Hello everybody, and welcome to our new blog post series where we will share our experience of working towards the certification of our information security management system.
I would like to introduce myself briefly. My name is Andrés Méndez Barco and I am the Chief Information Security Officer (CISO). I’ve been working in the cybersecurity arena for over 20 years in different positions and countries, and now my main goal is to bring Event Store to the best position on cybersecurity in support of our core business: EventStoreDB.
Event Store has considered information security a must-have from its inception. In fact, our database allows companies to record everything that happens in their business. It’s similar to a log system, and that in itself is a crucial element of information security: keeping evidence.
If we have always had security in our DNA, do we really need a certification? What has changed?
To ease EventStoreDB adoption, we have started to offer our database as a managed service, where we keep the system up and running (with all the parts that it requires) and our customers just have to use the database, enjoying all the benefits of a managed service solution.
But once we do that, we are involved in our customers’ data confidentiality, integrity and availability. Those are the three pillars of information security. Because of that, our customers ask us to comply with the same security requirements that they must fulfil, for business, regulatory or legal reasons.
How can our customers trust that we are following security best practices? There are different approaches here. One is for each customer to audit our security model themselves. A better one is to have an independent third party conduct that audit, and then share the results with our customers.
We've taken the second approach, as it has the most benefits:
- we can assure our customers that we are applying security best practices,
- we don’t have to go through an audit every time a new customer wants to check our security posture,
- neither we nor our customers have to invest so heavily in audits,
- the customer gets a quicker response,
- the customer can trust that our security system is maintained over the years,
- and many more.
Which certification is the best one for us?
When we talk about being reviewed by a third party, there are multiple options available. They depend on the market, the country, the business…
For example, there is ISO 27001, which is well recognised internationally, but mainly in EMEA and APAC.
For the US, the one which is more widely used is SOC 2, as its examination is performed by a CPA firm, often the same accounting firm that audits a company’s bookkeeping.
To better satisfy our customer requirements, we have decided to obtain both ISO 27001 certification and SOC 2 report by the end of 2021.
Strictly speaking, SOC 2 is an attestation report, not a certification, but to keep things simple we will use “certification” to mean passing both the ISO 27001 and SOC 2 audits successfully and obtaining the certificate and the report.
What have been our initial steps?
We want to share with you all the process we've gone through to achieve our goal, hoping that this will be useful for other companies who wish to do the same.
There is no single road to achieving the certification. The path can be different for each company, as each company is different, but many of the steps will be common to most of them.
Define an ISSB
In a company, you must protect the information. This can mean different things depending on the company. For Event Store, even before creating Event Store Cloud, this included:
- Our employees’ personal data: Yes, as a company, the first data you have to take care of is that of your employees, according to the GDPR.
- Our users’ personal data: A user is someone who has no paid relationship with our company, for example the users of our forum or GitHub. Yes, according to the GDPR, we have to treat their personal data appropriately.
- Our customers’ personal data: A customer is someone who has a paid relationship with our company, for example those with a Support contract. Yes, again, according to the GDPR, we have to treat their personal data appropriately.
- Our source code: Yes, our software is open-source, but that doesn’t mean that we can allow anyone to modify whatever they want in our code and introduce malware.
- Our confidential data: Other data within the company that is not public, such as business plans, salaries, etc.
And once we decided to offer EventStoreDB as a managed service, we added to that list our customers’ data; that is, the data they store in their EventStoreDB hosted in our Cloud.
As you can see, we have only begun listing the data we handle, and already it is data managed by the Engineering Team (developers), Human Resources, the Customer Support Team, etc.
This happens because, in a company, information flows from one team to another, so multiple teams are involved in its security. That’s why the Information Security Steering Board (ISSB) was created.
The ISSB is composed of those Team Managers relevant to information security and the CEO.
Hire a CISO
Once the ISSB decided that the objective for 2021 was to achieve the certifications, they realised that the process of certification would affect the entire company.
Achieving certification requires a clear path towards it and then organising the different teams around that path, so the next thing Event Store did was hire an experienced cybersecurity professional as CISO, with expertise in the certification, who would be focused on achieving this objective.
Buy the framework books
I have been an ISO 27001 Lead Auditor for many years, and, believe it or not, I’ve audited lots of companies that didn’t have the ISO 27001 document. Those companies just trusted what their consultants told them they had to do. But that approach puts you in a fragile position when you are discussing a non-compliance with the external auditor, because when you want to prove that your approach is correct the only thing you can say is “the consultant told me to do it this way”.
I have also seen companies that only had the ISO 27001 document, and they implemented the Annex A controls without having access to their details described in the ISO 27002. That is not a good idea.
A common phrase used by cryptocurrency enthusiasts nowadays is DYOR, which stands for "Do Your Own Research". That advice is not exclusive to the cryptocurrency ecosystem. So, following it, the next thing we did was purchase ISO 27001 (which is the body of the ISMS) and ISO 27002 (which details what is required by each control), as those are our source of truth regarding the requirements.
But, if you read the small print, you will realise that you can’t share the ISO documents with other company members, meaning you can’t post the documents in your Intranet.
For us it is enough that the CISO has those documents, as he can explain to each team what the requirements are. But if different people in your company need access, then you should contact your local ISO representative and ask for a solution.
For example, in the UK it is the BSI (British Standards Institution), which offers the British Standards Online (BSOL) service for when multiple employees need to access ISO documents.
Once you have the documents you can be sure of which are the real requirements to achieve the certification. As we said before, they are our source of truth.
For SOC 2 we downloaded, for free, the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSC), which includes the March 2020 updates. Here the same thing happens as between ISO 27001 and ISO 27002: the TSC is built on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) principles and references them, but doesn’t describe them.
To be able to read the description of each control, and for the same reasons as before, we decided to buy COSO Internal Control - Integrated Framework, which is dated 2013.
Also we purchased SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, to see an example of the SOC 2 audit and report process.
I hope you found this information useful. In the next blog post, we will continue talking about the initial steps taken towards certification.