How secure are you really?

In today's digital world, we often worry about “information overload”. Our lives are increasingly spent in the digital realm, wading through endless streams of content and information. In this environment, remaining secure is more important than ever. As individuals, we want to protect ourselves. We change our passwords regularly, and we investigate suspicious login attempts when they occur. Today, there are many methods of authentication to help keep us safe and secure.


Warning! Without Steam's security, I wouldn't have caught the suspicious logins.

Companies worry about security too. In the field of IT, the importance of information security is well understood. At Nota, security is of paramount importance. In the course of my research, I came across a security certification method known as ISO 27001. I vaguely remembered reading something about it in the past, but that was the extent of my knowledge. What exactly is ISO 27001? And why does it have such a specific numbered name that looks like it needs rounding out? To find out more, I spoke with Hyunho Shin (Infra Team), Hayoun Jun and Suna Lee (ILC (IP/Legal/Compliance) Team).

Thank you for meeting with me today.

Frankly speaking, I am still a little bit in the dark. What exactly is ISO 27001?

Hayoun: ISO 27001 is an international standard for information security. It sets out the specification for an effective information security management system, or ISMS. It helps organizations to best manage and protect their information assets in the digital world.



How would you explain this in layman's terms?

Hyunho: You can think of it like a visa. When we travel abroad, we often need a visa to enter a specific country. To obtain a visa, we have to prepare documents and certifications that meet specific criteria. Once this threshold is met, we are given a visa to indicate we can be trusted and that we are traveling legally. ISO 27001 certification works in the same way. Once a company obtains ISO 27001 certification, it has proven that it has met specific information security management standards. But just like visas, certifications have expiration dates, and need to be renewed periodically.


South Korean passports bypass visa requirements in 126 countries.  ISO 27001 certification works in a similar way. (Source: Passport Index)

So, if a company obtains certification, it can streamline information security validation?

Hayoun: Exactly. I'll give you a real-world example from our business unit. When someone makes a new application to the Ministry of Science and ICT, or local government, the administration there requests various company security documents. Without prior certification, there is a laborious back and forth with numerous documents and other corroborating pieces of evidence, much like when we first apply for a travel visa. ISO 27001 certification bypasses all of this, making new applications easier, and allowing us to work more efficiently, focusing on what really matters.



Where does the name come from?

Why is it 27001, and not 27000, which appears more logical?

Hyunho: It's simply down to the order of things. ISO 27001 belongs to the ISO/IEC 27000 family, which comprises international standards for information security. ISO 27001 is simply one certification in a long line of many. After ISO 27001, there is ISO 27002, ISO 27003 and so on.


The ISO/IEC 27000 family includes information security standards by ISO and IEC.

So, it all works together as one?

Hayoun: Precisely. Information security is directly linked to personal data protection, and so on. In the field of AI, it is crucial for all employees to be aware of the importance of personal data, and to be able to develop diligently with this in mind. This is the value of ISO 27001: it prevents the leak of any personal information to the outside world, maintaining security at all times.



Do these certificate acquisitions aid Nota's credibility and reputation regarding information security?

Hayoun: Yes. At Nota, we primarily manage our security reinforcement around two principles: i) how well prevention measures are implemented, and ii) how quickly we can respond to an incident. As mentioned earlier, Nota's AI solutions often deal with a lot of sensitive personal information, and we do everything we can to keep that data secure. ISO 27001 is the recognized gold standard for security, and helps protect us against any potential intrusion. In the unlikely event that a security incident or data breach occurs, our rapid response team is always on hand to minimize the damage and quickly reestablish our security.



Why did you decide to use ISO 27001 certification above all others?

Hayoun: Nota operates in the global market, so it made sense to opt for an internationally recognized certification. ISO 27001 satisfies the requirements for 93 different security items, from organizational, to personnel, physical and technical control. In each instance, it passes rigorous assessment and verification by certification bodies.



💡 At a glance, four categories of ISO 27001 certification, provided by Suna.

1️⃣ Organizational Controls
We assess how information security procedures are performed within our organization. (including, but not limited to, establishing information security policies, role and responsibility assignments, incident management plans, etc.)

2️⃣ People Controls
We ensure that every staff member understands, and complies with, information security regulations. (including, but not limited to, reviewing the qualifications of information security personnel, drafting information security agreements, conducting information security awareness training, etc.)

3️⃣ Physical Controls
We verify whether our organization's physical facilities and hardware meet security requirements. (including, but not limited to, installing CCTV at entry points, implementing access restrictions to server rooms, equipping emergency response devices, etc.)

4️⃣ Technological Controls
We confirm that our organization's systems and technology operate securely. (including, but not limited to, checking server security vulnerabilities, performing data backups, verifying security solutions and firewall configurations, etc.)

93 different items?!

Suna: It's a lot, isn't it? It goes to show why it's such a sought-after certification. But in fact, not many domestic IT startups have obtained it; it's primarily held by large corporations or companies engaged in large-scale businesses.



So why did Nota, an IT startup, decide to obtain it?

Suna: We have big plans! We want to be a globally recognized company. We already operate subsidiaries in the United States and Germany, and have worked with NVIDIA and ARM. Though there are domestic certifications like ISMS in Korea, with our ambitions it made more sense for us to think globally, and to obtain the internationally recognized ISO 27001.



I agree. It sounds like ISO 27001 is a worthwhile investment.

Are there any other areas of your business that you believe will benefit going forward?

Hayoun: I would have to say NetsPresso. Our obligation to protect information begins the moment a lightweight model is uploaded to our platform. Models could potentially contain sensitive customer information, or even trade secrets, so we are aware of our security responsibilities at all times, applying rigorous security at every stage. Additionally, Nota's DMS and ITS solutions also handle private personal data on drivers, pedestrians and vehicles. Going forward, it stands to reason that these services will benefit from ISO 27001.



Nota ITS must handle information for pedestrians, drivers, and vehicles concurrently.

The more I learn about ISO 27001, the more I realize how comprehensive it is.

Was it a challenge to get everything up and running?

Suna: It helped that Nota was already compliant with the General Data Protection Regulation (GDPR) in Europe, so a lot of the legwork had already been internally implemented. That said, it wasn't all plain sailing; there was a lot of preparation to complete before we could obtain the certificate. Our work at Nota involves managing a lot of sensitive personal information and data, so it was crucial that we took our time to diligently work through what needed to be done in order to meet the required safety standards.



The ISO 27001 Avengers! From left to right, Suna, Hyunho, Hayoun, ILC team leader Sukin.

If you have any further insights or comments, please share them.

Hyunho: Throughout the process of obtaining our certification, the awareness of security within the company has increased. I've witnessed more proactive interest and participation in information security matters, which I expect to proliferate as we continue to share information and work together to improve our organization.
Hayoun: I have also noticed a change. Not only in R&D, but throughout the company, which helped us achieve the required criteria for ISO 27001 certification. It's important that everyone at Nota is aware of our responsibilities, and the importance of information security.
Suna: This is just the beginning. There are ongoing security challenges and processes we need to maintain, not to mention certification renewal down the line. As Hayoun and Hyunho have noted, everyone at the company is increasingly aware of our security responsibilities, so I am positive about the future. Let's work together to help Nota's technology spread around the world.
As I confessed at the beginning of today's interview, I didn't have a clear idea about the significance of ISO 27001. I knew that it pertained to security, but that was the extent of my knowledge. Thanks to Hyunho, Hayoun and Suna, I am now much more informed, and I understand the importance of security and security certification as it relates to the day-to-day work at Nota.
Wrapping up, I would like to express my gratitude once again to Hayoun, Hyunho and Suna for talking to me today, and for breaking down difficult technical concepts and language into something I could easily understand. Thank you!