Cybersecurity is a matter of utmost importance in edtech. Learners, teachers, parents, schools, governments and other stakeholders want to ensure that learner data is safely stored and learners are protected from digital risks. But if you decide to purchase software or services from a third party to add to your edtech offering, how do you evaluate its security?
Many organizations undergo a build or buy decision process: do we buy that component from elsewhere or build it ourselves? Security is a big piece of that puzzle.
The truth of the matter is that any organization can claim to be secure. But to live up to its claims, it has to consistently and regularly consider the risks and threats it faces and put in place comprehensive measures to mitigate them—and, crucially, have an independent third party review its security.
The ISO 27001 standard helps companies adopt a standardized way of managing these risks. Although working with a supplier who has earned a 27001 certification does not guarantee security, it is evidence that the supplier has made serious efforts to put in place secure processes and environments.
ISO 27001 is a management system standard published by the International Organization for Standardization. It requires organizations to set up an information security management system, which is a framework of documents, policies, controls and procedures that enable them to evaluate security risks systematically and consider the confidentiality, integrity and availability of their data. A key focus of the standard is that it requires ongoing, continual improvement over time.
To be certified against ISO 27001 (as Learnosity has been), an organization defines a scope. Usually the scope is the whole of the organization’s activities, but sometimes the scope can be a part of an organization’s activities.
An accredited, independent certification body then conducts a detailed onsite audit of the organization and its management system. These audits are taken very seriously, and if the organization has many locations, then there are usually visits to each of them. An ISO 27001 certification is usually valid for 3 years with annual reviews and audits.
Be wary if someone claims to be ISO 27001 compliant or conformant, but not certified. You should expect certification, since without independent review the statement is not very meaningful. Also, make sure that it is the organization itself that is certified—not just their hosting supplier or data center.
If an organization claims to be ISO 27001 certified, you can verify the claim by doing the following:
You don’t need a non-disclosure agreement in place to view the certificate but one may be required to see the statement of applicability.
ISO 27001 is not just applicable to third parties. It could also be useful to consider for your organization. Whether or not you buy in external services, you need your core software and systems to be secure.
Undertaking ISO 27001 certification is fairly expensive in terms of time and bandwidth.
Whereas the actual audit costs tend to be moderate, the staff time to set up the information security management system and the procedures and policies within an organization can be substantial. There are also ongoing compliance costs and requirements.
If you are considering it, it could be worth getting a consulting or auditing company to do a preparedness evaluation/gap analysis to determine how much work is needed. It probably only makes sense if your organization has a genuine, long-term commitment to security and plans to continue the certification/attestation over time. You also need top executive approval and commitment.
While costly, obtaining ISO 27001 certification ultimately confers great value. It shows customers and stakeholders (including learners and teachers/schools/instructors) that an entity takes security seriously and will look after their valuable data. Perhaps most importantly, being ISO 27001 certified requires that an organization complies with best practices in security. It will make a security failure less likely and, should one occur, allow it to be remediated more easily.