Security Matters

Is ISO 27001:2005 certification enough?

Integreon’s answer is “no”. While ISO 27001:2005 certification is an essential indicator of a service provider’s operational maturity, certification alone is not sufficient for information security management.

International standards like ISO 27001:2005 are highly valuable. They provide a foundation, a set of minimum standards for physical and procedural security that every BPO company must meet. Customers rightly demand official ISO 27001:2005 certification to verify the trust they place in a global sourcing partner.

ISO 27001:2005 certification helps ensure that a service provider’s physical and procedural security are adequate, including restricted access to premises and networks, data encryption, storage and retention practices, login and access control policies, firewall monitoring, virus protection systems, incident response SOPs, redundant infrastructure, and business continuity plans.

In spite of the widespread adoption of ISO 27001:2005 certification by the global BPO industry, customers continue to question whether global sourcing providers have adequately addressed their information security needs. The customers are right.

What more should be done?

To go beyond the minimum set by ISO 27001:2005, a global sourcing service provider must follow management practices that create a “culture of security” throughout the entire organization.

Whether you call it “culture” or “organizational psychology” or “company values”, the bottom line is the same: a comprehensive security management system requires that each employee has the awareness, motivation, and support environment required for them to take personal ownership of security issues.

Easier said than done.

Awareness:

  • Does each employee understand that security is the most important customer service concern?
  • Does each employee understand why security is “mission critical”?
  • Does each employee understand how the customer defines security?
  • Does customer feedback reach employees at all levels?
  • Has each employee received and read a copy of the service provider’s code of conduct?
  • Has the code of conduct been explained and reinforced by all managers?
  • Are employees rewarded and recognized for delivering superior customer service?

Motivation:

  • Does each employee know that their actions are traceable, even when the customer is anonymous and 10,000 miles away?
  • Are the disciplinary consequences of all security breaches well-defined and strict?
  • Are the disciplinary consequences of security breaches consistently enforced?

Support environment:

  • Are specific security risks and responses explained to all employees as they arise?
  • Do all employees work in teams that are accountable for delivering world-class customer service and security?
  • Do managers instruct employees how to behave should they become suspicious of a security breach, including access to confidential/anonymous feedback channels?

Risk can be managed

Any new industry or technology brings new security management risks. While security risk is an inherent, enduring part of doing business anywhere in the world, new industries and companies have a special burden of proof to satisfy before customers extend their trust.

While it is clearly impossible to guarantee perfect security, the combination of physical/procedural security and a culture of security, established and reinforced by management, can greatly reduce the risks.

BPO customers want to see a comprehensive, thoughtful security management system before they “certify” a service provider. In BPO, the most important certification is the customer’s.