In order to protect our employees, customers, partners, and company,  we need to have a good view of the information security risks in our organization.

Therefore we need to have and maintain an information security management system, with clearly defined and documented policies, processes, procedures, and organizational structures.

To implement that system, we use ISO 27001:2013, an international standard designed for companies like ours, to use as a reference and guideline. Effective security is a team effort, and a successful ISMS requires participation and support from all employees and partners. Only then can we assure our colleagues, customers, and partners that their information is safe with us.

General Introduction

Information Security Management System (ISMS)

When it comes to keeping information assets secure, Sofico relies on the ISO/IEC 27000 family.

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.

Using them enables us to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

Acceptable Use Policy

We handle a lot of proprietary and sensitive information. To keep that information safe, we need to protect it from unauthorized use and misuse.

That is why ISO 27001 requires Sofico to have and enforce an acceptable use policy. One that restricts access to authorized users only. And ensures that those users know their security responsibilities, and act accordingly.

At Sofico, we take the necessary precautions to secure our devices and protect our systems against security breaches. And we ensure incidents get reported when information security could be compromised.

Document Classification System

We handle a lot of documents every day. Some can be shared freely, even on social media. But others contain information that could damage our company, colleagues or customers if it got into the wrong hands.

That is why ISO 27001 requires us to have a document classification system that clearly defines the different classification levels, according to a risk rating.

Each level takes into account legal requirements, business needs, and the potential consequences if the document was leaked.

The system also includes clear guidelines on how to handle and protect each document according to its classification level.

Network Security

A security breach can happen in many ways. And our network is a likely target. That is why ISO 27001 requires Sofico to have and enforce a clear network security policy.

At Sofico, we take many precautions to protect our network from unauthorized access. And authorized users only have the bare minimum of access and privileges that they need to perform their job.

In addition, we ensure that our information is protected when it’s being transferred, used in electronic messaging, or involved in application services passing over public networks.

Human Resources Security

Sofico has many employees and contractors. Each one of them has the potential to cause a security breach. That is why ISO 27001 requires companies like ours to enforce a clear HR security policy.

We perform a background check for every candidate before employment and include security responsibilities in their contract.

During employment, our management ensures that every employee understands and follows security policies and procedures. If someone would commit an information security breach, we have processes in place to take the necessary steps.

And after employment, access rights are promptly revoked and the security, privacy, and propriety responsibilities remain valid.

Security in Development

As a software development company, we use many different systems, applications, and services. If our software is not up to information security standards, it could lead to a security breach at our customers.

That is why ISO 27001 requires companies like ours to enforce a secure development policy.

We establish a secure software development lifecycle and apply security engineering principles throughout the process. We test security functionalities during development and protect our test data, particularly personal information.

We closely monitor changes to software packages and follow strict acceptance testing procedures when updating our systems or implementing new ones.

Compliance

We have many legal and contractual obligations. Failing to meet these obligations could affect our information security.

That is why ISO 27001 requires companies like ours to ensure compliance with clear policies and procedures.

At Sofico, security responsibilities are clearly defined and allocated. We take the necessary measures to protect our records, particularly personal information.

Every agreement with a supplier or external party addresses security requirements, and we monitor compliance with those requirements.

We also have regular independent compliance reviews within our company, and routinely review our information systems.

 

Equipment

We use a lot of equipment, and if it gets lost, stolen, or compromised, it could threaten our information security.

That is why ISO 27001 requires Sofico to assess the risks of unauthorized access and environmental threats and to protect our equipment accordingly.

We not only perform regular maintenance, but we also prepare for possible power failures or other disruptions caused by supporting utilities.

In addition, we safeguard our on- and off-site equipment closely. Before disposing of or reusing storage media, we double check that it is wiped clean.

​​​​​​​Incidents

We do everything we can to ensure our information security.  But incidents might still happen. That is why ISO 27001 requires Sofico to have and enforce a clear security incident policy.

Employees and contractors report any observed or suspected security weaknesses in our systems. Once an incident is reported, we have procedures in place to ensure a quick, effective response, and to gather the necessary information to serve as evidence.

In addition, the gained knowledge from security incidents is used to reduce the likelihood or impact of future incidents.

Physical Security

We take many digital security measures to keep our information safe. But the physical security of the Sofico offices and facilities is just as important.

That is why ISO 27001 requires companies like ours to define clear security perimeters. And to protect areas where sensitive or critical information is handled.

We monitor every access point and restrict entry to authorized personnel only. Employees that work in secure areas follow clear rules and procedures.

In addition, we take the necessary precautions to protect our locations from malicious attacks, accidents, and environmental damage.

Precautions

A good information security means preventing security breaches, accidents, and more. But it also means being prepared for the worst. That is why ISO 27001 requires companies like ours to take the necessary precautions.

At Sofico, we take the necessary steps to detect and defend against malware. We have backup copies of our information, software, and system images, and we know and address the technical vulnerabilities of our information systems.

In addition, we ensure the availability of our information processing facilities through redundancy. And we have processes in place to ensure business continuity in case of crisis.

User Security

At Sofico, information is handled by many different users. Each of these users could pose a risk to our information security. 

That is why ISO 27001 requires companies like ours to monitor access rights closely. And to ensure that each user knows their security responsibilities when it comes to passwords and authentication.

Sofico enforces a clean desk and clear screen policy. And we have clear rules for the installation of software.