December 31

Security for translation service providers: An ISO 17100 certificate helps with this

In Germany, many companies have security gaps that affect both their IT infrastructure and their handling of data. Translation service providers (ÜDL) are no exception. How processes and infrastructure can meet current security requirements is regulated, among other things, by ISO 17100 for translation service providers and translation agencies.

This article covers:

  • Information Security Procedures
  • When IT fails
  • Security Levels in Agreements

You can reach us by phone on +41 44 552 66 19 or send an email to Mr. Markus Kukla, head of the certification body. We look forward to hearing from you!

Don't underestimate security gaps

Information technology is still often seen as an appendage of a company, a necessary evil, a mere tool. In fact, the IT infrastructure has long been the engine, at least of day-to-day operations: nothing works today without computers and servers, and the networks must be secured accordingly. The same applies to customers' information and data, which are not intended for the eyes of third parties.

In a survey on cyber attacks, 19 percent of the 1,000 German companies surveyed stated that they had already been the victim of a ransomware attack, in which the attacker encrypts the company's files and demands a ransom for the decryption key.

But a data breach does not even have to be the goal of an attack. Attackers are still too often handed important information through unpatched operating systems, easily guessed passwords and careless handling of customer data. 46 percent of the companies surveyed have been hit by a cyber attack at least once; in most cases it was a virus or other malware.

ISO 17100 standard prescribes procedures for information security

One way to show your customers that their data is safe with you is an ISO 17100-certified process. The international standard stipulates that certain procedures for information security must be in place, and that these must be documented in detail.

The requirements of the ISO 17100 standard state:

“The ÜDL must have a procedure to ensure information security and the secure storage and, if applicable, the secure return of all materials provided by the customer.”

Time and again it is underestimated how far-reaching this requirement can be. In practice it draws on, for example, the requirements of ISO 27001 (information security management), the guidance of the BSI (Germany's Federal Office for Information Security), the implementation of the EU General Data Protection Regulation (EU-DSGVO) and industry-specific standards such as TISAX (information security in the automotive sector).

Common failings in an ISO 17100 security audit

As a recognized certifier for ISO 17100 and ISO 18587, we repeatedly find in audits that there are recurring deviations from the requirements.

For example, a list of "assets" with a risk assessment is often not available. Yet assessing risks is an essential part of any security strategy. Often it also has to be noted that the risk analysis for information security is not sufficient. This is not only about security aspects, but also about emergency management: customers want to be sure that, even if the IT infrastructure fails, their orders will be processed as promptly as possible.

An emergency plan serves this purpose and describes in detail how business operations are to be maintained. It must describe not only scenarios and risks but also concrete processes: how employees must act in an emergency, which roles exist and which measures are taken. Emergencies also include power outages, network disruptions and damage to the building.

Customer data are assets worth protecting

Documents handed to you for translation are confidential. They may be internal manuals for business processes that contain trade secrets, or contracts that nobody else should see. Finally, under the EU General Data Protection Regulation (EU-DSGVO), personal data must be specially protected; this also covers addresses and other information about customers. DIN EN ISO 17100 requires you to explain how these legal requirements are implemented and observed. This includes clearly worded documents for communicating your data protection principles externally, and information on how data is corrected and deleted.

Information Security Procedures

Part of the requirements for an ISO 17100 certificate is an information security procedure. This comprises a list of the content to be protected, a risk analysis, a resulting list of follow-up measures to increase information security, and secure data storage.

To protect data and information, you need a policy. It not only prescribes behaviour, it must also include a risk assessment of the IT infrastructure. Since assessments and regulations change constantly, these guidelines and risk assessments must carry a revision level. Only then can an auditor see when which measures came into force and whether, for example, new developments have been incorporated since a previous certification.

To comply with the provisions of ISO 17100 on protecting data, it is advisable to divide sensitive information into classes, for example:

  • Order-specific customer documents
  • Confidential Documents
  • Customer documents classified as highly confidential or secret
  • customer master data
  • Personal Data
  • Internal personnel data

For each of these classes, to be ISO 17100 certified you must carry out a risk assessment that covers the protection goals of availability, confidentiality (protection against unauthorized access) and integrity (protection against unauthorized modification). The risk assessment is usually based on the two factors "probability of occurrence" and "extent of damage".

The result of the risk assessment is a list of measures, prioritized according to the risks identified. With it you can demonstrate secure data storage and secure data transfer as part of the ISO 17100 certification.
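As an added example (not from the article or from LinquaCert), the following Python risk register implements the procedure described in this section: the information classes listed above, the three protection goals, a score of probability of occurrence times extent of damage, a revision level and validity date, a check for class/criterion pairs that have no assessment at all (the "risk analysis not sufficient" audit finding), and the prioritized list of measures. The 1..4 scale, the level thresholds, the sample threats, measures and the date are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Information classes as listed in the article.
INFORMATION_CLASSES = (
    "order-specific customer documents",
    "confidential documents",
    "highly confidential or secret customer documents",
    "customer master data",
    "personal data",
    "internal personnel data",
)
# Protection goals every class must be assessed against.
CRITERIA = ("availability", "confidentiality", "integrity")
# Assumed 1..4 scale for both factors; the page names the factors but no scale.
SCALE = range(1, 5)


@dataclass(frozen=True)
class Risk:
    """One register line: a threat to one information class under one criterion."""
    info_class: str
    criterion: str
    threat: str
    likelihood: int  # probability of occurrence, 1 (rare) .. 4 (frequent)
    damage: int      # extent of damage, 1 (negligible) .. 4 (existential)
    measure: str     # follow-up measure that reduces this risk

    def __post_init__(self) -> None:
        # Reject entries an auditor would flag: unknown class or criterion, factor off the scale.
        if self.info_class not in INFORMATION_CLASSES:
            raise ValueError(f"unknown information class: {self.info_class!r}")
        if self.criterion not in CRITERIA:
            raise ValueError(f"unknown criterion: {self.criterion!r}")
        if self.likelihood not in SCALE or self.damage not in SCALE:
            raise ValueError("likelihood and damage must be within 1..4")

    @property
    def score(self) -> int:
        return self.likelihood * self.damage  # probability x extent of damage, 1..16

    @property
    def level(self) -> str:
        """Score bands; the thresholds are an assumption, not ISO 17100 text."""
        if self.score >= 12:
            return "critical"
        if self.score >= 6:
            return "high"
        return "medium" if self.score >= 3 else "low"


@dataclass
class RiskRegister:
    """Risk assessment carrying the revision level auditors look for."""
    revision: str
    valid_from: date
    risks: list[Risk] = field(default_factory=list)

    def coverage_gaps(self) -> list[tuple[str, str]]:
        """Class/criterion pairs with no assessment at all: the 'risk analysis
        not sufficient' audit finding, made checkable."""
        covered = {(r.info_class, r.criterion) for r in self.risks}
        return [(c, k) for c in INFORMATION_CLASSES for k in CRITERIA
                if (c, k) not in covered]

    def prioritized_measures(self) -> list[tuple[int, str, str]]:
        """Measures ordered by descending risk score: the list of measures the
        assessment is supposed to produce."""
        ordered = sorted(self.risks, key=lambda r: (-r.score, r.info_class, r.criterion))
        return [(r.score, r.level, r.measure) for r in ordered]


def build_example_register() -> RiskRegister:
    """Constructed sample register; threats, scores and the date are illustrative."""
    return RiskRegister(revision="2.1", valid_from=date(2024, 1, 15), risks=[
        Risk("highly confidential or secret customer documents", "confidentiality",
             "source files e-mailed unencrypted to freelance translators", 3, 4,
             "exchange files only via the encrypted customer portal or SFTP"),
        Risk("personal data", "confidentiality",
             "one shared translation memory leaks names across customers", 3, 3,
             "separate translation memory per customer, purged at project end"),
        Risk("order-specific customer documents", "availability",
             "ransomware encrypts the project file server", 2, 4,
             "offline backups with tested restore, covered by the emergency plan"),
        Risk("internal personnel data", "confidentiality",
             "weak passwords on the HR system", 3, 2,
             "password policy plus multi-factor authentication"),
        Risk("order-specific customer documents", "integrity",
             "unauthorized edits to delivered translations", 1, 3,
             "role-based access in the CAT tool plus a change log"),
    ])


if __name__ == "__main__":
    reg = build_example_register()
    print(f"Risk register rev. {reg.revision}, valid from {reg.valid_from}")
    for score, level, measure in reg.prioritized_measures():
        print(f"{score:>2} {level:<8} {measure}")
    for info_class, criterion in reg.coverage_gaps():
        print(f"GAP: no assessment for {info_class!r} / {criterion}")
```

Running the sample register prints the measures from the critical e-mail transfer risk down to the medium integrity risk, followed by the 13 class/criterion pairs the sample has not assessed yet; in an audit, every one of those gaps needs either an assessment or a documented reason why the criterion does not apply.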

Sample ISO 17100 certificate issued by LinquaCert

Agreements with customers on data security

Your customers do not need to be familiar with the regulations that apply to ÜDL. However, they often have internal regulations of their own which you as a service provider must observe. These agreements with customers complement your own information security measures. It is important that they are recorded in writing and integrated into the project processes.

As an ISO 17100-certified service provider you often already meet these requirements, but this too must be recorded. The ISO 17100 standard states:

“The ÜDL enters into an agreement with the customer and keeps a record of this agreement. In the case of verbal or telephone agreements, the ÜDL confirms the agreement and its conditions in writing. Any deviation from the original agreement must be agreed by all parties before any action is taken.”

Benefit from the security requirements of ISO 17100

If you have your company certified according to ISO 17100, you will discover during the preparation which deficiencies exist and how to remedy them. In our pre-audits we give you tips on adapting your current processes to the requirements of ISO 17100.

That way you go into the certification better prepared, while there is still time to make improvements.

Conclusion:

With an ISO 17100 certificate you can convince your customers that security matters to you. Your company is certified according to an international standard, which also makes it easier to access new markets.

We will be happy to help you with questions about information security in the certification process. Simply contact us via our contact form or call us on +41 44 552 66 19.