Obtaining the ISO 27001 security certification: PayFit’s experience
Security is an important topic for every company, yet the process of achieving ISO 27001 certification can be a lengthy and complicated one, particularly for a young company. Because it is often seen as a lengthy and costly endeavour, many companies are put off the task before giving it serious thought.
So, what do you do if there are no examples of similar organisations undertaking the process? What if there are no acceptable practices to draw on? How do you know if you need support and, perhaps most importantly, where do you start?
This was the exact situation that we at PayFit found ourselves in back in 2018. However, over two years since the project began, we finally achieved our ISO 27001 certification in September 2020.
In this piece, Guillaume Gohin, Head of Information Security – the person responsible for spearheading the project – provides us with insight and advice for those who wish to embark on a similar adventure.
What is the ISO 27001 certification?
The ISO 27001 certification is an international standard for information system security from the ISO (International Organization for Standardization). Its purpose is to protect companies from any loss, theft or corruption of data by safeguarding computer systems from breaches or damage. In addition to technical measures, it also provides best practices for 360-degree security.
Why did PayFit decide to get the ISO 27001 certification?
At PayFit, security is one of our significant development challenges. It is an integral part of our product and, due to the nature of our business, we handle sensitive, personal and confidential data. As a result, we must guarantee and deliver a safe product.
Since safety is part of our product, it must be an integral part of all of our work projects and corporate culture.
Head of Information Security @PayFit
As a company, we have grown and are continuing to grow quickly. Today, we are in five European countries that each operate under different legal systems. We are also constantly adding customers of ever-increasing size and this means that we need a framework that will allow us to organise all our operations with a standard security level.
How did the process start?
We started researching the possibility of obtaining the certification at the end of 2018. Talking about it was no longer enough—we wanted to go beyond vague statements and vouch for our safety systems' reliability with a standard.
The ISO 27001 certification is internationally recognised and covers more than 150 control points. What made it particularly appealing for us was that it certifies all of the company's products and services—not simply the security of an individual application or product.
We made a "benchmark list" of companies that would have taken this approach and could advise us. Unfortunately, there is not a lot of information available on this topic and, as a result, we knew that we would need the support of a third party.
At the beginning of 2019, BSI Group, a certification body, started to provide us with their support.
What were the main steps in this process?
There were five main steps:
in-house training;
creating and filling in the basic documentation;
practising with a mock audit;
passing the level 1 documentation audit, called "stage 1";
passing the level 2 audit, called "stage 2".
Step 1 — In-house training (five days)
To begin with, in-house training was our priority. The recommendation is for at least one person in the company to undergo training to perform an audit.
At PayFit, two of us completed the five-day training with BSI Group. Anne-Flore de Belenet (Legal Director) and I obtained the highest security certification, "ISO 27001 Lead Auditor".
Step 2 — Documentation phase: completing the strategy and operational checks (18 months)
From June 2019, we created the documents that form the basis of our day-to-day security under ISO 27001. In concrete terms, these documents cover 114 specific and highly operational checks, divided into nine major policies:
general security policy;
security of operations;
incident response plan;
information system manual;
relations with suppliers;
access and resource management;
physical and equipment security.
This involved setting up a procedure for the arrival of new employees and creating a security training plan for existing employees.
To move to the next stage, a company has to tick off these 114 checks while also defining its security policy and carrying out a complete risk analysis covering all roles and operations.
Did you know?
To be certified, you must pass two audits. The first one concerns the company's documentation and constitutes level 1, known as "stage 1". Then, the level 2 audit, referred to as "stage 2", will check whether the company's processes and organisation correspond to the established documentation.
During these inspections, there are three types of anomalies:
Observations – the auditor provides advice to improve a point, but this remains informative.
Minor anomalies – the audit is not compromised, as long as the company commits to correcting the anomaly, giving a plan for fixing it (who will be involved, when, how, etc.). Several minor anomalies can turn into major ones.
Major anomalies – the company does not pass the audit.
Step 3 — The mock audit, comparing our documentation with reality (after six months of audit preparation)
Before the level 1 audit, we organised a mock audit with BSI Group. We then simulated a level 2 audit to assess our progress. Until then, we had focused a lot on documentation; however, it was still very theoretical and we wanted to test ourselves in practice. This simulation proved extremely useful and allowed us to take stock of our progress. We subsequently took and passed level 1 in June 2020.
Step 4 — The "level 1" audit, presenting sufficiently solid documentation (six months)
We started to get ready for the level 1 audit in January 2020. This initial step had two specific goals:
to improve processes, see what was missing and make a new plan to reach the required level. Along with the auditor, we looked through all the essential documents that had been created to make sure that they matched the requirements of the standard;
to present the results of all the work carried out (including the mock audit) to management during a "Management Review". This was a meeting with all the department heads where we presented the different policies and performance indicators. We also discussed the success of the actions implemented so far and everything that still needed to be done.
At PayFit, we had the full support of senior management. As they work closely with the teams, the project has been driven by a shared will to implement the proposed changes. Agility and adaptability are two things that are very much ingrained in PayFit's DNA.
Step 5 — The "level 2" audit, obtaining certification through 150 checks (four months)
The second audit was run at the end of July. It took place across all company sites, which meant the four territories where we hold physical office spaces (Germany, Spain, France and the UK).
As required by the standard, the auditor compared the documentation with the work in the field to assess the company's practices across the 150 checks. We looked at the evidence together, step by step.
For example, we analysed our processes and security measures throughout the development cycle of a feature. We also reviewed the access and materials available to an employee, selecting a few employees at random.
If I'm honest, these were stressful times. For two years, we worked on putting all the processes in place to get the certification, and we would have been very disappointed had our efforts not borne fruit. We finally obtained it in September 2020.
Once obtained, what can be expected from the certification?
Getting the ISO 27001 certification is fantastic news. First and foremost, it has an incredible external impact. Being able to display the certification demonstrates that PayFit is growing while becoming stronger and more mature. We moved from having vague assertions to very concrete evidence of our commitments.
The certification guarantees all the company's stakeholders (customers, service providers and partners) that they are working with an operator fully committed to security.
This will undoubtedly have an impact when it comes to winning over new customers as they now know that when they choose PayFit to manage their payroll, security will be the No. 1 priority.
From an internal perspective, being certified demonstrates a strong will to make a long-term commitment to security issues.
What is required to keep the certification in the long term?
Although the information system has now been audited, that doesn't mean we will stop working to guarantee security. In fact, we set ourselves objectives during the audit, such as increasing the use of certain tools.
Each year the system is checked to ensure all is well and every three years there is a full audit.
Today, all our employees are trained in security. New employees receive training on their first day and everyone else receives it at least once a year. It is a mandatory process that I think is both healthy and positive.
Having specific training in security and usage highlights its importance within our organisation. It becomes an issue for not just the IT team but the whole company and every employee. We make sure that everyone understands how a breach of procedures can affect the entire company and how we are responsible for ensuring security.
What was the most complicated step?
The initial documentation step was the most difficult for us. We had to write down all the actions that the company was going to implement to comply with the full standard. We were faced with a mountain of documentation and theory. Setting up this kind of project is a long and tedious process, especially as we had little experience in this area!
In general, the "change management" stage is hugely complicated in companies, particularly for those with thousands of employees. If there is any internal pushback, the whole process of obtaining the standard becomes a lot more difficult. You are asking some teams to add or change their processes and daily habits, so you need the management team and all the managers to back the project fully.
The information security team doesn't just have a control role. Instead, it participates in the strength of the product and growth in the interest of the business and employees.
CEO & Co-Founder @PayFit
Do compromises have to be made to be certified?
Clearly, when you decide to strengthen security processes, you have to give up some of your agility. More processes are put in place, especially for relationships with third parties—e.g. providers and partners. Now, when we work with a new service provider, we need to be assured of the security guarantees they provide. If they are certified, the process is speedy. If they aren't, then it takes longer.
I actually believe that this is hugely positive and I don't see it as a sacrifice. First of all, including security in your growth activities and in the company's organisation is essential, especially when handling sensitive data such as PayFit does.
Second, you have to know how to find the right balance between agility and security. For us, the balance is leaning towards agility and innovation but with total security.
People need to take steps as quickly as possible, but not at all costs. Before starting any project, there is now a very clear line that we toe.
Guillaume's advice for a smooth start to the certification process
1. Do things in the correct order: do not start the certification process if security has not been a strategic issue before. The standard is there to approve an already-existing system. If you go ahead without a system in place, you'll have too much catching up to do.
2. There must be a will to commit the company to security issues on a long-term basis:
- involving the founders and management in the process enables all the teams to be involved;
- make security a structural challenge for the company. These are not just boxes to be ticked; security is a daily issue that is integral to all operations.
3. Provide for an adequate budget: real and mock audits, support, tools, etc.
4. Put in place the tools necessary to receive the standard: a centralised management tool for managing equipment securely (JAMF at PayFit) or background checks for new employees that may not have been done previously (diploma, identity, previous experience).
5. Carry out a mock audit: this allows you to take stock of your situation and identify what needs to be improved before the big inspection.
6. Train your teams:
- have at least one person certified as an ISO 27001 auditor;
- train all employees in security.
7. Provide communication on security issues: generally, people think that security only means confidentiality. For developers and tech roles, it means integrity. However, not many consider the last part: availability.
Ensuring that our application, product and service are available is very much part of guaranteeing security. The ISO 27001 certification also includes a business security and incident response section.
8. Make your certification visible:
- display the logo in email signatures;
- dedicate a page to security guarantees on your site;
- make sure your sales teams know about it. This is an asset that can be a key factor when potential customers are choosing their provider.