Last December, BeLazy successfully passed the ISO 27001 audits, the standard that governs information security management within organizations. In this blog post, we explain why we decided to certify for ISO 27001, why information security matters to us, and what’s in it for you.

Did we really need to certify for ISO 27001?

Most companies in the language technology industry are client-driven when it comes to certifying standards. This was definitely not our case — we had not even started trading when we began preparing for the certification. The simple truth is that as a middleware operator, we have to store a lot of information about our customers: we record several of their business transactions in our database, together with the usernames and passwords to the systems they work with.

As a matter of fact, we had to satisfy two requirements at once: ease of use and data security. The first one we handled with ease, but data security requires a totally different approach, one that is far removed from the user-experience logic we usually excel at.

BeLazy was conceived as a cloud-based system right from the start, and information security has always been part of our software development cycle. So naturally, the ISO 27001 preparation and certification process was at the core of our systems selection and technical process design. It wasn’t a client-driven request, nor an afterthought!

Basically, we wanted to certify for ISO 27001 in order to prepare for and address information security in a systematic way. Once you manage to get that done, the certification itself is a piece of cake. In fact, the audit was planned to last until 5:30 pm, but it ended at 2:30 pm, simply because we had the right answer to each question.

You may wonder: if everything was planned right from the beginning, why did we wait until December to certify? First, the standard requires you to operate the security measures for at least three months before they can be audited. But there was also another, much more mundane reason for waiting. Every business needs to be GDPR compliant when selling to other countries within the European Union (EU). Because GDPR was introduced before BeLazy was launched, we simply didn’t know how to prepare for it, even though it is also about information security. All in all, we decided to kill two birds with one stone (and in our solution, it’s ca. 98% pure information security and 2% administrative GDPR).

Was ISO 27001 costly?

Data security is definitely an investment. We spent several weeks coming up with solutions to problems that could have been solved with more compromises for less money. We had to build code scanners into our continuous integration process, implement security incident reporting in our ticketing system, and outsource password management to specialized cloud services. On the other hand, contrary to popular belief, we did not do much paperwork: most of our changes affected the systems where the stakeholders work directly.

Using the tech giants to your advantage

One of the main ideas in our security policy is that BeLazy is a small fish compared to Microsoft and Google. We rely on these two technology providers, as we use Azure and GSuite, both of which save us a lot of work.

Let’s look at the following example: our users log in to BeLazy exclusively via a Google or Microsoft account. If Google detects anything suspicious during the login process, it immediately notifies the actual user. We simply don’t have to care about two-factor authentication here, because it is already served on a plate. We also don’t store any user’s password for BeLazy, because it’s all Google or Microsoft accounts.

One may argue whether they’re evil corporations or not (actually, your passwords to your customers’ systems and your project data are stored by Microsoft, not by Google; the latter is only our login and office suite provider), but one thing is certain: they have more bandwidth to guarantee security than we do.
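Delegating login to Google or Microsoft still leaves the relying party with one job: checking the claims of the ID token it receives so that only tokens minted by those two providers, for this application, are accepted. The following is an added illustration in Python, not BeLazy’s code; it assumes the token’s signature has already been verified against the provider’s published JWKS, and the client ID, tenant ID and claim values are constructed.

```python
"""Claim checks for OpenID Connect ID tokens when only Google or Microsoft
accounts are accepted. Added example, not BeLazy's own code. The JWT
signature must already have been verified against the provider's JWKS;
these checks then decide whether the (authentic) token may be used."""
import re
import time

# Google publishes its issuer in both of these forms.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
# Microsoft identity platform (v2.0) embeds the tenant ID in the issuer URL.
MS_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")
CLOCK_SKEW = 60  # seconds of tolerance for clock drift


def issuer_trusted(claims: dict) -> bool:
    """Accept Google, or Microsoft when the issuer's tenant matches the tid claim."""
    iss = claims.get("iss", "")
    if iss in GOOGLE_ISSUERS:
        return True
    m = MS_ISSUER.match(iss)
    return bool(m) and m.group(1) == claims.get("tid")


def check_id_token_claims(claims: dict, client_id: str, nonce: str, now=None):
    """Return None if the claims are acceptable, else a short rejection reason."""
    now = time.time() if now is None else now
    if not issuer_trusted(claims):
        return "untrusted issuer"
    # 'aud' may be a string or a list; the token must be minted for *our* client ID.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        return "token expired"
    if claims.get("iat", now) - CLOCK_SKEW > now:
        return "token issued in the future"
    # The nonce ties the token to the login request that started this flow.
    if claims.get("nonce") != nonce:
        return "nonce mismatch"
    if not claims.get("sub"):
        return "missing subject"
    return None


def account_key(claims: dict) -> str:
    """Local user records are keyed by issuer + sub; e-mail addresses can change."""
    return f"{claims['iss']}|{claims['sub']}"
```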

What’s in it for you?

Even though the translation industry is quickly moving towards the cloud, there are still many concerns about storing data in the cloud. We have proactively addressed these concerns.

Let’s see two examples:

While we don’t want to publish the entire processes publicly, you may still come to us if you need further clarification on how we protect sensitive information.

Whenever you need to demonstrate information security to your customers, you can always refer to our ISO 27001 certificate. It is a widely recognized standard that resonates well with many security-conscious enterprises.

And, to conclude, here’s our certificate.
