To provide our member credit unions with assurance about information security, Central 1 became certified to the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) in 2008. Our ISMS is managed and coordinated through our Corporate Information Security Officer (CISO).
We were the first financial institution in Canada to be certified with the ISO/IEC 27001 standard. This certification independently validates that we implement a risk-focused information security program with all controls specified in Annex A of that standard. These controls include requirements in the following areas:
Organization of Information Security defines the structure and process by which information security is managed and coordinated, both internally and with external third parties.
Asset Management governs the use, classification and protection of physical computing, software, and information assets necessary for Central 1 to perform required business activities.
Human Resources Security defines management responsibilities for bringing staff (both employees and contractors) on board, for releasing staff, or when changing their roles. HR Security also addresses management responsibilities to staff for the duration of their time at Central 1.
Physical and Environmental Security addresses the specific conditions and controls within Central 1’s owned, leased, or occupied property and premises, and any physical equipment or services that are necessary to protect or support these environments.
Communications and Operations Management sets out the rules for documenting and communicating operating procedures, managing changes, addressing capacity requirements and establishing responsibilities, both for internal operations and for those outsourced to third-party service providers.
Access Control Policy defines the specific conditions for allowing and supporting various levels of access to applications, data and network assets by users, administrators, contractors and third-party representatives.
Information Systems Acquisition, Development and Maintenance policies define the expected business and security requirements for the purchase, development and maintenance of new information systems, components and applications.
Information Security Incident Management policies outline the processes and procedures in place to address exposures, events, or potential weaknesses that could impact the security of Central 1’s information.
Business Continuity Management identifies the Business Continuity Program (BCP) used to protect critical business processes and ensure their timely resumption after an interruption.
Compliance policy defines processes for compliance with legislative, regulatory and contractual requirements, as well as audit considerations.
Certification involves annual independent audits by an external accredited certification body, which issues certification based on the favourable results of its reviews. We have engaged a certification body that is responsible for independently assessing our conformance with the standard and issuing our certification.
The ISO/IEC 27001 standard also requires regular and ongoing internal audits of conformance to the standard. To meet this requirement and support the ISO/IEC 27001 certification process, Central 1’s Internal Audit Department conducts internal audits throughout the year to ensure adherence to the ISO standard. When external auditors from the certification body conduct their reviews, they also assess internal audit work and ensure that this is sufficient to meet the requirements and principles of the ISO standard.
Corporate Information Security Officer
Central 1 Credit Union