Can you tell us about what the ISO 27001 certification is?
The ISO 27001 certification is an externally audited award that Wejo has successfully attained. It confirms that all our systems and processes comply with an internationally recognised standard for the management of information security; this is known as an Information Security Management System or ISMS. The ISO 27001 Standard is risk based, which means that Wejo has established comprehensive processes for measuring and managing risk within our ISMS.
Is this an industry standard certification?
The ISO 27001 Standard is not mandatory for any industries in terms of compliance; however, obtaining and maintaining an internationally recognised Standard of this calibre demonstrates that an organisation has excellent management control over information security and the associated risks involved. It also demonstrates a level of commitment on the part of the certificate holder. For example, Amazon Web Services (AWS) and Microsoft both hold ISO 27001 certificates, so Wejo in many ways is aligning its standard operating practices with some of the largest global tech companies.
Wejo already has Cyber Essentials and IASME security certifications – what does ISO 27001 bring to the table?
The certifications that you mention, IASME and Cyber Essentials Plus, are both control-based certifications that are externally audited. This means that they are very prescriptive in terms of the controls that auditors are checking; for example, a control may be that strong passwords are enforced or that firewall rules are correctly implemented. So holding those certificates confirms that those specific controls have been adequately implemented.
ISO 27001, on the other hand, is risk based, and as such a persuasive Standard. So in this case, the external auditors are not necessarily checking that a pre-defined set of controls is all in place, but rather whether Wejo has defined our own control requirements to reduce risk to an acceptable level. They also assess whether there is an internal audit and risk function continually measuring the performance of those controls, assessing risk levels, driving remediation, and making Senior Management aware of the company risk posture.
So, the IASME and Cyber Essentials prescriptive control-based certifications and the ISO 27001 risk and process-based certification are very much complementary to one another.
What does it mean for Wejo?
For Wejo it means that our Board of Directors and Executive teams can be assured that the organisation is operating an effective and efficient information security management system. It also confirms that our risk posture is known and articulated and that we are operating on a par with our global tech counterparts. Having ISO 27001 certification demonstrates that all our employees understand the importance of information security and are all aware of our personal, and the company's, responsibilities in this space.
What does the certification mean for data buyers or providers?
All of our business partners can be assured that Wejo takes its Information Security responsibilities very seriously. Having ISO 27001 certification demonstrates that we are committed to ensuring internal excellence and that we are a trustworthy and diligent business partner in that respect.
Our technology platforms are exclusively cloud based, so we share the responsibility for security with our cloud partners, like AWS and Microsoft Azure. It's therefore important that Wejo demonstrates that our approach and commitment to security, trust and privacy matches or exceeds that of our cloud providers.
In summary, attainment of the ISO 27001 certification demonstrates internal excellence and fosters trust with our business partners at all levels. At Wejo we don’t just ask our partners to trust us, we demonstrate why they can be comfortable placing their trust in us.