Recorded Future's Journey to ISO 27001 Certification

Over the last few years, Recorded Future has sought and received SOC 2 Type 2 attestation. Since then, we’ve been trying to figure out additional methods to demonstrate just how seriously we take security. While there were many options, ISO/IEC 27001:2013 was the obvious choice, especially given ISO’s international worldview. Unlike SOC 2, which focuses on a period of time, ISO 27001 provides us with the guidelines to establish, implement, maintain, and most importantly, improve our information security management system (ISMS). No one is perfect when it comes to security, but ISO 27001 provides clear direction on how to strive for improvement.

Once Recorded Future made the decision to devote resources to attaining certification, the next step for us was engaging a reputable vendor to determine the gaps between our current security measures and the ISO 27001 standard. Fortunately, after a fairly lengthy search, we settled on Coalfire, based on their unique combination of experience, breadth of services, customer satisfaction, and competitive pricing. Coalfire was able to walk us through the ISO standard to illustrate exactly where we needed to place our focus — a framework that included more than 150 unique controls and management system requirements.

Coalfire’s Readiness Assessment kicked off roughly three months of work for our compliance, engineering, operations, and of course, information security teams to align our organization with the ISO standard. This remediation work included not only ensuring our documentation was sound, but also improving our processes to meet the stringent ISO guidelines. After that, our team thought we were more or less ready, and we secured the services of risk3sixty to perform both the required ISO Risk Assessment and Internal Audit. As a result of risk3sixty’s subject-matter expertise, were able to identify several opportunities for improvement to make sure we were truly prepared, including improvements to our cybersecurity awareness training and risk methodology, which we promptly implemented.

Roughly a full year after kicking off the effort, Recorded Future had the entire suite of documents and the necessary processes in place — we were a well-oiled, risk-managing, audit-planning, security-threat-mitigating machine. It was audit time, and we were prepared. Coalfire came back on site, this time as auditors, and ran us through our paces. They ensured that we had all necessary documentation in place, that our controls conformed to the standard, and that our processes and security measures matched our rhetoric regarding the paramount importance of securing our infrastructure and data. Once Coalfire was satisfied, almost 500 days to the day after we made the decision to seek certification, we were awarded full ISO/IEC 27001:2013 certification and ISO 9001 certification!

As mentioned earlier, ISO 27001 is not a “certify it and forget it” standard, it is an entire organizational process. We are already working toward more ISMS improvements for next year, including expanding our secure development training for engineers, and expanding our penetration testing exercises to include phishing simulations and red teaming. Not only will this certification and continuous improvement process demonstrate to both prospective and current clients the measures that Recorded Future takes to secure their data, but the certification also gives our employees the confidence that our infrastructure has the integrity and availability to allow them to successfully do their jobs.