What it takes to get and keep ISO Certification

Last month SDL was granted ISO/IEC 27001:2013 certification for our SDL WorldServer translation management system. Because this is still a fairly rare achievement for translation software and services, I wanted to document what it took for SDL to earn this certification. It should also make clearer why large enterprises that value their data security insist on using only ISO 27001-certified products and services.

ISO/IEC 27001 is published by the International Organization for Standardization (ISO) together with the IEC. Certification means that an independent auditor has verified that the organization runs an information security management system (ISMS) meeting the standard's requirements, covering how the in-scope applications are built, operated and supported. We already held ISO 27001 certification for SDL TMS, so we were very familiar with the process. To support the TMS certification, for example, SDL performs a background check on new support employees to look for any potential security concerns. Even with the SDL TMS knowledge and procedures already in place, it took almost a full year to add certification for SDL WorldServer.

For the software itself there are extensive technical assessments. The code is reviewed against a risk framework to highlight any weak points through which attackers could gain access, ranging in capability from script kiddies (also "skiddies": unskilled individuals who use scripts or tools written by others to attack computer systems and networks) to sophisticated, state-sponsored groups. This effort included SDL hiring outside "white hat" penetration testers to see if, and how, they could get into the software. As a result of these reviews a set of mitigation steps was defined, the software was amended, and support policies were implemented.

ISO 27001 also requires documented processes for supporting and updating the software, so that people making changes do not introduce new vulnerabilities. This work was actually the most time- and effort-intensive part of the certification. Procedures were not only documented but also implemented, tested to confirm they had been implemented correctly, and then audited to ensure that every change is traceable to the exact time it was made and the person who made it.

The process of gaining ISO certification involved many SDL people. Dennis van der Veeke, our former CTO, chairs a Steering Committee of about eight VPs and Directors that oversees all security-related issues. SDL also has a team of dedicated information security specialists whose whole job is to ensure our applications are protected from unauthorized access. In addition, all operations staff, including Customer Support and Cloud Operations, have been trained. SDL is currently training all software developers on the ISO procedures and on the steps they need to follow to write "secure code."

Despite the operational and personnel challenges of ISO certification, SDL is moving forward to add more systems. Both our translation management systems, SDL WorldServer and SDL TMS, are now ISO certified. We are working to add SDL Knowledge Center, SDL Web and SDL Campaigns before the end of the year. Later next year we hope to add our machine translation tools and SDL eCommerce Optimization.

You can see from the effort we invested that we value ISO certifications. They demonstrate our strong commitment to achieving and maintaining secure applications.

If you have any questions about SDL, ISO certification or applications mentioned above, please feel free to reach out to me (dcsaplar@sdl.com).