With security as their number one priority, MoreApp is assisted by a team of three Security Officers from Avisi to guide them along the way. This blog will show you how these Security Officers provide guidelines and how MoreApp implements them. We will go into internal audits, the ISO 27001 standard, and ways to keep employees on their toes when it comes to security.
With an international team of 20 young and hard-working professionals, MoreApp helps companies in over 140 countries with its state-of-the-art data processing tool.
Denise Ermes, Product Owner at MoreApp: “Once a year, we are visited by Avisi's Security Officers to perform an internal audit to determine if our processes are in line with the Information Security Management System (ISMS). They make sure that we have performed our yearly risk analysis and verify our up-to-date overview of sub-processors. The Security Officers are also always interested in how we create awareness around security within the team.”
How does MoreApp make sure that security is top of mind in their team? “Every two weeks, we have a team meeting where everyone presents what they have been working on in the last two weeks. In this presentation, we highlight a part of the Information Security Management System (ISMS). Also, all of our offices have ‘Security first!’ posters hanging on the walls with the 10 key points when it comes to security (see the example below). Once a quarter, we send out a satisfaction survey - using MoreApp of course - to all employees with questions such as ‘Why do you think security is important to MoreApp?’”
As Denise explained above, security awareness is an important topic at MoreApp. We at Avisi find it important that our customers can rely on our expertise and awareness of all aspects of information security. We have helped MoreApp set up a process to ensure that they also meet the ISO 27001 standard. This has now resulted in MoreApp being ISO 27001 certified! But it doesn't end there. Certification is not a one-off: to ensure that MoreApp stays compliant with the standard, we support MoreApp in carrying out the aforementioned yearly risk analyses and supplier (sub-processor) assessments, and by conducting internal audits.
During an internal audit, we always investigate a part of the ISO standard to see where MoreApp can further improve their ISMS. In the overview below, you will find the aspects that we consider important during an internal audit:
But how does an internal audit actually work? Over a period of three years, we ensure that we go through all chapters of the ISO 27001 standard (including the Annex A controls, for which ISO 27002 gives the implementation guidance) together with the MoreApp team. In an informal setting, we conduct an interview where we ask questions about the information security policies in place, how processes have been set up, and whether procedures have been documented. Examples include the policy for logging and monitoring, the process for reporting security incidents, and the procedures for onboarding a new colleague.
At the end of each internal audit session, we compose a report in which we summarize the conversation and make the most important findings explicit. These are the strong points, observations, improvements, and non-conformities, all in light of the ISO standard. When improvements and/or non-conformities are observed, we create Jira tickets that the MoreApp team can pick up, so that each finding has an owner and can be followed up at the next audit. This is how we work together to ensure that the MoreApp team continues to improve and stays hands-on with security within its organization.