Stitch secures ISO 27001 ISMS certification
Stitch has secured ISO 27001 certification for our information security management practices. Audited by a globally recognised and leading certification body, we secured this certification to ensure that our client and customer data and information remains safe when they work with Stitch.
What is ISO 27001?
ISO 27001 is the globally recognised international standard that outlines best practices for an Information Security Management System (ISMS). This certification ensures that compliant businesses take necessary steps to protect their information systems and the data they work with - which is particularly critical in the payments space.
The standards follow a risk-based approach, where everything done to protect data is based on a comprehensive risk assessment and prioritisation framework.
Why is ISO 27001 important?
There are several reasons businesses should consider ISO 27001 compliance, including:
Practical security benefits: The risk-based approach of ISO 27001 encourages businesses to think about information security risks across all aspects of their operations and helps identify security gaps that might otherwise be overlooked.
Building trust with customers: Especially in the payments space, trust is critical. This certification demonstrates Stitch’s commitment to security at a globally recognised standard, which can significantly enhance customer confidence and means the enterprise clients we serve can feel safer sharing their personal and financial information.
Regulatory compliance: ISO 27001 is not a requirement for regulatory and compliance certifications in South Africa, but it helps in establishing a comprehensive Information Security Management System (ISMS) while providing a framework that aligns with international regulatory requirements, particularly across EMEA.
For example, key elements of the recent SARB Directive in respect of cybersecurity and cyber-resilience within the national payment system are largely aligned with ISO 27001. This means that with this certification we are already aligned with this future SARB directive.
0-3. General information: Introduction, scope, normative references, terms and definitions
4. Context of the organisation: Create the ISMS Scope that sets the boundaries of your system and the applicability of the controls
5. Leadership: Top management must document a Policy Statement and communicate it to employees and clients
6. Planning: Establish, measure and monitor objectives based on risks and opportunities
7. Support: Establish, implement and maintain the ISMS based on: Competence, Awareness, Communication, Documented Information and Records (that must be kept)
8. Operation: Risk treatment plan and risk assessment report to mitigate the risks that might arise as a result of your company’s scoped operations
9. Performance evaluation: Establish a procedure for monitoring and measurement, with records kept of the results, and a documented process for performing internal audits and management reviews
10. Improvement: Act on the findings of the evaluations covered in Clause 9 to correct nonconformities and continually improve the ISMS
What does this certification mean for Stitch’s ability to better serve our clients?
The ISO 27001 certification is a testament to our focus on information security at Stitch; maintaining high security standards remains a key aspect of our culture, not an add-on.
When a merchant selects a PSP, as part of the evaluation process, due diligence reviews must be performed to minimise supplier risk. This certification makes it simpler for merchants to perform due diligence checks on Stitch because it shows that a rigorous external security audit has already been performed on our business, and that we will be reviewed annually.
However, not all ISO 27001 certification audits are the same. It’s possible that some auditors might provide an ISO 27001 certificate more easily than others. We purposely partnered with a globally recognised and leading certification body that rigorously audits the standard. This ensures that we’ve built a high-quality information security management system.
What is the impact these certifications have on the industry as a whole?
The ISO 27001 standard is fundamentally a risk-based framework for information security management systems. These certifications help all organisations in the financial services industry decrease the risk of information security compromise.
It takes cooperation across the industry to keep financial information safe. Many organisations are involved in enabling even a single payment to be processed. All these organisations represent possible points of compromise and therefore need to implement security measures to protect the processes they are responsible for. Broadly adopting standards like ISO 27001 in the industry will significantly help protect the end users we are serving with security excellence.