The average HR department manages a wealth of valuable and sensitive personal data: from birth dates to addresses, national insurance numbers to bank account details.
As an HR professional, you’re legally obliged and morally responsible to protect your employees’ data. If it’s lost or stolen, it can be used by criminals to commit and fund serious crime. In the worst cases, a person whose personal information has been stolen or misused may find it difficult to obtain loans or credit cards, get a mortgage, or even be accused of financial crimes themselves.
It isn’t just individuals who can suffer from their personal data being either lost or stolen. The legal ramifications for a company that fails to have adequate safeguards in place to keep personal data safe are huge – including massive financial fines and irreparable damage to their reputation.
For those reasons, it’s crucial every business has the right safeguards in place to maintain robust HR data security. This is where using ISO27001 compliant HR software can really help.
What is ISO27001?
Jointly published by the International Organization for Standardization and the International Electrotechnical Commission, ISO27001 is an auditable international standard on how to manage information security. It can be used by businesses of any size from any industry.
It provides a framework that helps organisations protect information in a systematic way through the adoption of an Information Security Management System (ISMS): a set of policies, procedures, processes and systems that manage information risks.
Why is it important that my HR software is ISO27001 certified?
Although an ISO27001 certified HR system won’t stop criminals trying to access sensitive personnel data, and won’t prevent every data breach (an employee unknowingly getting caught in a phishing scam, for example), it shows that the supplier takes data protection seriously and has appropriate processes and procedures in place to correctly handle, manage and process data.
ISO27001 certification demands that businesses have robust infrastructure and processes in place to ensure data is stored and processed in an appropriate manner. If your HR software provider’s product is ISO27001 certified, it’s an excellent sign that the company is taking your data security seriously.
How does an HR software system become ISO27001 certified?
Because ISO27001 is an exceptionally tough standard, it usually takes around 6 to 12 months from start to finish to complete the initial certification, although this depends on variables such as available resources, experience with the standard’s requirements and the involvement of key stakeholders.
For an HR software solution to become ISO27001 certified and compliant, the software provider will generally follow these steps:
- Appoint an implementation team responsible for the system meeting all ISO27001 certification requirements
- Establish the scope and objectives of the information security management system (ISMS)
- Develop an implementation plan
- Identify the core security processes and procedures required to meet the standard
- Document and implement the processes and procedures in accordance with the controls stipulated in the standards
- Establish a risk management process which involves identification, assessment and treatment of potential risks
- Provide appropriate training for staff, which can take the form of one-off sessions and regular refreshers
- Have the ISMS certified as ISO27001-compliant. This must be undertaken by an external auditor from an accredited National Certification Body, such as the British Standards Institution (BSI).
- Measure, monitor and review the processes and policies. This is to ensure that the ISMS remains fit for purpose and ISO27001 compliant. This is also an ongoing requirement that doesn’t stop when certification is achieved, and full re-certification inspections must be undertaken every 3 years.
What are the key benefits of ISO27001-certified HR software?
In today’s data-driven world, the protection of sensitive information and data security should be of paramount importance to everyone. This is especially true of those who handle and process data, such as HR software providers and HR professionals.
By choosing an ISO27001 certified HR software solution, you’ll be ensuring that your company’s sensitive data is stored and processed in a proper manner. This will significantly reduce the risk of a data breach or data-related incident, which could be both costly and damaging to your company’s reputation.
Companies that offer ISO27001 certified products are also regularly audited by an accredited body to ensure they remain compliant – it certainly isn’t a ‘fire and forget’ exercise!
What are the risks of not having ISO27001 certified HR software?
If the system you select isn’t certified, you can’t be sure the supplier has the correct measures in place to protect data, from either a GDPR or an ethical standpoint. As an HR professional, it’s your duty and legal responsibility to ensure it does.
What security features should I look out for when choosing HR software?
When it comes to choosing the right HR software solution for your business, there are several security features you should look out for. These include:
- Data encryption – Is data encrypted both at rest and in transit? Could important information – such as dates of birth or bank details – be intercepted during transmission?
- Role-based permissions – Does it offer controlled access to sensitive data? Can it restrict viewing or editing of data depending on user roles and user locations?
- Ongoing penetration and vulnerability testing – Is this done by an independent third-party provider? How often does it take place?
- An extensive backup and disaster recovery procedure – Does it have a thoroughly tested recovery process?
- Secure sign-on – Does it support single sign-on and two-factor authentication? Are stored passwords protected with a strong password-hashing algorithm?
Thinking about making the switch to HR software?
If you’re thinking of switching to a new HR software solution, we have a number of helpful guides that can help you to make the right choice for your business. Just follow this link to learn more.
About the author
Sarah Griffiths is Cezanne HR’s Compliance Manager and has over fourteen years of IT and technology industry experience, including working on a range of compliance standards such as ISO9001, ISO14001 and ISO27001.
She has excellent knowledge and experience of compliance issues, auditing and risk management. As a professional, Sarah is focused on assisting clients with meeting their regulatory compliance and information security objectives related to implementing Cezanne HR’s solution and will continue developing and maintaining our ISO27001 accreditation.