activpayroll Journey to ISO 27001 Certification

activpayroll officially achieved ISO 27001 certification on the 12th August 2019.

The certification confirms that activpayroll's Information Security Management System (ISMS) officially meets the requirements of the international standard for information security.

ISO 27001 is an internationally recognized standard for information security that takes a risk-based approach. ISO 27001 certification provides customers and partners with verification that appropriate controls are in place to protect valuable information and to maintain its confidentiality, integrity and availability at all times.

The scope of activpayroll's ISO 27001 certification incorporates key business functions including Global Payroll, Global Mobility, UK Payroll, IT, Technical Implementation, Contracts & Commercial, HR, Finance and Marketing. The colocation Data Centre facility utilized by activpayroll is already independently certified to the ISO 27001 and ISO 22301 standards.

activpayroll began the journey to ISO 27001 certification early in 2019, engaging with Certification Europe, a UKAS accredited certification body, to undertake the certification audit of its ISMS.

ISO 27001 audits are carried out over 2 stages:

  • Stage 1: The Stage 1 Audit assesses whether all the mandatory requirements of the standard are in place; this includes all the mandatory elements of the framework as well as the mandatory documentation required by the standard.
  • Stage 2: During the Stage 2 Audit, the auditing team carried out a full review of the ISMS including assessing the overall effectiveness of the information security management system, verifying that documented policies and procedures are working in practice and assessing the effectiveness of the controls selected as per the Statement of Applicability. During the Stage 2 Audit, the auditing team conducted interviews with employees across the business including operational staff and top-level management.

Following a successful Stage 2 Audit, the auditing team provided a recommendation for certification and their findings were reviewed by the decision-making panel. Following successful completion of this process the certificate was issued.

Information security is of paramount importance to activpayroll and there were two main drivers behind the decision to invest in this information security program and go down the route of ISO 27001 certification:

  • To further improve the overall global information security program at activpayroll and to provide a robust framework to meet both current and potential future threats, as well as ensuring the company is well equipped to meet its contractual and legal obligations regarding information security and data privacy
  • To provide assurance to our customers and partners that, by having activpayroll's information security program externally verified and certified to a highly respected international standard, activpayroll have appropriate controls in place to protect their important information assets

activpayroll's information security program has been subject to regular external audits for a number of years, including annual SOC 1 Type 2 Audits, a triennial BACS Audit, regular penetration testing of external systems and frequent audits by customers and partners. Having an ISO 27001 certified Information Security Management System brings a number of other benefits, including:

  • Demonstrating the commitment from the activpayroll Board of Directors to the continuous improvement of its information security management system
  • Demonstrating activpayroll's commitment to taking an ongoing risk-based approach to information security
  • Helping achieve compliance with global privacy laws including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018
  • Providing assurance to customers as well as their regulators and respective auditors that appropriate information security controls are in place within their supply chain
  • Adopting a strong culture for information security and promoting information security awareness across the organization

activpayroll are fully committed to maintaining compliance with the ISO 27001 standard and have engaged with Certification Europe to carry out biannual surveillance audits of its ISMS to ensure compliance is maintained and the ISMS demonstrates continuous improvement throughout the certification lifecycle.

If you have any questions relating to information security or data privacy at activpayroll, or would like to understand more about activpayroll's ISMS, please contact:

David McLeod

activpayroll Information Security Officer

+44 (0)1224 860800