ISO 27001 Certification: What it is and why it matters

Last updated at Thu, 18 May 2023 16:40:15 GMT

Did you know that Rapid7 information security management system (ISMS) is ISO 27001 certified? This certification validates that our security strategy and processes meet very high standards. It underscores our commitment to corporate and customer data security.

What is ISO 27001?

ISO 27001 is an internationally recognized standard for information security management published by the International Standards Organization (ISO). It details requirements for establishing, implementing, maintaining and continually improving an ISMS.

ISO 27001 is focused on risk management and taking a holistic approach to security. Unlike some standards and frameworks, ISO 27001 does not require the implementation of specific technical controls. Instead, it provides a framework and checklist of controls that can be used to develop and maintain a comprehensive ISMS.

It is one of more than ten published standards in the ISO 27000 family. It is the only standard among them that an organization can be certified against.

To become ISO 27001 certified, an organization must:

• Systematically examine its information security risks, taking account of the threats, vulnerabilities, and impacts.
• Design and implement a coherent and comprehensive suite of information security controls and risk avoidance measures.
• Adopt an overarching management process that ensures the information security controls continue to meet the organization's information security needs over time.

Then, the ISMS must be audited by a third party. This is a rigorous process, which determines whether the organization has implemented applicable best practices as defined in the standard. Certified organizations must undergo annual audits to maintain compliance. Rapid7’s ISMS was audited by Schellman.

Why does ISO 27001 certification matter?

Rapid7 is committed to helping our customers reduce risk to their organizations. ISO 27001 certification is one way that we demonstrate that commitment. It is worth noting that certification is not a legal requirement, rather, it is proof that an organization’s security strategy and processes meet very high standards. Rapid7 believes that maintaining the highest standards of information security for ourselves and our clients is essential.

As noted above, ISO 27001 provides a framework to meet those standards. That framework is based on three guiding principles to help organizations build their security strategy and develop effective policies and controls: Confidentiality, Integrity, and Availability.

• Confidentiality means that data should be kept private, secure, and accessible only by authorized individuals.
• Integrity requires that organizations ensure consistent, accurate, reliable, and secure data.
• Availability means systems, applications, and data are available and accessible to satisfy business needs.

Rapid7’s security strategy reflects these principles. Our platform and products are designed to fit securely into your environment and your data is accessible when you need it—with full visibility into where it lives, who has access to it, and how it is used. When you partner with Rapid7, your data stays safe. Period.

For more information about the policies and procedures Rapid7 has in place to keep our data, platform, and products secure, visit the Trust section of our website.