Skip to main content

Achieving ISO 27001:2022 Certification: What You Need to Know

· 6 min read
Jonny Griffin

In today's digital age, cybersecurity is an ever-increasing concern for organizations worldwide. It's imperative to keep sensitive information safe from cybercriminals - especially as a telecom mobile core network. That's why we're thrilled to announce that Working Group Two has achieved the ISO 27001:2022 certification - a globally recognized standard for information security management systems. This latest accomplishment marks a significant milestone for our organization in ensuring the security of our telco core network and edge sites, protecting our customers' confidential data from any potential threats.

Receiving the ISO 27001:2022 certification offers Working Group Two a host of benefits that are critical in today's rapidly evolving digital landscape. Firstly, it provides a robust framework to manage and protect sensitive information from any potential security threats. Secondly, it ensures the implementation of security controls to safeguard against cyber-attacks, data breaches, and other security incidents. Thirdly, it instills trust and confidence in our customers that we take data security seriously and have implemented the necessary measures to protect their information. Ultimately, achieving this certification demonstrates our unwavering commitment to information security and reinforces our position as a reliable and trustworthy partner to our clients.

ISO 27001:2022 Scope Statement

Working Group Two operates a mobile core network platform-as-a-service, enabling its customers to provide mobile telecom services using its core network. In addition, WG2 builds APIs to drive the programmability of the mobile core network. The scope of the ISO/IEC 27001:2022 certification is limited to the Information Security Management System (ISMS) supporting Working Group Two AS’s Software-as-a-Service (SaaS), Web application products, mobile telecom services in accordance with the Statement of Applicability version 1.0 dated 03/09/2023.

ISO 27001:2022

iso badge

ISO 27001 released a new standard in 2022, succeeding their previous version from 2013, making it the newest and most comprehensive security standard that outlines 93 information security controls to safeguard against various risks and threats. These controls cover all aspects of information security, from policies and roles to the use of cryptography and network security. They address critical domains such as access control, authentication, secure coding, application security, vulnerability management, and incident management, to name a few. The standard also emphasizes the importance of compliance with legal, statutory, regulatory, and contractual requirements, ensuring that organizations maintain an up-to-date understanding of their obligations. By adhering to these controls, Working Group Two can significantly reduce its exposure to security risks and safeguard its sensitive data and assets against unauthorized access, theft, or misuse.

ISO 27001:2022 Controls
15.1Policies for information security
25.2Information security roles and responsibilities
35.3Segregation of duties
45.4Management responsibilities
55.5Contact with authorities
65.6Contact with special interest groups
75.7Threat intelligence
85.8Information security in project management
95.9Inventory of information and other associated assets
105.10Acceptable use of information and other associated assets
115.11Return of assets
125.12Classification of information
135.13Labelling of information
145.14Information transfer
155.15Access control
165.16Identity management
175.17Authentication information
185.18Access rights
195.19Information security in supplier relationships
205.20Addressing information security within supplier agreements
215.21Managing information security in the ICT supply chain
225.22Monitoring. review and change management of supplier services
235.23Information security for use of cloud services
245.24Information security incident management planning and preparation
255.25Assessment and decision on information security events
265.26Response to information security incidents
275.27Learning from information security incidents
285.28Collection of evidence
295.29Information security during disruption
305.30ICT readiness for business continuity
315.31Legal, statutory, regulatory and contractual requirements
325.32Intellectual property rights
335.33Protection of records
345.34Privacy and protection of PII
355.35Independent review of information security
365.36Compliance with policies. rules and standards for information security
375.37Documented operating procedures
396.2Terms and conditions of employment
406.3Information security awareness. education and training
416.4Disciplinary process
426.5Responsibilities after termination or change of employment
436.6Confidentiality or non-disclosure agreements
446.7Remote working
456.8Information security event reporting
467.1Physical security perimeters
477.2Physical entry
487.3Securing offices. rooms and facilities
497.4Physical security monitoring
507.5Protecting against physical and environmental threats
517.6Working in secure areas
527.7Clear desk and clear screen
537.8Equipment siting and protection
547.9Security of assets off-premises
557.10Storage media
567.11Supporting utilities
577.12Cabling security
587.13Equipment maintenance
597.14Secure disposal or re-use of equipment
608.1User endpoint devices
618.2Privileged access rights
628.3Information access restriction
638.4Access to source code
648.5Secure authentication
658.6Capacity management
668.7Protection against malware
678.8Management of technical vulnerabilities
688.9Configuration management
698.10Information deletion
708.11Data masking
718.12Data leakage prevention
728.13Information backup
738.14Redundancy of information processing facilities
758.16Monitoring activities
768.17Clock synchronization
778.18Use of privileged utility programs
788.19Installation of software on operational systems
798.20Networks security
808.21Security of network services
818.22Segregation of networks
828.23Web filtering
838.24Use of cryptography
848.25Secure development life cycle
858.26Application security requirements
868.27Secure system architecture and engineering principles
878.28Secure coding
888.29Security testing in development and acceptance
898.30Outsourced development
908.31Separation of development. test and production environments
918.32Change management
928.33Test information
938.34Protection of information systems during audit testing

Leveraging automation

Working Group Two recognized the need for efficient and effective compliance validation of cloud and edge resources to meet the ISO 27001:2022 standard. The team leveraged automation and the DevSecOps methodology to automate the validation process to achieve this goal. Through automation, the team was able to efficiently validate the compliance of these resources and reduce the potential for human error. The DevSecOps methodology ensured that security was integrated throughout the development and operational processes, resulting in more secure and compliant cloud and edge resources. The combination of automation and DevSecOps allowed Working Group Two to streamline its compliance validation process and ensure that its resources met the ISO 27001:2022 standard.

Responsible Disclosure Program

Implementing a responsible disclosure program has been a crucial part in this process, prioritizing wgtwos security of all systems and data. By establishing a clear and easy-to-use reporting mechanism for security vulnerabilities, we can now work with security researchers and other external parties to quickly identify and address potential threats. A successful responsible disclosure program not only helps us to stay ahead of potential security incidents, but also demonstrates our commitment to transparency and collaboration in the broader security community.

Our security speaks for itself is a comprehensive platform designed to provide customers and partners with easy access to information about Working Group Two's security controls and certifications. The platform offers a centralized location to access detailed security documentation and certifications, including ISO 27001:2022 compliance, which assures customers that Working Group Two has implemented comprehensive security controls to protect their data and infrastructure. Additionally, trust promotes transparency and trust between Working Group Two and its customers by enabling easy access to relevant security information. With this platform, customers can have a better understanding of the security measures Working Group Two has put in place to protect their information and ensure its privacy. Overall, trust serves as an essential resource for customers and partners who want to stay informed and up-to-date on Working Group Two's security measures and certifications. security dashboard

We have joined the elite 0.056% of European Companies

Only 0.056% European Companies are ISO 27001 Certified

22,112,982 EU Companies
12,532 EU Companies with ISO 27001

Now, in May 2023 we are officially ISO 27001:2022 certified! The journey to reach this milestone was definitely challenging but also a rewarding experience. This accomplishment would not be possible without the support of many individuals across the organization - big 👏

With the high ISO standard, we innovated a security posture via automating the validation of cloud and edge resources. Through our platform, we have established transparency with our customers and provided them with the ability to download certifications and security documentation.

We are proud that Working Group Two, as one of a few, can display our ISO 27001:2022 certification today, demonstrating to our customers that security is at the forefront of how Working Group Two operates, and is the backbone of our core network.