Wednesday, August 5, 2020
From the very beginning of the Self-Provisioning service, our Microsoft Dynamics Partners have been asking detailed and specific questions about information security. Our commitment to protecting customer data is defined in the agreement we sign with each Dynamics Partner, but understandably, many want to know more about the controls we have in place to fulfil these contractual obligations: they want to be sure that their data is secure. The topic became even more pressing after GDPR came into effect in 2018.
The implementation of 1ClickFactory’s Information Security Management System (ISMS) started at the beginning of 2019. In April 2020 we passed the external certification audit and received the ISO 27001 certificate. It is worth mentioning that from the very beginning we decided to carry out this project on our own, without any third-party consultancy. It was a hard decision, since we were not sure whether our processes met all the requirements or how long the certification would take from start to finish. Now we can say that it was a wise move: because we implemented the ISMS ourselves, we know its ins and outs. We are proud of this because we did not go through the audit for a piece of “paper”; we did it to uncover gaps and improve the security of our services, so that our Dynamics Partners and customers can have the utmost assurance and confidence.
Why Did 1ClickFactory Decide to Get the ISO 27001 Certification?
One of 1ClickFactory’s top priorities is to ensure that the Self-Provisioning service is secure by design and that all the processes supporting the service adhere to strong information security controls. However, it was not always easy to explain to different Dynamics Partners and clients how information security is ensured, because each of them has a different understanding of the available technologies and processes.
1ClickFactory decided to obtain an internationally recognised information security management certification to give Dynamics Partners and customers more assurance. The International Organization for Standardization (ISO) was chosen for this purpose. ISO publishes global standards for information security and quality management, among many other areas. ISO 27001 (published jointly with IEC as ISO/IEC 27001) is part of the ISO 27000 family of standards, all of which relate to information security. ISO 27001 sets the requirements for an Information Security Management System (ISMS): documented processes and procedures as well as technical controls for managing information and IT systems in a secure manner.
What is an Information Security Management System?
An ISMS combines policies, procedures and technical controls into one integrated framework. ‘How do you know what policies to create and what technical measures to implement?’ I hear you ask. There are two approaches to selecting the controls: compliance-based and risk-based. Following the compliance-based approach, you implement everything that the applicable standard or regulation requires (here we mean not the ISO 27001 standard itself but any regulation, a governmental one for example). ISO 27001 follows the risk-based approach: controls are selected according to the risks you identify, and the Statement of Applicability records which of the standard’s Annex A controls you apply and why. 1ClickFactory’s ISMS is implemented in exactly this way.
Risk assessment is the biggest part of the whole project. First, you identify all the assets and evaluate their impact on the service, which takes a lot of effort. Then you evaluate the risk level for every asset/threat pair (typically from the likelihood of the threat and its impact on the asset) and set the threshold above which a risk is not acceptable. For each unacceptable risk, you implement the controls needed to reduce it to an acceptable level. This approach lets us balance a good level of security against cost. Risk management is a continuous process, not a one-off exercise, so this balance is maintained as assets and threats change.
What Does this Certification Mean for Our Dynamics Partners and Customers?
Passing the certification audit does not mark the end of the journey for our information security management system. Really it is just the beginning: we conduct regular internal audits, and the certification body performs periodic surveillance audits, to ensure that we maintain and continuously improve our ISMS.
Our DRP (disaster recovery plan) is mostly concerned with the availability of Microsoft Azure services. We have experienced issues on the Microsoft side several times and know what to expect and how to react. However, many incident scenarios can occur outside the scope of Microsoft Azure. Implementing an ISMS in accordance with ISO 27001 requirements gave us a good opportunity to review and update our DRP and find ways to improve it. We started testing some less probable incident scenarios, not necessarily related to Microsoft Azure, and this gave us useful insights into what to improve in our overall disaster recovery processes and how.
No security framework or certification can guarantee that an organization will not suffer an incident, but the ISO 27001 certification process has really helped us to prepare for a wide range of situations and to mitigate risks as early as possible. It is important for our Microsoft Dynamics Partners and customers to understand that every link in the chain of the Self-Provisioning service (Microsoft – 1ClickFactory – Dynamics Partner – Customer) must also take its own information security responsibilities seriously.
Stay tuned for more details on how the information security responsibilities are shared in the Self-Provisioning service, which will be covered in our next blog post on information security.
About 1ClickFactory Self-Provisioning for NAV/Business Central on Azure Service
With the 1ClickFactory Self-Provisioning for NAV/Business Central on Azure service, Microsoft Dynamics Partners can deploy Dynamics NAV/Business Central solutions on Microsoft Azure through our platform in 1 hour or less. It is self-service and available 24/7 in a highly secure and fully supported environment.
Find out more about the 1ClickFactory Self-Provisioning for NAV/Business Central on Azure service or contact us at firstname.lastname@example.org about this topic if you are a Microsoft Dynamics Partner.