Last week we announced that Inntopia had achieved ISO 27001 certification. This is a concrete example of our commitment to the security of our customers’ data. But another example of that commitment is sometimes less obvious: the fact that we have a Director of Security and Compliance in the first place. Because that is rarer than it should be in tech circles, I sat down with Njama Braasch, our in-house Certified Information Systems Security Professional (CISSP), to talk about his role in this company and what it took to get certified.
Gregg: Let’s start with you Njama. What is your role at Inntopia and what is your role at Inntopia as it relates to ISO 27001?
Njama: First, I appreciate the opportunity to share what Inntopia has been doing internally to create world-class security around our systems and partner data.
My role at Inntopia is Director of Security and Compliance. This means that I’m in charge of creating security and compliance strategies for Inntopia, making sure those strategies are implemented, measuring their effectiveness, and course-correcting based on input from inside and outside the organization. ISO 27001 is one of those strategies.
Gregg: Some folks have seen ISO 27001 mentioned before, but most may not know what it is. Give us just a simple, high-level overview.
Njama: ISO 27001 is one of the most widely recognized and internationally accepted information security standards. Simply put, it defines how an organization should manage and treat information more securely.
Gregg: Give me a little backstory on ISO 27001. Who created it, who manages the certification process, etc.?
Njama: Sure. I’ll start with the “ISO” part: ISO (International Organization for Standardization) is an independent, non-governmental, international organization that develops standards to ensure the quality, safety, and efficiency of products, services, and systems. The ISO as an organization has external certification bodies who do the actual audit work. These bodies are governed by the standard they are certifying as well as a set of standards for doing the actual audit itself – a kind of “audit certification” if you will.
A well-known ISO standard that almost everyone has heard of is ISO 9000. Where ISO 9000 defines and certifies quality controls in the manufacturing process to a high standard, ISO 27001 defines and certifies a high level of organizational information security maturity.
Gregg: So, let’s talk about our side. First, how long have we been working on this?
Njama: We’ve been implementing the ISO standard since September of 2018.
Gregg: What are some of the steps that go into achieving this certification?
Njama: There’s quite a bit to this program; it’s comprehensive. There are 11 charters, which I like to break up into the “Plan Do Check Act” model.
At the “Plan” level, we are documenting business objectives, creating a written security program, identifying and classifying our business risk, and writing or reviewing policies to establish controls for those risks.
At the “Do” level, we implement standards and procedures which follow those policies and directly address the identified risks where appropriate.
At the “Check” level, we carefully monitor the Security Management system including incident reports, inaccurate policies, vulnerability reports, penetration test results, business risk item status changes, and success or failure of internal and external security audits.
Finally, at the “Act” stage, we take all that feedback and we tweak our system to be better. Then we begin the cycle all over again.
Gregg: What comes after the 11 charters?
Njama: In addition to the 11 charters, there is an Annex of controls. There are 114 ISO 27001 Annex A controls, divided into 14 categories. Each of these controls must be implemented within the business to satisfy the standard.
I tell you, it’s a lot of detail, but it all fits together quite nicely! I’m very pleased with the results we’ve seen while following the standard over the last year plus.
Gregg: Now let’s talk about our customers. From their perspective, what does this mean?
Njama: From the beginning, this has been partner-focused. As we began looking at ISO 27001, we quickly realized that getting certified is a way to show our customers that we are taking their information security seriously. We have always understood the importance of the controls in 27001 – and, as a result of our PCI Level 1 compliance requirement, we had most of them in place beforehand – but we did find gaps during the process. What 27001 prompted us to do was to document our process and make it more traceable and measurable.
And we’re giving our customers that added level of confidence that we’re a secure organization, not just by requirement, but by choice. The cool thing about 27001 is that, unlike some security accreditations, it’s not just about the tech. This is about the way Inntopia, our employees and infrastructure, are operating safely and securely as well. It becomes a reassurance, backed by verified third-party audit, that “We’ve got your back.”
Gregg: We’re one of the only companies in hospitality ecommerce or CRM to have this certification. Why don’t more companies do it?
Njama: That’s a great question. There are actually a couple of interesting stories here.
One of the really interesting things about hospitality ecommerce and CRMs is that they are mostly in the “stone ages” when it comes to technology growth and adoption. The standard technology mindset in this industry generally is “if it ain’t broke, don’t fix it.”
Consider also that this standard can require change to large parts of the way the business runs. For many businesses, this much change is just not worth the effort.
Gregg: What’s the other hurdle?
Njama: The other issue is that with security standards, especially ISO standards, the big players tend to adopt first, with the smaller ones coming behind. Inntopia is technically a SaaS provider that happens to specialize in hospitality ecommerce and CRM.
When you look at the larger SaaS world, most of the big players are ISO 27001 certified – SaaS providers like PayPal®, NetSuite®, eBay©, to name a few. The smaller SaaS players simply haven’t taken that step yet. The bottom line is that this is a Big Dog certification, and we are ahead of the curve.
Gregg: Any final thoughts?
Njama: It’s hard to overemphasize how significant and challenging this level of certification is. There are many organizations that adopt the ISO 27001 standard but do not certify. To adopt the ISO 27001 standard demands a mindset dedicated to organizational security excellence, backed by the full support and commitment of Inntopia’s leadership.
To actually achieve certification means that an outside certifying body has confirmed that we execute on that mindset and hit the rigorous marks set by the standard every single day. This translates to a strong, stable, secure foundation for the Inntopia platform and we’re very proud of that accomplishment.