Information is one of a company’s most important assets, so when it comes to information security, it’s essential not to cut corners. This is especially true if you work with information-processing applications such as an enterprise content management system (ECM). There are an array of advantages to choosing ECM software with ISO 27001 certification. Read our article to find out more.

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). It provides organizations with a model for establishing, implementing and monitoring targeted rules and procedures to ensure that their information security management frameworks are systematically optimized and updated in line with industry-specific requirements.

The main objective of the standard is to safeguard compliance with the three central protection principles of information security: confidentiality, integrity and availability. In other words:

1. Only authorized people can access certain information.
2. The information is always complete, consistent and trustworthy.
3. The information is always available (to the right people) when it is needed.

ISO 27001 requires the organization to:

• Establish clear information security guidelines
• Evaluate risk and opportunities
• Perform internal audits
• Develop suitable risk-management measures
• Establish a process of continual improvement

To demonstrate the conformity and efficacy of your information security management system in accordance with ISO 27001, it is good practice to obtain ISO 27001 certification based on the IT baseline protection (IT-Grundschutz) approach. Once your system has been successfully audited, you will receive the certificate from an independent, accredited certification body.

Certification in accordance with ISO 27001 is entirely voluntary; no company is obligated to undergo certification. Generally speaking, companies or organizations of all sizes and from all sectors can pursue certification.

In particular, ISO 27001 certification is good practice for operators of critical infrastructure. It adds a layer of reassurance that the operators fulfill all regulatory requirements applicable to IT security. Critical infrastructure in Germany includes the information technology, energy, food, finance and insurance sectors, among others.

But also companies from other industries can benefit from certification for various reasons:

• Customer demand: Some customers, especially large corporations, governmental organizations and operators of critical infrastructure, require their suppliers to be ISO 27001-certified. The aim of this stipulation is to ensure that their information stays secure and protected.
• Industry standards and regulations: Certain industries, such as finance or healthcare, must comply with detailed information security requirements. ISO 27001 certification can help meet these requirements and demonstrate regulatory compliance.
• Risk management: Organizations with a keen awareness of the importance of risk management and information security may opt for ISO 27001 certification to improve their internal processes and security controls.
• Competitive edge: ISO 27001 certification can help companies to set themselves apart from competitors, especially in industries where information security plays a central role. Certification demonstrates to potential customers that the company takes the protection of their information seriously.

An ECM system helps you to digitally capture business-relevant information, bring structure to your documents and optimize your business processes. Protecting the security of information is paramount throughout, and this extends to the security of applications, networks, databases, and more. For this reason, it is good practice when choosing a suitable ECM system to ensure it is also certified to ISO 27001. This offers myriad advantages:

1. End-to-end information protection

The ECM software captures and processes a great deal of critical and highly sensitive information that requires protecting. This can include confidential customer, business partner, supplier and employee data, which must not be lost or fall into the wrong hands under any circumstances.

With an ISO-certified ECM platform

• You protect business-relevant information against loss and misuse.
• Your trade secrets stay safe.
• You keep personal data protected at all times.

2. Mitigation of security risks and incidents

Daily business is fraught with threats to information security. For instance, technical issues with IT applications such as an ECM system can lead to costly operational disruptions, while human error can result in the loss of data. Criminal attack vectors can also cause huge financial damage if systems are hacked and data is leaked or manipulated.

With an ISO-certified ECM platform

• You can rely on a system that is continually checked, monitored and further developed.
• Vulnerabilities are identified before they become a security issue.
• You forestall and mitigate security risks.
• You minimize the impact of any security incidents.

3. Trust and transparency for customers

System certification to ISO 27001 is a holistic approach that requires transparent insight into the entire information security management system. Neither is it a one-time affair, requiring instead periodic audits and renewal procedures.

This transparent process of continual optimization also lays an important foundation for building trust — with your customers and business partners, and with the public.

With an ISO-certified ECM platform

• You demonstrate the importance you attach to information security and your willingness to invest in optimizing your IT.
• You have credible, objective confirmation of conformity to the ISO standard.
• Your customers can entrust you with their data, safe in the knowledge that you will handle it with the utmost care.
• You prevent security incidents and potential damage to your reputation.
• You increase the likelihood that customers will decide to place their trust in you (and not in the competition).

4. Legal and regulatory compliance

With an ISO-certified ECM platform

• You fulfill all legal requirements relating to information security.
• You comply with all applicable industry standards.
• You lay the foundation for adding further ISMS-related standards, such as the TISAX label (Trusted Information Security Assessment Exchange) for the German auto industry or the BAIT prudential requirements for IT (Bankaufsichtliche Anforderungen an die IT) for German banks.
• You abide by the contractual arrangements agreed with your customers and business partners.

The ISO-certified ECM system is even approved for working with customers and partners from heavily regulated sectors — with no need to furnish further evidence of conformity or undergo additional audits.

5. Competitive edge and market acceptance

ISO 27001 certification is one of the most important cybersecurity certifications in the industry and carries a lot of weight on the market. As companies become more aware of the importance of information security, many are beginning to stipulate certification as a supplier requirement.

With an ISO-certified ECM platform

• You are choosing a trusted partner.
• You can fly the flag for information security and build confidence in your brand.
• You contribute to an all-round positive company image.
• You set yourself apart from the competition and have a decisive competitive advantage.
• You don’t run the risk of lagging behind your competitors due to the fall-out from security incidents.
• You stay prepared for the future.

Good to know: SER’s software is ISO 27001-certified, meaning it meets the strictest globally recognized security standards for the protection of business, customer and employee data.

Besides ISO 27001, there are several other standards and certifications which are relevant for ECM.

SOC 2

Like ISO 27001, SOC 2 (System and Organization Controls) is a recognized, voluntary standard for information security. Whereas ISO 27001 is a widespread standard found in all industries worldwide, SOC 2 is mainly used in US businesses, particularly SaaS companies and cloud providers, as well as in finance and healthcare.

The SOC 2 compliance framework is built on five principles — security, privacy, availability, confidentiality and processing integrity — which are reviewed in regular audits. Certification is issued by the American Institute of Certified Public Accountants (AICPA).

Recommended read: We explore SOC 2 certification further in our blog post SOC 2: What does SOC 2 certification mean for cloud security?.

Good to know: Doxis Cloud Services are SOC 2-certified. Our software keeps your data highly available and secure in the cloud.

ISO 16175-2

ISO 16175-2 is an international standard for records management. The standard provides guidance and functional requirements for software applications that are used to manage digital records, such as enterprise content management systems and document management systems.

These include:

• Guidelines on capturing and maintaining information
• Definition of processes
• Retention and deletion rules
• Compliance-based work practices

Good to know: Doxis is certified in accordance with ISO 16175-2 and meets all of the requirements for managing information subject to retention.

EU GDPR

The EU General Data Protection Regulation (EU GDPR) harmonizes the rules according to which personal data is processed across the European Union.

The EU GDPR outlines six principles of data protection:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

In a nutshell, personal data must without exception be processed transparently, correctly, in accordance with its intended purpose and to an appropriate extent, and protected against unauthorized access at all times.

Good to know: Doxis is certified in accordance with EU GDPR and meets all statutory data protection requirements. Meaning you can use Doxis to capture, store, manage, delete and share information all in conformity with EU GDPR.

An ISO 27001-certified ECM system offers you a slew of competitive advantages: It helps set you apart from the competition, gain customers’ trust, mitigate security risks and incidents, and fulfill both legal and industry-specific requirements.

With SER’s software, you gain an ECM system that meets the most stringent security standards. Our ECM platform is certified in accordance with ISO 27001, ISO 16175-2 and SOC 2, and fully EU GDPR-compliant. An array of customers from the finance sector already swear by it, including Aareal Bank Group, DEVK insurance and Landesbausparkasse Rhineland-Palatinate. You, too, can benefit from our certified quality!