Information security in Vision AI: Why ISO27001 matters
14th April 2025

ISO27001 is the gold standard for information security management systems (ISMS). It’s more than a certification; it’s a mindset of continuous risk evaluation, from IT threats to human vulnerabilities. For retailers, safeguarding sensitive information ranging from customer, employee and supplier data to financial records and operational data, is critical.
Certification to ISO27001 signals a vendor's commitment to rigorous security practices. We spoke to Hoomi Chadirchi, VP of Engineering at SeeChange, to break down what ISO27001 means, how it shapes SeeChange's approach to security, and why it matters for retailers.
What is ISO27001, and why should retailers prioritise it when selecting technology vendors?
ISO27001 is the leading internationally recognized information security standard, dating back to the 1990s. Its foundation lies in the British standard BS7799. ISO27001 is a broad framework that covers both technical security measures and organizational policies, including HR and management controls.
Since it is widely recognized, many retailers are either familiar with it or certified themselves. When a technology vendor is ISO27001 certified, it means they have undergone rigorous audits to ensure their security processes are robust and effective.
For retailers, this certification provides confidence in their vendors. While no information security standard is completely foolproof – human error is always a risk factor – ISO27001 helps ensure that vendors take information governance seriously. If a breach happens, it also provides a framework to analyze what went wrong, what safeguards were in place, and how to prevent future incidents.
How does ISO27001 provide reassurance to retailers?
ISO27001 is a broad standard that requires businesses to think beyond just IT security. Unlike, for example, Cyber Essentials, which provides a prescriptive list for securing computers, ISO27001 requires companies to anticipate other tangible, real-world risks, by thinking outside the box and considering everything – including human behaviour and how people typically react in different situations.
A great example is Stuxnet, one of the most sophisticated hacks in history. Israeli intelligence hacked Iran’s nuclear facility, not by breaking into the network directly, but by targeting its supply chain. Hackers planted infected USB drives in the facility’s car park, in the anticipation that someone would eventually pick up a device and plug it into a computer on the network, compromising the entire system.
This highlights a critical lesson: even the best information security measures can be bypassed by human actions. ISO27001 forces businesses to consider not just how to secure systems, but also how to mitigate human vulnerabilities.
For retailers, this is important as they introduce self-checkouts, handheld devices, and other connected technologies. Every new device increases potential information security risks. Retailers need confidence and assurance that their vendors won’t introduce weak points into their network, and ISO27001 certification is a key indicator of diligence in information security.
How does ISO27001 work with data privacy, such as GDPR?
GDPR and ISO27001 complement each other. GDPR is a privacy regulation that ensures personal data is handled responsibly, while ISO27001 provides a framework to protect that data.
The latest version of the standard, ISO27001:2022, includes additional privacy-focused controls such as data masking. For example, if a retailer collects video footage containing customer faces, depending on the intended use of the data,
By working with vendors that follow or are certified to ISO27001, retailers demonstrate a proactive approach to information security, helping them to stay compliant with GDPR and other regulations.
If a security breach occurs, what should retailers expect?
ISO27001 requires businesses to have a clear incident response plan. If a breach occurs, retailers should expect:
- Prompt notification with transparent updates
- A root cause analysis to explain how the breach happened
- Details on what data was affected and how the issue was contained
- Corrective actions to prevent future breaches
In short, retailers should expect strong communication and accountability from their vendors.
What advice would you give to retailers when assessing vendors?
Retailers should evaluate all vendors, both new and existing, to ensure they meet strong information security standards. Key questions to ask include:
- What security certifications does the vendor hold (e.g. ISO27001, SOC II, Cyber Essentials, etc.)?
- How frequently do they review and update their security policies?
- What specific risks does their technology pose to your business?
Additionally, retailers can use automated security assessment tools to verify a vendor’s information security. For example, platforms like SecurityScorecard.com scan a company’s digital footprint to identify potential vulnerabilities – from website security configurations to past data breaches reported in forums.
This provides retailers, or any business considering working with a technology vendor, an opportunity to verify that responses to security questionnaires match with the digital security footprint the company has. Where discrepancies arise, this allows for proactive investigation before committing to a technology vendor.
Any final thoughts, takeaways on ISO27001?
One of the things I’m always keen to stress about information security is that it’s important to recognize that no matter how many policies and processes you put in place, the human element will always present challenges. If you take Stuxnet, referred to previously, as an example, you can do everything right, but one person plugs a USB into their laptop, and it can be catastrophic.
ISO27001 helps businesses to think beyond technical controls, and pushes them to consider human behaviour, evolving threats, and continuous improvement. Information security is never a one-time task; providers must remain vigilant, and risks must be reassessed regularly.
By prioritizing ISO27001-certified vendors, retailers can reduce information security risks, build customer trust, and introduce new technologies which allow their businesses to advance without compromise.
SeeChange is proud to be ISO27001 certified.