We’re delighted to announce that LibLynx has achieved ISO 27001 certification — the international standard for information security management systems.

This is a significant achievement that we’re very proud of (not a phrase that we throw around often), as it means we have attained the highest global standard for information security. Not many organisations in the scholarly community have earned this badge of honor, and those that have are predominantly large organisations with hundreds or thousands of staff.

It’s also a significant commitment — information security is a journey, not a destination, and compliance requires re-envisaging an organisation’s policies, systems, and workflows around security. It’s required a lot of our time and attention over the last year, and we’ve learned a lot as a result.

The rest of this post shares more information about what it means for our clients, and what we learned during the process. Feel free to contact us if you’re considering ISO 27001 certification as we’re happy to share our experience.

What ISO 27001 means for our clients

LibLynx’s end-to-end operations comply with international standards for Information Security Management Systems, i.e., we have integrated systems and practices designed to put information security at the core of our operations.

You can be confident that we:

  • Develop software solutions that are rigorously designed and tested for security before release
  • Host our applications in secure and resilient infrastructure designed around business continuity and disaster recovery
  • Securely store and manage the data we collect as part of our operations: from clients, from our clients’ customers, and from their end users
  • Regularly review all our policies, systems, and workflows as part of our continuous improvement plan to re-assess risks, identify new and emerging vulnerabilities, and upgrade our capabilities

What we learned en route

We publicly posted about our commitment to ISO certification just over a year ago, explaining our decision to invest in compliance. At the time, we expected to end up with some improvements to our systems and a certificate to post on our website. In practice, we found compliance was significantly more impactful.

The biggest change was both simple and profound — thinking about information security at every level of our business. Activities like adding a new supplier, changing a piece of software, or onboarding new staff now have structured processes geared specifically around understanding and addressing our information security needs. Plugging a device into our network or exporting data to a client are covered by specific policies.

Thinking holistically about information security has also borne fruit in terms of new processes and policies that help inform and improve our business. For example, we now have a legislation register to scan the legal horizon for emerging regulatory changes, as well as a key supplier dashboard linking to all our various contracts and online T&Cs. We now have a new staff handbook that provides an easy reference point for all of the policies governing how we work, such as personal devices and responsible use of AI, in addition to information security.

Last, but not least, ISO compliance has significantly upskilled all of us, a valuable benefit. We increasingly get questions from clients about issues related to information security, often prompted by questions from their own customers and end users. Historically, those questions sometimes had us scratching our heads. Now it feels like information security is our new superpower!