's products and services without exception – not only the security of an application or product but also the entire organisation. This made it particularly appealing.
We made a "benchmark list" of companies that had taken this approach and could advise us. Unfortunately, there is not a lot of information available on this topic and, as a result, we knew that we would need support from a third party. At the beginning of 2019, BSI Group, a certification body, started to provide us with their support in this process.
What were the main steps in this process?
There were five main steps:
- in-house training;
- creating and filling in the basic documentation;
- practising with a mock audit;
- passing the level 1 documentation audit, called "stage 1";
- passing the level 2 audit, called "stage 2".
Step 1 — In-house training (five days)
To begin with, in-house training was our priority. The recommendation is for at least one person in the company to undergo training to perform an audit.
At PayFit, two of us completed the five-day training with BSI Group. Anne-Flore de Belenet, Legal Director, and I obtained the highest security certification, "ISO 27001 Lead auditor".
Step 2 — Documentation phase: completing the strategy and operational checks (18 months)
From June 2019, we created the essential documents that formed the basis for our day-to-day security following the ISO 27001 certification. In concrete terms, these documents include 114 specific and highly operational checks, divided into nine major policies:
- general security policy;
- security of operations;
- development security;
- incident response plan;
- information system manual;
- business continuity;
- relations with suppliers;
- access and resource management;
- physical and equipment security.
For us, this involved, for example, setting up a procedure for the arrival of new employees and creating a security training plan for employees.
To move on to the next step, a company has to tick off these 114 checks while also defining the security policy and carrying out a full risk analysis for all roles and operations.
Did you know?
To be certified, you must pass two audits. The first one concerns the company's documentation and constitutes level 1, known as "stage 1". Then, the level 2 audit, known as "stage 2", will check whether the company's processes and organisation correspond to the established documentation.
During these inspections, there are three types of anomalies:
- Observations: the auditor gives advice on improving a point, but this remains informative.
- Minor anomalies: the audit is not compromised, as long as the company commits to correcting the anomaly, giving a plan for fixing it (who will be involved, when, how, etc.). Several minor anomalies can turn into major ones.
- Major anomalies: the company does not pass the audit.
Step 3 — The mock audit, comparing our documentation with reality (after six months of audit preparation)
Before the level 1 audit, we organised a mock audit with BSI Group. We then simulated a level 2 audit to assess our progress. We had focused a lot on documentation until then, but it was still very theoretical and we wanted to test ourselves in practice. This simulation proved extremely useful and allowed us to take stock of our progress. We subsequently took and passed level 1 in June 2020.
Step 4 — The "level 1" audit, presenting sufficiently solid documentation (six months)
We started to get ready for the level 1 audit in January 2020. This initial step had two specific goals:
- to improve processes, see what was missing and make a new plan to reach the required level. Together with the auditor, we looked through all the essential documents that had been created to make sure that they matched the requirements of the standard;
- to present the results of all the work carried out (including the mock audit) to management during a "Management Review". In concrete terms, this was a meeting with all the department heads, where we presented the different policies put in place and the performance indicators, the success of the actions implemented until now and everything that still needed to be done: everything that might require their validation as well as their support.
At PayFit, we had the full support of management who have been proactive in helping us. As they work closely with the teams, the project has been driven by a shared will to implement the proposed changes and the agility that is ingrained in PayFit's DNA. Therefore, it turned into a company-wide project with top management and a project for the teams with clearly defined objectives.
Step 5 — The "level 2" audit, obtaining certification through 150 checks (four months)
The second audit took place at the end of July. It took place across all company sites, which meant the four countries where we are present (Germany, Spain, France and the United Kingdom).
The auditor compared the documentation with the work in the field to assess the company's practices across the 150 checks, as required by the standard. We looked at the evidence together, check by check.
For example, we analysed our processes and security measures throughout the development cycle of a feature. We also reviewed the access and materials available to an employee, randomly selecting a few employees.
If I'm honest, these were stressful times. For two years, we worked on putting all the processes in place to get the certification, and we would have been very disappointed had our efforts not borne fruit. We finally obtained it in September 2020.
Once obtained, what can be expected from the certification?
Getting the ISO 27001 certification is fantastic news. First and foremost, it has an incredible external impact. Being able to display the certification allows us to change our image by showing that PayFit is growing while becoming stronger and more mature. We moved from having vague assertions to very concrete evidence of our commitments.
The certification provides a guarantee to all the company's stakeholders that they are working with an operator who is fully committed to security: customers, service providers and partners.
This will undoubtedly have an impact when it comes to winning over new customers as they now know that when they choose us to manage their payroll, security will be the No. 1 priority.
From an internal perspective, being certified demonstrates that there is a strong will to make a long-term commitment to security issues.
What is required to keep the certification in the long term?
While the information system has now been audited, that doesn't mean that we will stop our efforts to guarantee security. In fact, we set ourselves objectives during the audit, such as increasing the use of certain tools.
Each year the system is checked to make sure all is well and every three years there is a full audit.
Today, all our employees are trained in security, on their first day and at least once a year. It is a mandatory process that I think is both extremely healthy and positive.
Having specific training in security and usage highlights its importance within our organisation. It becomes an issue for not just the IT team, but the whole company and every employee. This is how we support and improve the company's level of security.
We make sure that everyone understands how a breach of procedures can affect the whole company, how everyone contributes to our product's availability, etc.
What was the most complicated step?
The initial documentation step was the most difficult for us. We had to write down all the actions that the company was going to implement to comply with the full standard. We were faced with a mountain of documentation and theory. Setting up this kind of project is a long and tedious process, especially as we had little experience in this area!
In general, the "change management" stage is hugely complicated in companies, particularly for companies with thousands of employees. If there is any internal pushback, the whole process of obtaining the standard becomes a lot more arduous. You are asking some teams to add to or change their processes and daily habits, so you need the management team and all the managers to support the project.
At PayFit, with 500 employees, we didn't have this problem. In fact, the security team has a job to do and plays as much a part in the company's success as any other role does.
"The information security team doesn't just have a control role, but it participates in the strength of the product and growth, in the interest of the business and the employees."
Firmin Zocchetto, CEO & Co-Founder @ PayFit
Do compromises have to be made to be certified?
Clearly, when you decide to strengthen security processes, you have to give up some of your agility. More processes are put in place, especially for relationships with third parties (providers, partners, etc.). For example, when we work with a new service provider, we need to be assured of the security guarantees they provide. If they are certified, the process is speedy. If they aren't, then it takes longer.
I actually believe that this is extremely positive and I don't see it as a sacrifice. First of all, including security in your growth activities and in the company's organisation is essential, especially when handling sensitive data such as PayFit does.
Second, you have to know how to find the right balance between agility and security. For us, the balance is leaning towards agility and innovation, but with full security.
People need to take steps as quickly as possible, but not at any price. There is now a very clear line that we consider in every new project right from the design stages.
Guillaume's advice for a smooth start to the certification process
1. Do things in the right order: do not start the certification process if security has not been a strategic issue before. The standard is there to approve an already-existing system. But if you go ahead without a system in place, you'll have too much catching up to do.
2. There must be a will to commit the company to security issues on a long-term basis:
- involving the founders and management in the process enables all the teams to be involved;
- make security a structural challenge for the company. These are not just boxes to be ticked; security is a daily issue that is integral to all operations.
3. Provide for an adequate budget: real and mock audits, support, tools, etc.
4. Put in place the tools necessary to receive the standard: a centralised management tool for managing equipment security (JAMF at PayFit) or background checks for new employees that you may not have been doing before (diploma, identity, previous experience).
5. Carry out a mock audit: this allows you to take stock of your situation and identify what needs to be improved before the big inspection.
6. Train your teams:
- have at least one person certified as an ISO 27001 auditor;
- train all employees in security.
7. Provide communication on security issues: generally, people think that "security" only means "confidentiality". For developers and tech roles, it means "integrity". But not many consider the last part: availability.
However, ensuring that our application, product and service are available is very much part of the security guarantees. The ISO 27001 certification also includes a business security and incident response section.
8. Make your certification visible:
- display the logo in email signatures;
- dedicate a page to security guarantees on your site;
- make sure your sales teams know about it: this is an asset that can be a decisive factor for some customers.