The official employee newspaper
of Workpay Africa
ISO 27001 Certification: A Journey in Information Security
The Bell | January 18, 2025 | 5 min read

We are beyond excited to share some fantastic news—Workpay is now ISO 27001 certified! This milestone showcases our dedication to ensuring the highest standards of security are applied to the data and information entrusted to us by clients.

ISO 27001 is an internationally recognized standard that outlines requirements for implementing and maintaining an Information Security Management System (ISMS). An ISMS helps Workpay:

  • Identify and manage information security risks;
  • Anticipate, address and prepare contingencies for security vulnerabilities; and
  • Proactively respond to threats with clear action plans.

Employees who wish to see our ISO certificate or share it with a client or partner will now find it linked on the Workpay Wiki. There you can also find the official logos, which can be used in proposals and other marketing material to communicate that we are certified.

Obtaining the ISO 27001 certification took over seven months and required support from many corners. Here we’ll explain why this was worth it, then take you through our certification journey and remind you of your role in keeping our ISMS robust and effective. Let’s dive in!

The Benefits of ISO 27001 Certification

So, what does this shiny new certification mean for us and for you?

  • Market Trust: Our clients and partners can rest easy knowing that the data they entrust to us is as secure as it can be. Our certification reassures enterprise-level prospects and existing clients that we meet the stringent security requirements demanded by larger organizations, differentiating us in the market.
  • Risk Mitigation: We’ve implemented comprehensive systems to identify threats and vulnerabilities across our infrastructure. Through continuous monitoring, we can swiftly detect and address potential risks, maintaining a robust security posture.
  • Global Compliance: Being ISO 27001–certified aligns us with internationally recognized standards. This not only positions us as a global player in information security but also helps us stay ahead of evolving regulations and best practices.
  • Smooth Operations: Clear procedures and protocols minimize disruptions and keep operations running smoothly through whatever challenges arise.

Our Journey to ISO 27001 Certification

1. Gap Audit (April 2024)

The first step in obtaining the ISO certification is understanding the current status of your ISMS. This process, known as a gap audit, began in April 2024. By conducting a thorough self-assessment, we were able to:

  • pinpoint areas where Workpay’s processes fell short of ISO 27001 standards;
  • highlight vulnerabilities that needed immediate attention; and
  • provide management with a detailed roadmap for corrective measures.

This initial phase was critical because it revealed exactly where we needed to focus our efforts.

2. Setting Up the Information Security Committee and Documenting the ISMS (May 2024)

In May 2024, we formed a dedicated Information Security Committee featuring representatives from various key departments (shout-out to Boris, Jesse, Jess, Philo, Max, Jos, Flanders and David).

The committee’s role was to:

  • review existing security processes and procedures;
  • propose improvements to better meet ISO 27001 requirements; and
  • document and implement the necessary ISMS controls.

3. Documenting and Implementing the ISMS Controls

Based on the feedback received from the Committee, together with the insights provided by the lead implementers, Nelson and Victor, the ISMS started to take shape. The lead implementers began documenting the current processes and implementing technological and physical controls.

This is why we installed CCTV cameras and fire extinguishers around the office. By introducing these measures, we strengthened our security culture and demonstrated our commitment to ISO 27001 compliance. This meticulous documentation and careful implementation of controls form the backbone of our ISMS, ensuring risks are managed proactively and effectively.

4. Internal Audit (July 2024)

With our ISMS documentation complete, we conducted a thorough internal audit with support from Datasec. This step was crucial for verifying that:

  1. Gaps Were Addressed: We revisited each gap highlighted in the gap analysis to confirm the successful implementation of corrective measures.
  2. We Were Audit-Ready: The internal audit provided an added layer of assurance that our ISMS would withstand the scrutiny of the upcoming external audit.

This rigorous internal review set the stage for the external audits to follow.

5. Training and Awareness Sessions

Information security isn’t just about systems and technology—it’s also about people. In fact, human error is often the weakest link in any ISMS. Consider how employees handle data, respond to phishing emails, set (and store) passwords, or even leave their laptops unattended. Each of these everyday actions can strengthen or compromise our security posture.

This is why we will continue holding training sessions with mandatory quizzes. We will ensure that ISMS awareness is a key and mandatory onboarding requirement and that employees are regularly quizzed on their compliance and knowledge. Our security is only as strong as our collective commitment to it. Your day-to-day actions—no matter how small—contribute to the overall resilience of our ISMS.

6. Management Reviews

In September 2024, we conducted our first semi-annual management review. These serve as a formal mechanism for top management to assess the adequacy and alignment of the ISMS with organizational objectives and external requirements, monitor performance, and ensure accountability from all the parties involved.

7. External Audits (October 2024)

With all our preparations in place, it was time for testing. The prestigious British Standards Institution (BSI) conducted a series of rigorous external audits to evaluate our ISMS against ISO 27001 standards. These audits evaluated our entire security framework—examining everything from our policies and processes to our physical and technological controls.

We’re proud to say we passed with flying colors, proving that our security framework didn’t just meet the standard—it exceeded it. This was the moment our hard work paid off, and what a moment it was!

Keeping the Momentum Going

Getting certified is just the beginning. Here’s how we’re making sure we stay at the top of our game:

  • Regular Check-Ups: Internal audits and management reviews will keep us in check. We also have an annual surveillance external audit.
  • Staying in the Loop: We’ll keep up with the latest security trends to stay ahead of potential threats in technology.
  • Training and Awareness: We will continue with planned training and awareness sessions to always be secure and ready. Each new team member will receive thorough security onboarding to cultivate a strong security culture from day one.
  • Living Security: We want to develop a culture of security, and we’re making sure everyone’s all-in, all the time. To help us do this, make sure you are well versed in the security practices that apply at your departmental level.
  • Updating the ISMS: Our ISMS will keep evolving to meet the ever-changing demands of our industry. We have planned annual reviews for the ISMS.
  • Dos and Don’ts: Our training sessions emphasize practical guidelines for everyday tasks, from password management to handling confidential documents.

Workpay is not just about meeting expectations—we’re about smashing them. Achieving ISO 27001 certification is a huge step forward, but it’s also a promise to you, our customers, and our partners that we’re serious about security.

A massive thank you to our amazing team for making this possible.
