March 03, 2016
A CTO’s View of the Journey to ISO 27001 Security Certification
Today, we announced our ISO 27001 certification, a major milestone and the culmination of a company-wide effort. ISO certification validates how serious Clari is about the security of our customers’ data and provides our current and future customers with the comfort of third-party recognition.
Our Data Security Journey Started Early
Our journey to certification by the International Organization for Standardization (ISO) has been long. Our commitment to data security dates back to our founding. Because we believe in the importance of selling, we know the value of sales data. As a co-founder and CTO, I took responsibility for leading the effort and security has always been vital to our entire team. From our earliest days, we continually reviewed our infrastructure to close potential security gaps.
At the same time, customers told us they would be more comfortable if our efforts were endorsed by a neutral third party, preferably a standards body, such as ISO. So we embraced ISO 27001 certification of our Information Security Management System (ISMS) as a critical step in earning the right to serve more customers.
A New Chapter in Our Security Governance
The decision to get ISO certification opened a new chapter in our security effort. We defined a year-long plan to achieve certification. To learn from best practices, we hired a consultant to educate us, picking EKKO Consulting, a group that supported certification of several respected technology and SaaS application providers. And we created an ISMS management team to lead the process. After that team completed a thorough review of our production environment, policies, and procedures, they authored a Risk Assessment Report with a comprehensive list of security gaps and the associated risks.
The ISMS management team then drafted a plan to remediate the risks and obtained approval and support from senior management to execute their plan.
The Risk Remediation Plan … and Actions
The ISMS team’s plan had four key elements:
- Draft a master set of policies and procedures
- Train all employees in security procedures
- Create and execute mitigation plans for all security loopholes identified through manual penetration tests, automated scans, and static code scans
- Measure and continuously improve
We also established formal ISMS management team meetings, with meticulous tracking of minutes. To support the effort, Clari took advantage of the latest team collaboration tools, such as the Confluence content management system, for tracking changes through multiple versions of documents and documenting the history and execution of decisions.
Turning a Disruption into an Advantage
We moved to a larger corporate headquarters right in the middle of our security certification effort. What first looked like a disruption gave us the opportunity to upgrade our physical security — a big part of ISO certification. The upgrade included a modern visitor check-in process using Envoy, an advanced security camera setup, and multi-level access control into our data center network and server room.
We Were Ready for Third-Party Security Evaluation
When our plan was complete, we invited BSI Group Inc., the leading business standards company, to conduct an audit of our ISMS compliance. Their audit had two stages:
- Stage 1 audit: evaluation of policy and procedure documentation
- Stage 2 audit: deep analysis of compliance
Thanks to the efforts of our ISMS management team, our experienced consultants, and our entire team, we passed the certification audits with zero adverse findings. Kudos to the Clari team for achieving this milestone.
Looking Ahead: Data Security Never Ends
Our ISO 27001 certification is merely our first step in ensuring the most secure data environment for our customers. We established a Capabilities Maturity Model (CMM) for each of the ISO 27001 control groups, and will strive to attain the highest CMM levels. Moreover, we expect to participate in industry-approved security initiatives such as CloudTrust security and SOC2 SSAE 16 certification.
I hope a glimpse into our data security journey and regimen inspires your own efforts and offers a useful starting point. We will be publishing a security-oriented whitepaper on various aspects of our production environment. If you would like a copy, please click here to let us know. And if data security concerns were standing in the way of you learning how advanced sales analytics and forecasting can improve your selling, our new security certification makes this an ideal time to take a look.