Whispli Is Certified ISO 27001
Since early February 2018, Whispli is ISO 27001 certified – the global standard for Information Security.
In a context of constant threat where data of businesses can be exposed, we are committed at Whispli to make our processes and services evolve and not only follow with best practices but exceed them by going the extra mile.
We are well aware of the risks linked to sensitive data and we protect our customers and users’ information.
What is ISO 27001?
ISO 27001, it’s a global standard that empowers our business to improve its overall information security posture.
Our friend at Aptible, Chas describes it particularly well: think of ISO 27001 as a baseline for good security management processes. “We take security seriously” is a cliche. Many developer teams know they would benefit from an organized approach to security, but don’t know where to start. Hiring someone full-time for security is a stretch for small teams, and managing security just gets more complex as you scale.
Teams seeking ISO 27001 certification need to be organized. Like most of the major information security protocols (SOC 2, HIPAA, PCI, etc.), ISO 27001 requires:
✔︎ Proactive risk management, instead of just reacting to bad things as they happen
✔︎ Planning ahead for security and setting appropriate security improvement goals
✔︎ Writing down the rules for how security is supposed to work for your system (in policies and procedures)
✔︎ Training your workforce on those rules, with advanced training for those with more security responsibilities
✔︎ Training for and responding to security and availability incidents, including breaches
Most teams will end up investing in secure software development practices, such as test coverage, continuous integration/continuous deployment, code review, vulnerability scanning, penetration testing. On a practical level, you’ll probably get serious about MFA, require everyone to use a password manager, start using mobile device management to secure laptops and phones, do criminal background screenings, etc.
How does Whispli’s ISO 27001 certification benefit you?
Some organizations claim to be ISO27001 "compliant". Beware of the scam: anyone can claim they “comply” or are “consistent” with any of the ISO standards.
The gold standard is a certification performed by an “accredited” certification body, or auditor. Being “accredited” means the auditors have themselves been audited against an ISO standard for how they conduct audits and certifications.
You can download our ISO27001 Certificate.
Getting organized about security helps us protect your data.
It is above all a set of process: it is constantly put back into play, it’s an ongoing mission. With developer teams, big issues can arise from seemingly little things – ISO 27001 certification means we’ve thought this through, put controls in place and mitigate any pending risks.
Every day, we improve our platform to satisfy our customers’ needs. This doesn’t change the way you use Whispli – but for us, it means a permanent involvement in risk control and security.
✅ Oh – and we're also GDPR compliant. There are not yet certification body for GDPR ; once it's available, we have no doubt we'll easily get certified.
What does it mean for Whispli?
At Whispli, we are protected from loss, theft or alteration of data – not only by securing our IT systems against intrusions and threats. We put in place good practices to complement these technical measures, for a 360° security:
✔︎ A set of IT Security policies covering all items of the Statement of Applicability of the standard + Incident and Asset Registers
✔︎ Risks and threats for Whispli are identified, assessed and managed. Risk mitigation strategies are set for all residual items & our workforce is trained and knows how to respond to security and availability incidents, including any sort of breaches
✔︎ Audits – both internal and external. 3rd party audits are carried out on a regular basis and they including penetration testing minimum once a year (+ sometimes on requests from our clients), code review, vulnerability scanning
✔︎ General best practices, such as clean desk policy, session timeout, logout from computer whenever an employee leaves it, etc
