What is ISO Certification? ISO Meaning and BigCommerce’s ISO 27001 Achievement

At BigCommerce, we were ecstatic to receive the ISO/IEC 27001:2013 certification. However, unlike winning an Olympic gold medal in downhill skiing or a Nobel Prize in economics, not everyone may immediately know why we’re so excited about it or what the value in having an information security standard certification means to our customers.

In this deep dive, we’ll look at:

1. What ISO certification actually means,
2. Who the ISO is and what they do,
3. Who provides tests for ISO security, and ultimately,
4. What it means for your ecommerce store.

What is ISO Certification?

First of all, ISO stands for International Organization for Standardization. This is the organization that develops and publishes standards for organizations internationally. However, it is not the organization that actually does the certifying (more on that below).

The ISO was founded in 1947 when delegates from 25 countries met in London at the Institute of Civil Engineers with the intention of facilitating international coordination on industrial standards. Today, the group is composed of members from 164 countries working together to develop the ISO standards.

What exactly do we mean by standards? According to the ISO website, they create the “documents that provide requirements, specifications, guidelines, or characteristics that can be used to consistently ensure that materials, products, processes, and services are fit for their purpose.”

ISO certification means a business has:

• High quality management systems,
• Data security,
• Risk aversion strategies, and
• Standardized business practices.

ISO-certified businesses have to undergo a strict conformity assessment through testing and inspections by a third party group specializing that standard. Businesses who pass these assessments demonstrate that they have achieved the particular associated standard.

By achieving a certification, it provides consumers and other stakeholders with confidence in the business’ systems and ensures that the relevant security, health, or environmental conditions are being met.

What Does ISO 27000 Specialize In

The ISO has published more than 22,000 standards on everything from health and safety to food management to sustainable development. They give businesses in every sector something to adhere to as they align their technology and practices to ensure a measurable, consistent level of quality.

The ISO/IEC 27000 family of standards concerns best practices for managing secure data, such as financial information, intellectual property, or really any information entrusted to a business by third parties.

ISO/IEC 27001:2013, within that family of standards, specifies the requirements for “establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.” 

The ISO/IEC 27001:2013 certification is the only auditable international standard that defines the requirements of an information security management system. Businesses such as BigCommerce that are certified ISO/IEC 27001:2013 demonstrate an adherence to these best practices for stringent data security and security management systems. Here are a few examples of what that includes.

1. Secure data.

As explained above, the ISO/IEC 27000 standards creates regulations that help define what a secure information security management system looks like. Securing the data that is present throughout your systems is one of the most rigorous achievements in the SaaS industry.

2. Risk management.

Risk management for large companies is hard to fully plan out and often requires a structured approach. There are separate standards specifically dealing with risk management (ISO 31000), but ISO 27000 still applies in terms of how securing data can ensure less risk to a business from data breaches. ISO certification means that a company has laid out plans for risk management and is doing an exemplary job of maintaining security and minimizing risk.

3. Safe business practices.

Since the ISO 27000 standards deal with best practices in information security systems, compliance with IT and security related standards must be checked off across the board to achieve ISO 27001:2013 certification. Overall, this certification proves that a company is acting in a professional and ethical manner, planning for the future, and respecting data privacy and security.

BigCommerce’s ISO 27001 Certification Explained

Now that you have a general idea of what ISO certification — and particularly ISO/IEC 27001:2013 — means, let’s dive into the process for certification: what hoops were jumped through and what boxes were checked to prove that BigCommerce is maintaining the utmost in information standards.

Once you understand the whole rigorous process and the standards that must be achieved, it will become more clear why BigCommerce is one of only a very few SaaS ecommerce platforms to achieve this certification.

To get the certification, businesses must go through a six-part planning process that includes all of the following.

1. Security policies.

The business must provide specifications that detail their security policies, including  documentation, who is responsible for management, and how internal audits are conducted.  BigCommerce has met or exceeded standards for defined security policies.

2. ISMS scope.

The second part of the planning process defines the scope of the information security management system seeking certification. The ISMS needs to show continual improvement and corrective and preventive actions that have been taken to ensure the highest security. The scope and roadmap of the BigCommerce ISMS has met or exceeded the necessary standard.  

3. Risk assessments.

In order to best manage and prevent risks, the business in question must assess all potential risks. BigCommerce has assessed the risk in its organization and has met or exceeded standards.

4. Identified risks.

Again, the best way to mitigate risk is to be aware of it — to limit unknown unknowns and bring any potential liabilities out into the open. BigCommerce is currently managing identifiable risks to ensure customer security and satisfaction.

5. Select control objectives.

The 27001 standard does not mandate specific information security controls, however, it does suggest specific control objectives that should be met. BigCommerce take this seriously and has met the required security objectives.

6. Statement of applicability.

Once going through the first five steps of the process, BigCommerce applied for ISO/IEC 27001:2013 certification and received it!

What This Means for Our Customers

The reason BigCommerce chose to pursue this rigorous certification process is for the value it can then provide to our customers. This certification demonstrates our commitment to information security, compliance, and regulation practices. This provides our customers with the peace of mind in regards to all of the following:

1. World-class site security.

Ecommerce sites can’t afford to have subpar or inconsistent security. When building your ecommerce site on the BigCommerce platform, you can rest assured that your site will stay up and stay safe.

2. Safeguarded IP.

Of course, while your customer data is incredibly important to protect, it’s not the only sensitive information in your system. By working with a platform that values information security and has a proven credential for it, you can be confident that any intellectual property on your site is kept safe within BigCommerce’s systems.

3. Protection against DDoS attacks.

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic flow and functioning of a website by overwhelming the server or network. Because BigCommerce has added additional security measures and best practices in place, you don’t have to be worried about a DDoS attack on your site or ours.

Who Provides Tests for ISO Quality?

As mentioned above, the ISO provides the standards, but they do not actually provide certifications for assessments of whether or not a business has met those standards. Instead, they have a committee, CASCO, that deals with conformity assessment.

In order to actually get the certification, a business must go through a third-party certification group that meets the necessary CASCO standards.

1. Cybersecurity advisory groups.

Cybersecurity groups run websites and backend systems of companies through rigorous testing to see if there are any holes in the system that could allow a breach. BigCommerce’s certification was completed by the cybersecurity advisory group Coalfire ISO. Coalfire ISO is a qualified ISO 27001 certification body that ensures BigCommerce’s compliance with applicable security laws, regulations, and standards.

2. Third-party QA organizations.

After the cybersecurity advisory group assesses and addresses risks, a third-party QA organization can then ensure that a company has met all required standards for policies, procedures, processes, and systems that manage any kind of information flowing through the business. BigCommerce was evaluated by an independent QA organization that ensured we have “established a formal set of policies, procedures, processes, and systems that manage information risks for its digital and physical presence.”

The certification process and follow-up QA is not a one-time deal. It’s a three-year commitment of continual process audits performed every six months to make sure BigCommerce is staying in compliance and completing our risk improvement plans.

Why ISO 27001 Matters for Ecommerce Shops

The importance of data security in ecommerce cannot be overstated. Customers of online stores are relying on those stores to keep their sensitive payment and personal data safe. When their trust in a company is damaged by a security breach, it can be hard to get it back.

According to research by IBM Security and the Ponemon Institute, the average cost of a data breach to a business is $3.86 million globally. In the U.S., the average price per breach is even greater: $7.91 million.

Here are some of the things that can be lost if a business doesn’t take safety and security seriously and maintain (or work with a platform that maintains) a systematic approach to managing sensitive information.

1. Payment security.

When processing hundreds or even thousands of customers’ payments, you’ll need a system that is heavily secured so no important information slips out. There is a reason why ecommerce businesses are the most frequently attacked industry. They’re a popular target for hackers because they hold so much information like their clients’ credit and debit card data. Your site is the safekeeper of that sensitive information, and it’s vitally important that you maintain the highest security standards to protect it.

2. Customer information.

Payment information isn’t the only sensitive data you have on your customers that hackers may be interested in. Customer information like names, addresses, phone numbers, and email addresses can all be at risk when hosting on an unsecure site.

3. Customer trust.

Customer trust throughout the buyer journey is an important part of your overall customer experience. You want your customers to have a strong feeling of trust in your brand. Losing that trust can send them to your competitors. Letting customers know that you have their best interest at heart is the best way to keep long term customer relationships. By choosing a platform with ISO/IEC 27001:2013 certification, you can assure your customers that they’ll be safe throughout every part of your site.

Conclusion

BigCommerce was excited to announce our ISO/IEC 27001:2013 certification this spring because it represents a great deal of work in making sure our processes and technology are in line to mitigate risk and secure data for our customers.

More importantly, it demonstrates our commitment to make information security one of our utmost priorities. This is something that every merchant should consider when choosing or adopting a platform for eCommerce. Nothing should be left to chance, or risk, and evaluating a platform for its security posture, commitment and certification should be a requirement.

Ecommerce is a huge — and still growing — industry expected to reach $604 billion in sales by 2020. As more and more people put their faith in online stores to protect their data, you can’t afford to have an insecure site.

Keep your customer data and intellectual property safe by building on a platform that is both ISO/IEC 27001:2013 and maintains the highest levels of PCI compliance.