The French interactive software firm Intuiface now has a shiny new certificate on its office walls saying it is ISO certified.
At first glance this rates about a 2 on an Exciting News-O-Meter, but it is interesting because the rationale for going through a lengthy, expensive and documentation-laden audit exercise ties to locking down a platform.
Intuiface’s new ISO/IEC 27001:2013 certification refers to the global standard for an information security management system, or ISMS. The goal of an ISMS, says the company, is to ensure data confidentiality, integrity, and availability. It’s a lot of work and took Intuiface 18 months to prepare for and pass the final audit.
I am relating this because any software company, along with its channel partners and end-users, should have a healthy interest in information security for digital signage.
Says Intuiface’s Geoff Bessin: “Over time, customers are going to demand information security controls so DS vendors better be ready. Our bias is that we went with ISO instead of SOC 2 because only ISO is globally-recognized. (ISO 27001 is also essentially a superset of SOC 2 but, at the end of the day, the two standards try to address the same challenge – securing information.)”
I wrote a recent post about LA’s Enplug getting SOC 2 certification.
To illustrate why (we did this), we can approach this from one of two perspectives:
- From the perspective of enterprises deploying digital signage.
Intuiface is an exemplar of the broader trend to introduce signage that is intelligently aware of its users and surroundings. The objective of this sensitivity is to create (hyper)personalized experiences that draw on corporate knowledge, creating sticky, highly effective deployments which – in turn – generate useful data for business insight. None of this is possible unless the enterprise can find a way to provide access to its back office while, at the same time, protecting the information it contains and the privacy of individuals represented by that data. This can only be achieved through a formal process that protects data all while sharing it. That’s the role of the ISMS and the reason ISO 27001 certification has grown in prominence. In fact, all enterprise cloud hosting options, like Amazon, Microsoft, Salesforce, and Dropbox (to name a few), are already ISO 27001 certified. This move is trickling down to any organization hosting third-party data.
- From the perspective of integrators and digital signage providers.
To deliver personalized experiences, Digital Signage integrators and vendors inevitably sense, access, manipulate, display, collect, and write private information. If, as noted above, enterprises are self-tasked with improving information security management, service providers and vendors will have to comply with those same requirements if they’d like to do business. Take Intuiface, for example. We provision and facilitate experience storage, analytics data collection, and license management. More and more often, we are receiving 100+ question inquiries used to establish the extent to which we secure data and how well our approach complements a prospect’s requirements. Upon receiving the questionnaire we are told, “As an alternative to completing the questionnaire, simply provide your ISO 27001 certification credentials.” Certification is an insurance policy, guaranteeing a modern, reliable approach to data security.
Although it sounds arcane, ISO 27001 is going mainstream. It is morphing from extravagance to table stakes, the minimum necessary for an integrator or Digital Signage vendor to offer its services to security-aware enterprises. Compliance is thus technically optional but, in practice, obligatory. The good news is that compliance doesn’t just introduce a set of best practices from which any organization could benefit, it also reassures enterprises that their vendors can be a trusted partner.
Dave Haynes is the founder and editor of Sixteen:Nine, an online publication that has followed the digital signage industry for some 14 years. Dave does strategic advisory consulting work for many end-users and vendors, and also writes for many of them. He’s based near Halifax, Nova Scotia, on Canada’s east coast.