We’ve done it!

After a long and grueling year of analyzing business processes, how we develop our product and the way we work as a company, CounterCraft is really (really) pleased to announce we’ve been granted ISO 27001 certification!

ISO 27001 is an international standard for the management of information management systems. In terms of CounterCraft it means we’ve had to define a framework of policies and procedures covering all legal, physical and technical controls for the process of managing risk.

Over the last eighteen months we’ve undertaken a massive project that has made us stop and think about things we take for granted and set up a standard-based set of procedures to detect, analyse, and mitigate risk. It has been a long and strenuous effort, but we’ve done it, and anyone says you can do it in ‘only’ a couple of months is lying…

What this covers

The scope of our ISO 27001 certification is as follows:

“Certification of the product lifecycle process including design, development, sales, installation and support within the scope of Cyber Security.”

This is what appears on our certificate and defines exactly what the certification covers. As you can see the scope is very broad and covers everything from the security controls we apply to our laptops to the way we handle confidential information — all under the umbrella of cybersecurity.

What this means to CounterCraft and you

This certification is a very important step in our development. We’re a growing company — we have global reach with offices in three countries and a widespread development team that normalized remote working before even the COVID-19 pandemic. The ISO process has given us the opportunity to streamline our business processes and look at the risks inherent in how we operate. We’re a company staffed with talented and experienced security professionals, and our vision and product development and development reflects our understanding of the cybersecurity industry, but as the saying goes, familiarity can breed contempt. Jokes aside, luckily we haven’t had to change much in the way we work, but it has been a great opportunity to formalize good habits and make a couple of workflow modifications.

As a start-up, expediency is king, leading to an “it ain’t broke, don’t fix it” style. Unfortunately, this can lead to taking risks that would be unthinkable in a more established company. An example of this is that, as we have grown, the same people have been responsible for many day-to-day operational tasks. One of the cool effects of the ISO 27001 process is that we’ve had the chance to identify these single points of failure, and mitigate the risk.

Secure development

Another of the effects of the ISO 27001 analysis of every aspect of our process is the enhanced focus on secure development. It’s not just code, and we have risk assessed our supply chain and the very structure of our development.

Nowhere is this better exemplified than in the way we have been able to react quickly to the U.S. government-led drive to demand a full Software Bill of Materials (SBOM) for security products. As part of the ISO process this is something we have already addressed.

Secure business processes

As with many start-ups, the product comes first and the business processes grow in an organic manner. We have been able to take advantage of the ISO 27001 process to analyze whether the tools and processes we use are as secure and compliant as possible. This has been formalized in an iron-clad set of processes and procedures based on risk analysis of every aspect of our business workflow; from the tools we use and the way we handle data to how we address the physical security of our employees and offices.

Customer Confidence

“Yay for CounterCraft!” I hear you cry, but so what? What does this mean for me as a customer? Well, the ISO 27001 certification is a clear demonstration that CounterCraft is a reliable, secure and risk-aware business partner. You can be sure that your dealings with us comply with a rigorous set of standard-based processes and procedures. There is security and transparency in all aspects of how we do what we do.

NIST 800-53

How does the ISO 27100 certification stack up against NIST 800-53 “Security and Privacy Controls for Information Systems and Organizations” certification? Both systems are complimentary, and where NIST leans more to specific technical controls, the ISO is more based around a risk mitigation approach. However many of the controls overlap. NIST have published a mapping that shows how the controls implemented under the ISO27001 specification relate directly to similar NIST controls. That said, CounterCraft is actively pursuing NIST certification to simplify product approval by US federal and enterprise customers.

Continuous Improvement

The process is one of continuous evaluation and improvement, and it is a sign that CounterCraft is maturing into the world-class cybersecurity company we want to be. You can trust that our goal to provide the best defensive tech on the planet is backed by a secure and robust business platform.

Next steps

To find out more about what we do, or to discover how our new ISO 27001 protects you as a customer, please feel free to get in touch!

Richard Barrell is the Product Manager at CounterCraft, as well as managing projects in the Government sector. You can find him on LinkedIn.