May 13, 2016

Last Updated on January 18, 2024

As an ISO 27001 Certified Lead Implementer living in Atlanta, GA, I hear a lot of people talking about Financial Technology (FinTech) companies, but I don’t hear enough discussion about ISO 27001. I’d like to change that by illustrating how the ISO 27001:2013 standard can be used to make cybersecurity an asset based on recommendations from Alyne, a security, risk management and compliance service provider.
In Part 3, I’ll cover how ISO 27001 addresses Alyne’s three tips for cyber capabilities that can become an asset: social media policy, access management processes and alignment with standards.
Tip 1: Social Media Policy
Alyne says: Developing a social media policy helps prevent leakage of information and can foster positive interactions with customers.
How ISO 27001 Compliance Can Help
Control A.13.2.3 Electronic messaging
This control provides guidance for appropriately protecting information involved in electronic messaging (e.g., corporate email, faxes, voice mail, file transfer services and blogs) and for obtaining approval prior to using external public services such as personal email, instant messaging, social networking or file sharing.
Tip 2: Access Management Processes
Alyne says: Having effective access management processes in place can be a real asset for growth—and can also mitigate significant risks by defining robust access revocation processes as well.
How ISO 27001 Compliance Can Help
Security controls category A.9 User access management
The controls in this category provide guidance for the following:

  • User registration and de-registration: A formal user registration and de-registration process should be implemented to enable assignment of access rights.
  • User access provisioning: A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.
  • Management of privileged access rights: The allocation and use of privileged access rights should be restricted and controlled.
  • Management of secret authentication information of users: The allocation of secret authentication information (e.g., passwords and PINs) should be controlled through a formal management process.
  • Review of user access rights: Asset owners should review users’ access rights at regular intervals.
  • Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Tip 3: Alignment with Standards
Alyne says: One major requirement for doing business with highly-regulated financial institutions is complying or aligning with industry standards. [Growing FinTechs] can be more attractive to banks by aligning their organizations to industry standards such as the ISO/IEC 27000 family for Security Management or COBIT 5 for IT governance.
How ISO 27001 Compliance Can Help
Clause 4.2 Understanding the needs and expectations of interested parties
Compliance with this clause of the standard requires organizations to identify the information security requirements of their customers and other interested parties (e.g., business partners). Information security requirements may include legal and regulatory requirements and contractual obligations.
Control A.18.1.1 Identification of applicable legislation and contractual requirements
This control provides guidance for identifying and documenting all relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet them for each information system. Specific controls and individual responsibilities to meet these requirements should also be defined and documented.
Clause 4.4 Information security management system
Compliance with this clause of the standard requires organizations to establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of the ISO 27001 standard.
Clause 6.1.3 Information security risk treatment
Compliance with this clause of the standard requires organizations to determine all controls that are necessary to implement the information security risk treatment option(s) chosen to manage risk. Organizations can design controls as required, or identify them from any source, such as ISO 27002, COBIT 5 or the Center for Internet Security’s Critical Security Controls.
To discuss how ISO 27001 certification could help your FinTech firm create business value from its cybersecurity capabilities, as well as explore scope and cost considerations, contact Pivot Point Security.