If you’re in the technology industry, chances are you’ve come across a few companies that have recently announced their ISO 27001 certification. If you’re deeply ingrained in this space, you may know all about it. But many of us don’t realize the true impact of this certification. What does it mean? How does it help employees and customers feel more secure in doing business for and with Polycom? We caught up with Lucia Milica Turpin, CISO of Polycom, to dig deeper into this certification.
Can you give a description of what the ISO/IEC 27001:2013 certification means?
The ISO/IEC 27001 is the most widely accepted international standard for information security best practices. It helps organizations implement a systematic and proactive approach to managing information security risks.
Why is this certification critically important to Polycom and its customers?
The ISO/IEC 27001:2013 certification assists Polycom in providing assurance to existing and potential clients that Polycom has established and implemented best-practice information security processes (covering people, processes, and technology) to safeguard the company’s internal/confidential data, intellectual property, and customer information.
The certification is often a prerequisite for suppliers and customers to show that we have a mature security program and that we are proactively managing our information security posture.
What are some of the key benefits of the ISO/IEC 27001:2013 certification?
The ISO/IEC 27001:2013 certification not only reinforces Polycom’s commitment regarding information security practices and controls, but also provides assurance on the systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of the company’s internal/confidential data, intellectual property, and customer information.
In addition, this certification is an important foundation for adopting other security standards and frameworks as we go to market with existing and new unified communication and collaboration solutions.
Is this certification a must-have for Polycom and other audio and video conferencing vendors?
ISO/IEC 27001:2013 is a key differentiator for Polycom because Polycom’s ISMS also includes the Product Development Process for designing, developing, and implementing Polycom’s Unified Communication and Collaboration Solutions.
Given the cybersecurity threats, it is important for providers of Unified Communications and Collaboration Solutions and Services to assure their customers that their data is adequately protected. ISO/IEC 27001:2013 certification emphasizes Polycom’s continuous commitment to information security and the implementation of industry best practices.
How rigorous is the testing process?
Polycom implemented an Information Security Management System (ISMS) that consists of company-wide policies, procedures, and controls in areas of Information Security, Human Resources Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations & Communications Security, System Acquisition, Development and Maintenance, Supplier Relationships, Information Security Incident Management, and Business Continuity Management.
The compliance audit process included an initial review of Polycom’s ISMS, followed by an in-depth and formal audit to test the adherence of Polycom’s ISMS to the ISO/IEC 27001:2013 standard’s requirements. The auditors validated the effective implementation of administrative, technical, and physical security controls that assist in maintaining the confidentiality, integrity, and availability of customer information, the company’s confidential data, and intellectual property. The audit process also ensured the effectiveness of applicable controls in Polycom’s Product Development Process.