Cookie Settings

Request a demo

Get access to all the tools and information necessary for the customer's life cycle at Odigo by heading to our client portal

My Odigo

ISO 27000: why data security requires continuous improvement

ISO 27000: why data security requires continuous improvement
Bertrand Deroubaix
Bertrand Deroubaix Risks, Quality & Security Director

When choosing a Contact Centre as a Service (CCaaS) solution, the importance of data security cannot be overstated. ISO 27000 is more than a certificate; it’s a comprehensive data security framework that fosters continuous improvement. Learn how ISO 27001 helps protect your data.

October 5, 2021 3 min of reading

Data security breaches bring disastrous consequences to reputations, profitability and the ability of organisations to carry out core functions. Today it’s not enough for organisations to manage their own data security – to safeguard their customers they must extend the same standards to their data. ISO 27000 compliance is one of the key ways for IT directors to ensure that customers also receive the highest data security standards.

Read on to learn about ISO 27000 compliance and other measures that ensure the protection of you and your clients’ data.

The need for ISO 27000 compliance

In 2018, a major data breach at British Airways (BA) affected both staff and customers’ personal and payment details. On top of a £20 million fine from the Information Commissioner’s Office (ICO) BA have this year settled a legal claim which at the time was said to be the largest group-action personal-data claim in UK history. There has been no admission of liability and the ICO have said the incident was a result of customers being redirected to a fraudulent site. 

Lapses in data security will be exploited. In March 2020, Virgin Media announced a data breach that was the result of an incorrectly configured marketing database being left unsecured for 10 months. Today more than ever before in history, small oversights in data security can exact a devastating price. According to an IBM study including 17 countries, the average cost of a data breach in 2020 was about £2.9 million, which doesn’t include reputational damage and ruined careers. To make matters worse, organisations today have to worry about more than their own personal security hygiene – weaknesses in subcontractors’ security provide backdoors into the most carefully guarded systems. This is one of the primary reasons why standards such as ISO 27000 are so important: they give organisations a way to gauge their partners’ threat readiness. So what is ISO 27000, and how does it support data security?

The ISO 27000 framework

ISO 27000 standards is a series of best practices that help organisations improve their information security and compliance standards. Created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the series lays out a methodology to implement information security best practices in the form of information security management system (ISMS) requirements. These requirements address the three pillars of information security: people, processes and technology. ISO 27000 consists of 46 standards all together, but the key areas of interest to many organisations are ISO 27001 and ISO 27002.

ISO 27001 is the central standard in the ISO 27000 series. It contains a set of steps to take to build up an information security management system. More than a checklist for compliance, what makes ISO 27001 a powerful tool is its support for continuous improvement. An ISO 27001 certification is the midpoint of a journey – it is optional but shows that an organisation has reached a sufficient base level of data protection and is committed to following an ongoing data security enhancement plan. This can set an example to partner companies, a standard for sub-contractors and engender trust in customers. 

ISO 27002 is a supplementary standard that provides an overview of information security measures and controls that organisations might choose to implement. Some examples include: carrying out regular risk assessments, following up on findings, creating a high-level data security committee and the assessment and monitoring of access to sensitive data.

One useful additional standard is ISO 9001, which presents the criteria for a quality management (QM) system, based on a number of QM principles including customer focus, the involvement of management, the process approach and continual improvement. Together the resources of ISO 27001, ISO 27002 and ISO 9001 help organisations create their individual data security systems.

How ISO 27000 compliance supports continuous improvement

Continuous improvement within the ISO 27000 framework consists of a few main components. The first, and most straightforward, is simply keeping up with evolving threats. Organisations can support this process by taking measures to tighten security – for example updating password requirements and data-sharing protocols. Of greatest importance to lasting improvement is expanding the scope of data security, from infrastructure to software to services. This is especially critical for large organisations, for whom any weak spot is likely to be exploited. A company could be ISO 27000 certified with only an infrastructure-level of security, and for some purposes, that may be adequate. But for CCaaS providers, strict attention to data security, at the levels of software and services, is an absolute must.

As organisations progress further along their ISO 27000 compliance journey, data security concerns play a greater and more integrated role, impacting everything from communications to software development. For example, software developers with more cursory security concerns may design a program, and then layer security measures on top. More advanced is a security by design model, in which security is built into the design from the ground up. The result is more resilient, reliable solutions.

Beyond ISO 27000

Odigo has been proudly ISO 27000 certified for 7 years. In that time Odigo has expanded the scope of data protection from infrastructure through software to services, and all software is built on a security design model. Beyond compliance with ISO 27000, Odigo also has a PCI-DDS certification, certifying the payment services modules of Odigo at delivery points of presence (POP). Odigo is committed to providing a security-first cloud-based platform that clients can trust. 

Would you like to find out how Odigo can help you provide the best experience for your customers while ensuring the highest level of data security?

Bertrand Deroubaix
Risks, Quality & Security Director

Read more
May 16, 2023 3 Bring Odigo’s Workspace app for MS Teams to banking 

Modern banking relies on in-branch standards of care and expert advice from a distance. Find out how Odigo’s Workspace app for MS Teams involves experts from outside the contact centre in the drive for customer satisfaction.

Read more
April 27, 2023 3 Contact centre NLP use cases

Natural language processing (NLP) is an applicable everyday contact centre technology. Discover how to harness it with these six practical NLP use cases. 

Read more
April 18, 2023 3 Harnessing Odigo’s Microsoft Teams connector in insurance contact centres  

When details matter, Odigo’s Microsoft Teams connector can help maintain case continuity and accuracy.

Read more