Last Updated on January 13, 2024
As an ISO 27001 Certified Lead Implementer living in Atlanta, GA, I hear a lot of people talking about Financial Technology (FinTech) companies, but I don’t hear enough discussion about ISO 27001. I’d like to change that by illustrating how the ISO 27001:2013 standard can be used to address the top cybersecurity fundamentals for FinTech companies recommended by Alyne, a security, risk management and compliance service provider.
In this Part 1, I’ll cover the top 3 tips: awareness, service architecture and basic controls.
Tip 1: Awareness
Alyne says: FinTech organizations need to manifest a culture of security awareness that values both your firm’s and your customers’ information assets. This is underscored by the legally binding non-disclosure agreements and employment contracts that are commonplace in the industry.
How ISO 27001 compliance can help
Clause 7.3 Awareness
Compliance with this clause of the standard requires organizations to ensure employees and contractors are aware of the information security policy, their contribution to effective information security management, the benefits of improved information security performance and the implications of not complying with the information security management requirements.
Control A.7.1.2 Terms and conditions of employment
This control provides organizations guidance on how to state information security responsibilities in contractual agreements with employees and contractors.
Control A.7.2.2 Information security awareness, education and training
This control provides guidance on how organizations should give employees and contractors appropriate security awareness education and training, along with regular updates on the policies and procedures relevant to their job functions.
Control A.7.3.1 Termination or change of employment responsibilities
This control provides guidance on how information security responsibilities that remain valid after separation or change of employment should be defined, communicated and enforced with employees and contractors.
Control A.13.2.4 Confidentiality or non-disclosure agreements
This control provides guidance on identifying, reviewing and documenting requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information.
Tip 2: Service Architecture
Alyne says: With all the “as-a-Service” options out there these days, you don’t need to build and operate services that aren’t within your core competency. This applies specifically to security capabilities. Payments, server and database hosting and access management are some services to consider outsourcing. Moreover, “Smart service architecture dramatically reduces complexity of your cyber security and compliance requirements.”
How ISO 27001 compliance can help
Clause 4.3 Determining the scope of the information security management system
Compliance with this clause of the standard requires organizations to determine the boundaries of their information security management system by considering the interfaces and dependencies between activities performed by the organization and those performed by other organizations.
Security controls category A.15 Supplier relationships
These controls provide guidance on documenting an information security policy for supplier relationships, addressing security within supplier agreements, addressing security risks in the information and communication technology supply chain, monitoring and reviewing supplier services, and managing changes to supplier services.
Tip 3: Basic Data Protection Controls
Alyne says: Your basic data protection controls should identify your most critically important data assets, as well as your policies and procedures that enable you to meet your legal requirements for data privacy. Basic controls should also define key roles and responsibilities for protecting data, as well as foundational protections like secure passwords, two-factor authentication and mobile device controls.
How ISO 27001 compliance can help
Clause 6.1.3 Information security risk treatment
Compliance with this clause of the standard requires organizations to produce a Statement of Applicability that defines the necessary controls and whether they are implemented or not.
Control A.8.2.1 Classification of information
This control provides guidance for classifying information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Control A.18.1.4 Privacy and protection of personally identifiable information
This control provides guidance on how to ensure privacy and protection of personally identifiable information as required in relevant legislation and regulation where applicable.
Control A.6.1.1 Information security roles and responsibilities
This control provides guidance on how information security responsibilities for assets and information security processes should be defined and allocated.
Control A.9.3.1 Use of secret authentication information
This control provides guidance on how users should be required to follow the organization’s practices in the use of secret authentication information (e.g. passwords).
Control A.9.4.3 Password management system
This control provides guidance on how password management systems should be selected and configured to be interactive and ensure quality passwords.
Control A.6.2.1 Mobile device policy
This control provides guidance on how to adopt a policy and supporting security measures to manage the risks introduced by using mobile devices.
To discuss how ISO 27001 certification could help your FinTech firm reduce security and compliance risk, as well as explore scope and cost considerations, contact Pivot Point Security.