A journey of trust: Why C3 Solutions has gained its ISO 27001 information security certification
C3 Solutions is proud to announce we have received our ISO 27001* certification. This certificate demonstrates that our organization meets the highest standards for information security.
Why is this important? Cyber attacks are quickly becoming one of the principal threats facing businesses. In 2022, cyber attacks increased by 38 percent around the world, according to Check Point Research. Their research found that attacks are being driven by smaller, more nimble hacker groups who try to exploit work-from-home environments and the collaborative tools people use to make them work.
Proactive approach
It didn’t take this piece of news for C3 to start being proactive about security, however. The journey to achieving ISO 27001 started about five years ago, says Pascal Landreville, our vice-president strategic planning, compliance and chief information security officer.
At that time, security threats were growing and new data security regulations like the General Data Protection Regulation (GDPR) in the EU were coming into effect, in addition to the California Consumer Privacy Act and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – which were in place already. Landreville explains that these developments really highlighted for C3 that it was time to be proactive and put their security processes to the test by gaining the certification.
Becoming ISO 27001 certified was an involved process of assessing risks, documenting policies, making sure they were meeting needs, and then ensuring that staff were all on board and aware of their importance. The process also included an inventory of all assets involved, along with an assessment of any vendors. It took about two years of intensive effort to get it all done, he says. After everything was done, there was an internal audit, and when that passed, the official audit was conducted by the certifying organization.
Big rewards
And the rewards are huge. Primarily, the certification is a clear demonstration to customers and prospective customers that C3 is serious about security. It means that they can have every confidence that their data and their business will be protected when they deal with C3 and use its products.
“It gives us a competitive edge,” says Marie Couture, C3’s security analyst. “For a customer having to choose between two companies, if one is ISO certified, they are most likely going to go with that one.”
In addition to the risk management processes that the certification guarantees, it also ensures business continuity by requiring a disaster recovery strategy, Couture notes. And when customers have confidence in the company’s abilities, it makes for better relationships. “It provides evidence that the company takes security seriously and can be trusted with sensitive data, which can lead to like an increased collaboration or better business opportunities,” she adds.
The certification also helps C3 avoid extra work when completing security questionnaires for proposals and project bids, Couture says. Having ISO 27001 can automatically let the company skip over hundreds of questions in these surveys, saving hundreds of hours a year.
Recipe for growth
Having certified processes in place also sets C3 up for growth, Landreville says. “Putting all of those policies, procedures, and processes in place allows you also to bring in new people more easily. It makes the onboarding process easier, and it ensures everyone follows the same processes because they're documented. And it helps us grow by having better defined processes in general.”
And while C3 has just received the certification after all the preparation and audits, everyone knows it’s an ongoing process, with annual reviews and constant vigilance that procedures are being followed. A security and compliance team, composed of senior execs and Couture, meets every two weeks to review progress, and staff is regularly given refresher training to keep them up to date.
When C3 embarked on the journey to achieving the certification, it was always about doing things properly, he adds: “We do like to stay ahead of what's happening in the industry, thanks to our visionary people. We were not doing it for the paper, we're doing it because we wanted to be secure, and reduce our risk of exposure to security attacks.”
The ISO 27001 is a third-party validation that “we are doing the right thing,” Landreville says. “And it works. We haven't had an incident in the last five years since we've started that journey.” Ultimately, it means “customers can kind of rely on this independent validation as evidence of our company's commitment to information security,” Couture concludes.
*The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is made up of over 12 standards that are meant to help organizations bolster their information technology security by establishing a robust information security management system (ISMS). Once implemented, the ISMS helps to reduce and remove risks associated with people, processes and technology.