icon

ISO27001

As our platform operates online, it is essential that investors’ information is stored securely.

ISO27001 is an internationally recognised information security certificate that Kuflink has achieved by building comprehensive security procedures into our everyday operations. We have detailed how we protect personal records and sensitive information, as well as implementing thorough risk management systems.

In short, the ISO27001 certificate:

  • Helps us to identify risks to your information and put in place measures to manage or reduce them
  • Helps us to quickly detect any information security breaches
  • Requires us to have identified all internal and external stakeholders that are relevant to our Information Security Management System (ISMS)
  • Requires us to have a clear ISMS policy and have communicated this to our workforce, who understand how they individually contribute to it
  • Gives us a framework within which we manage our legal and regulatory requirements
  • Requires us to continually review and re-evaluate risks to information security, and adjust our controls appropriately

FAQs about ISO27001

How does this protect me?

  • If you give us information or data in any format (email, verbal, letter etc) it is protected by our systems that have the highest level of sophisticated protection
  • This protection includes but is not limited to: office security, alarmed and CCTV monitored, encrypted PCs, hacker-proof servers, back-ups to easily retrieve your data should you request it, vetted staff to ensure personal security
  • It’s a model of working for frameworks surrounding the legal, physical and technical controls that are used when processing an organisation’s information risk management
  • One of the most obvious benefits is that this shows that Kuflink takes it information security management seriously. Having an independent assessment adds extra weight to this.
  • Hourly backup to protect your information from loss of data
  • Protection is not isolated to IT only. All sensitive information is handled in the same high level of care and attention to ensure no breach of confidentiality occurs

What threats does ISO27001 help Kuflink plan for?

ISO27001 is a developed set of requirements and helps us to plan for a wide array of potential threats, including cybercrime, data theft, data loss, data breaches, misuse of information, cyber attacks and viral attacks.

Why does Kuflink need ISO27001?

Our certification shows customers that we can be trusted with your information. In some industries, companies will not select partners that do not have the certificate and it is often a requirement of governmental data-related contracts. Whilst we don’t work with the government, this example is a great way of demonstrating just how seriously we take information security.

What does this tell me about Kuflink?

ISO27001 tells you that Kuflink understands its security risks and has a solid framework in place to handle them. Our organisation has provided evidence to prove this at our last audit, and will continue to do so going forward.

What did Kuflink need to do to be awarded the certificate?

ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
  • Maintaining the certificate means we go through quarterly audits to ensure the standards needed to gain ISO27001 are still exceeding minimum requirements.
  • The ISO/IEC 27001 certification,[ like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021[6] and ISO/IEC 27006[7] standards:

Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.

Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS).

Stage 3 is the certification audits, which are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

How many checks did Kuflink have to perform to be certified?

There are 114 controls in 14 clauses and 35 control categories;

What are they?

A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security – 6 controls that are applied before, during, or after employment
A.8: Asset management (6 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (15 controls)

Is it a globally recognised standard?

ISO 27001 is recognised internationally and is used by a variety of companies, including non-profits, major corporations, boutique security firms, small e-tailers and even state and federal organisations. The standard comes from the ISO and IEC, two organisations who have made a name in standardisation as well as information security.
Both organisations came together to create a special system that builds worldwide standardisation. The ISO and IEC have members from all over the globe who participate in standards development. ISO/IEC standards have become the preferred credentials for manufacturers, IT companies and customers across the globe.

A copy of our certificate can found here