March 31, 2016

Last Updated on January 13, 2024

As an ISO 27001 Certified Lead Implementer living in Atlanta, GA, I hear a lot of people talking about Financial Technology (FinTech) companies, but I don’t hear enough discussion about ISO 27001. I’d like to change that by illustrating how the ISO 27001:2013 standard can provide key capabilities for minimizing risk at FinTech companies, following the recommendations of Alyne, a security, risk management and compliance service provider. (The control numbers below are from the 2013 edition of Annex A; the 2022 revision of ISO/IEC 27001 reorganized and renumbered Annex A, so map them accordingly if you are working from the newer edition.)
In this Part 2, I’ll cover how ISO 27001 addresses Alyne’s three tips for risk mitigation: vendor management, penetration testing and business continuity management.
Tip 1: Vendor Management
Alyne says: Formalize your contracts, make sure you are using secure vendors and regularly check that their security capabilities haven’t changed. Also, make sure you clearly understand the “Shared Responsibility” limitations of your particular service providers and for which security controls you remain fully or partly responsible and you cannot hold them liable.
How ISO 27001 Compliance Can Help
Security controls category A.15 Supplier relationships
The five controls in this category (A.15.1.1 through A.15.2.2) provide guidance for the following:

  • A.15.1.1 Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets should be agreed with the supplier and documented.
  • A.15.1.2 Addressing security within supplier agreements: All relevant information security requirements should be established and agreed with each supplier that may access, process, store or communicate the organization’s information, or provide IT infrastructure components for it. This is where the “Shared Responsibility” boundary Alyne describes belongs in writing: which controls the supplier operates, which remain with you, and what evidence the supplier will provide for theirs.
  • A.15.1.3 Information and communication technology supply chain: Agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology services and product supply chain, i.e. the supplier’s own suppliers.
  • A.15.2.1 Monitoring and review of supplier services: Organizations should regularly monitor, review and audit supplier service delivery, which is how you “regularly check that their security capabilities haven’t changed” rather than relying on the assessment done at onboarding.
  • A.15.2.2 Managing changes to supplier services: Changes to the provision of services by suppliers, including changes to the supplier’s information security policies, procedures and controls, should be managed, taking into account the criticality of the business information, systems and processes involved and re-assessing the associated risks.

Tip 2: Penetration Testing
Alyne says: Highly recommend having a security professional penetration test your application(s). For this check, the tester will act as a hacker and try to gain access to your service with either no prior knowledge (black box test) or some prior knowledge of the system setup (white box test). The test report will provide transparency of current weaknesses with recommendations on how to mitigate them. This approach should be formalized in further development cycles and extended to such topics as secure development training for your development team and secure source code analysis.
How ISO 27001 Compliance Can Help
Control A.18.2.3 Technical compliance review
The control itself requires that information systems be regularly reviewed for compliance with the organization’s information security policies and standards. The accompanying implementation guidance in ISO/IEC 27002 covers how systems should be reviewed for technical compliance using software and automated tools; how vulnerability assessments and penetration tests should be planned, documented and repeatable, and performed with caution and prior authorization because such tests can themselves compromise the security of the system; and how technical compliance reviews should be performed or supervised by competent, authorized persons. The extension Alyne recommends, secure development training and source code analysis, is addressed in Annex A by the A.14.2 controls on security in development and support processes (for example A.14.2.1 Secure development policy and A.14.2.8 System security testing) rather than by A.18.2.3 alone.
Tip 3: Business Continuity Management
Alyne says: FinTechs should develop plans to deal with more basic disruptions, such as what to do if a provider fails, you have been hacked, an executive’s laptop is lost, half your staff quits or part of your platform fails. Understanding the impact to your company and having continuity strategies defined can significantly reduce your risk. For these processes to be effective, you will also need to test and train your responses to incidents.
How ISO 27001 Compliance Can Help
Security controls category A.17 Information security aspects of business continuity management
The controls in A.17.1 Information security continuity provide guidance for the following:

  • A.17.1.1 Planning information security continuity: The organization should determine its requirements for information security and for the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
  • A.17.1.2 Implementing information security continuity: The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
  • A.17.1.3 Verify, review and evaluate information security continuity: The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they remain valid and effective during adverse situations; this is the control that makes Alyne’s “test and train your responses” an auditable requirement rather than a good intention.
  • A.17.2.1 Availability of information processing facilities (the single control in A.17.2 Redundancies): Information processing facilities should be implemented with redundancy sufficient to meet availability requirements, which is the control that speaks directly to the “part of your platform fails” scenario.

To discuss how ISO 27001 certification could help your FinTech firm reduce security and compliance risk, as well as explore scope and cost considerations, contact Pivot Point Security.