ISO Certifications and Why We Love Them

Last month, Green River earned a genuine ISO/IEC 27001:2013 certificate. See, here it is:

“clip

As credentials go, industry certification is rarely cause for comment, perhaps even less so meeting one of the tens of thousands of arcane standards developed by the International Organization for Standardization and International Electrotechnical Commission. But this one matters to Green River. It matters not because compliance and audit drills took time and effort, and not because the certificate signals a particular level of software security competence. It matters because this certification affirms both a long-standing Green River value and, as we see it, an intrinsic obligation in how technology is applied.

The Green River tagline “software and analytics for a better world” would not mean much if our work spilled protected health information and corporate trade secrets all over the web. If there is anything we take as seriously as our impact mission, it is privacy and security. The data we handle—that our clients handle—spans medical information about private citizens, personal details about individuals experiencing homelessness, global supply chain research, and more. An ISO/IEC 27001 certification means the security controls we have in place to protect that data, and the management systems and policies our staff follow to ensure the integrity of those measures, meet a rigorous standard. We hope this piece of paper demonstrates the respect we have for our clients’ information and data, and how seriously we take our responsibility to safeguard it.

That respect and responsibility has long imbued our work, but over the course of Green River’s 21-year history we have seen it migrate to the very core of what we do—it is an evolution we believe tech is embracing, but belatedly, hesitantly, sometimes ineffectively, and often for oblique reasons. Priorities frequently matter. Clearly, the motivations behind cyber attacks and ransomware events are diametrically opposed to ours. But the same might be said of less blatantly nefarious data intrusions and privacy envelope-pushing, the kind motivated by financial gain, commercial intention, or selfish purpose. At Green River we strive to use data for good—to build software that enables our clients to help the homeless, serve public health, empower the underprivileged and underserved. And we have found that that purpose is inextricably linked to privacy, security, and confidentiality.

In short, our interest in ISO certification derives from more than checking a box for a client or mere compliance in the realm of HIPAA or GDPR. It derives from a commitment to the ethical and moral reasons for getting security right. And on that front, ISO certification is one of the tools we can use to hold ourselves accountable, measure progress, and continually improve. Internal audits, stress tests, refining processes, security trainings, other certifications (SOC2 is on our radar)—these are the kinds of ongoing proactive measures an ISO/IEC 27001 certificate encourages Green River to keep pursuing. ISO/IEC 27001 may not be a panacea for tech threats, but it is a catalyst tech broadly needs.