Top Cybersecurity Tips for FinTech Companies—and How ISO 27001 Can Help (Part 2 of 3)

March 31, 2016

Last Updated on January 13, 2024

As an ISO 27001 Certified Lead Implementer living in Atlanta, GA, I hear a lot of people talking about Financial Technology (FinTech) companies, but I don’t hear enough discussion about ISO 27001. I’d like to change that by illustrating how the ISO 27001:2013 standard can be used to provide some key capabilities to minimize risk for FinTech companies as recommended by Alyne, a security, risk management and compliance service provider.
In this Part 2, I’ll cover how ISO 27001 addresses Alyne’s three tips for risk mitigation: vendor management, penetration testing and business continuity management.
Tip 1: Vendor Management
Alyne says: Formalize your contracts, make sure you are using secure vendors and regularly check that their security capabilities haven’t changed.  Also, make sure you clearly understand the “Shared Responsibility” limitations of your particular service providers and for which security controls you remain fully or partly responsible and you cannot hold them liable.
How ISO 27001 Compliance Can Help
Security controls category A.15 Supplier relationships
The controls in this category provide guidance for the following:

Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets should be agreed with the supplier and documented.
Addressing security within supplier agreements: All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
Information and communication technology supply chain: Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.
Monitoring and review of supplier services: Organizations should regularly monitor, review and audit supplier service delivery.
Managing changes to supplier services: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Tip 2: Penetration Testing
Alyne says: Highly recommend having a security professional penetration test your application(s). For this check, the tester will act as a hacker and try to gain access to your service with either no prior knowledge (black box test) or some prior knowledge of the system setup (white box test). The test report will provide transparency of current weaknesses with recommendations on how to mitigate them. This approach should be formalized in further development cycles and extended to such topics as secure development training for your development team and secure source code analysis.
How ISO 27001 Compliance Can Help
Control A.18.2.3 Technical compliance review
This control provides guidance on how systems should be reviewed for technical compliance using software and automated tools; how vulnerability assessments and penetration tests should be planned, documented and repeatable; and how competent, authorized persons should perform or supervise technical compliance reviews.
Tip 3: Business Continuity Management
Alyne says: FinTechs should develop plans to deal with more basic disruptions such as, what to do if a provider fails, you have been hacked, an executive’s laptop is lost, half your staff quits or part of your platform fails. Understanding the impact to your company and having continuity strategies defined can significantly reduce your risk. For these processes to be effective, you will also need to test and train your responses to incidents.
How ISO 27001 Compliance Can Help
Security controls category A.17 Information security continuity
The controls in this category provide guidance for the following:

Planning information security continuity: The organization should determine its requirements for information security and the continuity of information security management in adverse situations; e.g. during a crisis or disaster
Implementing information security continuity: The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Verify, review and evaluate information security continuity: The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

To discuss how ISO 27001 certification could help your FinTech firm reduce security and compliance risk, as well as explore scope and cost considerations, contact Pivot Point Security.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Top Cybersecurity Tips for FinTech Companies—and How ISO 27001 Can Help (Part 2 of 3)

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security