ISO 27000: why data security requires continuous improvement

Bertrand Deroubaix, Risks, Quality & Security Director

When choosing a Contact Centre as a Service (CCaaS) solution, the importance of data security cannot be overstated. ISO 27000 is more than a certificate: it is a family of information security standards built around continuous improvement. Learn how ISO 27001, the certifiable standard in that family, helps protect your data.


Data security breaches bring disastrous consequences for reputation, profitability and an organisation's ability to carry out its core functions. Today it is not enough for organisations to manage their own data security: to safeguard their customers they must extend the same standards to their customers' data, wherever it is processed. ISO 27000 compliance is one of the key ways for IT directors to ensure that customers also receive the highest data security standards.

Read on to learn about ISO 27000 compliance and other measures that ensure the protection of your and your clients' data.

The need for ISO 27000 compliance

In 2018, a major data breach at British Airways (BA) exposed both staff and customers' personal and payment details. On top of a £20 million fine from the Information Commissioner's Office (ICO), BA has this year settled a legal claim that was described at the time as the largest group-action personal-data claim in UK history. There has been no admission of liability, and the ICO has said the incident was the result of customers being redirected to a fraudulent site.

Lapses in data security will be exploited. In March 2020, Virgin Media announced a data breach that was the result of an incorrectly configured marketing database being left unsecured for 10 months. Today more than ever, small oversights in data security can exact a devastating price. According to an IBM study covering 17 countries, the average cost of a data breach in 2020 was about £2.9 million, a figure that does not include reputational damage and ruined careers. To make matters worse, organisations today have to worry about more than their own security hygiene: weaknesses in subcontractors' security provide backdoors into the most carefully guarded systems. This is one of the primary reasons why standards such as ISO 27000 are so important: they give organisations a way to gauge their partners' threat readiness. So what is ISO 27000, and how does it support data security?

The ISO 27000 framework

The ISO 27000 series is a set of standards and best practices that help organisations improve their information security and compliance. Created jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the series lays out a methodology for implementing information security best practices in the form of requirements for an information security management system (ISMS). These requirements address the three pillars of information security: people, processes and technology. The ISO 27000 series consists of 46 standards altogether, but the key ones for most organisations are ISO 27001 and ISO 27002.

ISO 27001 is the central standard in the ISO 27000 series and the one against which organisations are certified. It sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS. More than a checklist for compliance, what makes ISO 27001 a powerful tool is its built-in improvement cycle: risks are assessed, controls are selected and applied, their effectiveness is monitored and audited, and the findings feed back into the next cycle. An ISO 27001 certification is the midpoint of a journey: it is optional, but it shows that an organisation has reached a sufficient base level of data protection and is committed to an ongoing data security enhancement plan. This can set an example to partner companies, a standard for sub-contractors and engender trust in customers.

ISO 27002 is a supplementary standard that provides guidance on the information security controls organisations might choose to implement. Some examples include carrying out regular risk assessments and following up on their findings, creating a high-level data security committee, and assessing and monitoring access to sensitive data. An ISO 27001 certificate does not by itself say which of these controls are in place: that is recorded in the organisation's Statement of Applicability, which is the document to ask a supplier for when evaluating their security posture.

One useful additional standard is ISO 9001, which presents the criteria for a quality management (QM) system, based on a number of QM principles including customer focus, leadership, the process approach and continual improvement. Together, ISO 27001, ISO 27002 and ISO 9001 help organisations build their own data security systems.

How ISO 27000 compliance supports continuous improvement

Continuous improvement within the ISO 27000 framework has a few main components. The first, and most straightforward, is simply keeping up with evolving threats. Organisations can support this by tightening their controls as threats change, for example updating password requirements and data-sharing protocols. Of greatest importance to lasting improvement is expanding the scope of the ISMS, from infrastructure to software to services. This is especially critical for large organisations, for whom any weak spot is likely to be exploited. A company can hold an ISO 27001 certificate whose scope covers only its infrastructure, and for some purposes that may be adequate; the scope stated on the certificate is therefore worth checking before relying on it. But for CCaaS providers, strict attention to data security at the levels of software and services is an absolute must.

As organisations progress further along their ISO 27000 compliance journey, data security concerns play a greater and more integrated role, affecting everything from communications to software development. For example, developers who treat security as an afterthought may design a program and then layer security measures on top. More advanced is a security by design model, in which security requirements are built into the design from the ground up, so that threats are considered before code is written rather than patched afterwards. The result is more resilient, reliable solutions.

Beyond ISO 27000

Odigo has been proudly ISO 27001 certified for 7 years. In that time Odigo has expanded the scope of data protection from infrastructure through software to services, and all software is built on a security by design model. Beyond compliance with ISO 27000, Odigo also holds a PCI DSS certification covering its payment services modules at delivery points of presence (POP). Odigo is committed to providing a security-first cloud-based platform that clients can trust.

Would you like to find out how Odigo can help you provide the best experience for your customers while ensuring the highest level of data security?
