Did you see that Ping Identity just achieved ISO 27001:2013 certification? You can check out the details here, but I wanted to take a few minutes to explain the how and why of our ISO certification path and, more importantly, why you should care.
It’s a given today that a risk-based approach is key to managing an effective security program. Our ISO program reinforces that approach, but takes it a step further. Rather than settling for our own internal validation, we have third parties coming in to review every element of our security program. Combined with the SOC 2 report we’ve had for the past five years, which covers our secure development practices and hosted environment, we can now give our customers a third-party validated, comprehensive view of Ping’s security practices.
Implementing the ISO program has helped us to significantly broaden the scope of our security activities. Yes, we’ve always worked hard to review our security practices across our systems development lifecycle, IDaaS environment, IT and financial practices. But we’ve used the ISO program as the impetus for us to review practices in areas that might not otherwise have eyes on them from a security perspective, like marketing and sales activities, human resources and other back-office services.
A Common Language Internally
Pursuing ISO certification has given us a common language to use as we discuss security practices, both internally and externally. Key stakeholders from all over Ping now understand concepts like user entitlement reviews, user provisioning/deprovisioning and the importance of their asset inventories. It’s fantastic to be able to talk about the nuances of their department’s new employee provisioning with individual contributors from accounting, HR and marketing, and have those stakeholders understand the risk implications of the conversation.
Driving External Discussions
Similarly, being able to discuss our program in terms of the ISO framework and the standard’s Annex A controls makes our conversations with customers much easier. Because ISO 27001 is an internationally recognized standard, customers from all over the world are comfortable discussing security practices in the context of an ISO program.
Finally, the ISO 27001 standard creates the expectation and requirement that Ping’s security program is continually improving. We cannot simply set these practices in place and let them run. We must always be looking at our top risks, creating a plan to address them and executing on that plan. Further, we are now accountable for sharing those plans with an external auditor who will review our activities and make sure we’re continually pushing forward.
Our ISO certification is not an end in itself, but it is one key milestone along Ping’s security maturity journey. We will continue to invest in and enhance our security program, and we are excited to share the journey with you all. Check out more about Ping’s security program.
And reach out to our support team with any questions about Ping’s security practices or to learn more about how Ping’s products and services can help your organization create a world-class security program.