Memority is certified ISO 27001 and ISO 27701

On December 25, at 10:33 a.m., I discovered a nice surprise under my CISO virtual Christmas tree. It wasn’t completely a surprise, nor was it a real gift, although it made us all happy. It was rather the result of many months of hard work at Memority. Also, it wasn’t Santa who left this surprise there, but Certi-Trust, the certifying company.

In the package were two beautiful brand new certifications for Memority:

  • ISO 27001, which attests to our excellence in information security management,
  • and, much rarer, ISO 27701, which also validates our mastery of the personal information management system.

Following their audit at the beginning of December, our certification auditors confirmed and stamped that we were compliant with both standards. This recognition is a great reward for all of Memority’s staff, who can take pride in this result, achieved within the deadlines promised, especially to our clients (before the end of 2024).

With these certifications, our customers and partners will see their (already strong) confidence in our ability to protect their data and assets further strengthened.

A major investment

Obtaining these two certifications represented:

  • a little more than 20 months of project work from my entire team (in particular Léa Zerah but also our interns Loïck Chagneau, Adrien Barbier, Paul Ledoux and Arthur Teste), assisted of course by the whole Memority staff;
  • 341 pages written and published inside and outside the company, constituting 9 security policies, 11 security standards and a crisis management manual. One of these documents is already in its 17th version!
  • 272 pages of documentation, processes, and follow-up materials on our internal wiki;
  • 1542 permanent control instances triggered;
  • 2 internal audit missions.

Why is this important?

I recall a meeting with representatives of the ANSSI a few months ago, where our interlocutors, leading experts in offensive security, smiled kindly at the mention of ISO 27001, reminding us of what we regularly say: being certified does not mean being secure.

They are right, of course: ISO 27001 is not intended to guarantee full security.

However, this remark reflects a primarily technical vision, focused on threats and vulnerabilities, whereas the standard plays a more global role. ISO 27001 does not only deal with operational aspects. It ensures that Memority is structured, organized and ready to approach all aspects of information security rigorously, while committing to continuous improvement.

The auditors went further and specified in their report an impressive number of strengths:

  • the involvement of leadership and management (an executive committee that closely follows all security topics and includes the CISO among its members, that’s what involvement is all about);
  • good document management (including its accuracy and contextualization to the company… indeed, at Memority, the security policies are not written by ChatGPT);
  • vulnerability management (I warmly thank our platform security pilots for their involvement in the permanent treatment of this strategic topic);
  • the principles of secure development (the CSSLP certification of our senior devs is not just decoration);
  • the control plan (despite its very thankless nature);
  • the reaction to non-conformities and continuous improvement (when our auditors arrived in the morning, action plans to correct the remarks of the previous day were already being executed… I can understand that it may be surprising).

A great project that paves the way

It is therefore a beautiful project that is coming to an end, and we can be proud of it.

But this is only the beginning. I wrote last month in the editorial of the “petit serrurier”, Memority’s internal security newsletter, that obtaining the ISO 27001 certification was a bit like reaching level 60 in an online multiplayer role-playing game: it’s not an end but rather a first step; it’s where it all really begins.

So, even if there is no truce in cyberspace, we have well deserved a glass of Champagne to celebrate our success. Then we will resume our work with the same enthusiasm, in the same state of mind; it’s Memority’s DNA anyway…

Aymeric Berrendonner
CISO - Memority