A CTO's View of the Journey to ISO 27001 Security Certification

Venkat Rangan headshot

Venkat Rangan
CTO, Clari

Published

Updated

Ready to take your revenue to new heights?

Today, we announced our ISO 27001 certification, a major milestone and the culmination of a company-wide effort. ISO certification validates how serious Clari is about the security of our customer's data and provides our current and future customers with the comfort of third-party recognition.

Our Data Security Journey Started Early

Our journey to certification by the International Organization for Standardization (ISO) has been long. Our commitment to data security dates back to our founding. Because we believe in the importance of selling, we know the value of sales data. As a co-founder and CTO, I took responsibility for leading the effort, and security has always been vital to our entire team. From our earliest days, we continually reviewed our infrastructure to close potential security gaps.

At the same time, customers told us that they would be more comfortable if our efforts were endorsed by a neutral third party, preferably a standards body such as ISO. So we embraced ISO 27001 certification of our Information Security Management System (ISMS) as a critical step in earning the right to serve more customers.

A New Chapter in Our Security Governance

The decision to get ISO certification opened a new chapter in our security effort. We defined a year-long plan to achieve certification. To learn from best practices, we hired a consultant to educate us, picking EKKO Consulting, a group that supported the certification of several respected technology and SaaS application providers. And we created an ISMS management team to lead the process. After that team completed a thorough review of our production environment, policies, and procedures, they authored a risk assessment report with a comprehensive list of security gaps and the associated risks.

The ISMS management team then drafted a plan to remediate the risks and obtained approval and support from senior management to execute their plan.

The Risk Remediation Plan and Actions

The ISMS team's plan had four key elements:

  1. Draft a master set of policies and procedures
  2. Train all employees in security procedures
  3. Create and execute mitigation plans for all security loopholes identified through manual penetration tests, automated scans, and static code scans
  4. Measure and continuously improve

We also established formal ISMS management team meetings, with meticulous tracking of minutes. To support the effort, Clari took advantage of the latest team collaboration tools such as the Confluence content management system for tracking changes through multiple versions of documents and documenting the history and execution of decisions.

Turning a Disruption into an Advantage

We moved to a larger corporate headquarters right in the middle of our security certification effort. What first looked like a disruption gave us the opportunity to upgrade our physical security—a big part of ISO certification. The upgrade included a modern visitor check-in process using Envoy, an advanced security camera setup, and multi-level access control into our data center network and server room.

We Were Ready for Third-Party Security Evaluation

When our plan was complete, we invited BSI Group Inc., the leading business standards company, to conduct an audit of our ISMS compliance. Their audit had two stages:

  • Stage 1 audit: evaluation of policy and procedure documentation
  • Stage 2 audit: deep analysis of compliance

Thanks to the efforts of our ISMS management team, our experienced consultants, and our entire team, we passed the certification audits with zero adverse findings. Kudos to the Clari team for achieving this milestone.

Looking Ahead: Data Security Never Ends

Our ISO 27001 certification is merely our first step in ensuring the most secure data environment for our customers. We established a capability maturity model (CMM) for each of the ISO 27001 control groups, and will strive to attain the highest CMM levels. Moreover, we expect to participate in industry-approved security initiatives such as CloudTrust security and SOC2 SSAE 16 certification.

I hope a glimpse into our data security journey and regimen inspires your own efforts and offers a useful starting point. We will be publishing a security-oriented whitepaper on various aspects of our production environment. And if data security concerns were standing in the way of you learning how advanced sales analytics and forecasting can improve your selling, our new security certification makes this an ideal time to request a demo now.