Since February of 2020, solarisBank’s information security management system is officially ISO 27001 certified. To find out why this is such a big deal and to what lengths we go to keep our end-customers’ data secure, we had a chat with Guido Reismüller, our Head of Information Security, and Alvaro del Olmo, IT Security Manager at solarisBank.
How do you set up information security for a bank?
Guido: As a tech company with a full banking license, it is our duty to comply with the same regulatory requirements all other banks are subject to. Given the extremely sensitive data that banks handle day to day, information security is a major part of those requirements, and we have regular internal and external audits ensuring that we meet them.
As mentioned, solarisBank is a modern tech company at its core. We operate a state-of-the-art technology stack with a high degree of automation in our continuous integration and delivery pipeline of over 250 releases every week. The regulatory requirements that we face, however, are devised for traditional banks that apply processes and technology from decades ago. This can make it challenging to implement these requirements in our processes. So, we had to find smart solutions to manage it compliantly.
Can you tell us more about how you solved this challenge?
Alvaro: The key was to map and interpret compliance requirements to our modern processes and tools. To achieve this, we had to stay in close liaison with our regulators and auditors, as we were building a banking model that was unique in the German market. Concepts like agile working modes and continuous delivery of features are still new for many regulating bodies. We came up with new solutions like interactive security policies, automated security checks, a real-time risk dashboard and an enforced 4-eyes-principle for code commits.
What are you currently working on? And what do you have planned for the future?
Guido: Our vision is to integrate security from the start to build products that are secure by design. This way, we ensure that security controls are embedded in every phase of our software development process, thereby baking security directly into our services. As our Banking as a Service Platform scales both in terms of transaction volume and in terms of geographic expansion, we need to adapt our security setup continuously. Therefore, we required a thorough information security management system (ISMS).
As many of our partners, third-parties and other stakeholders are interested in how we secure our services, we decided to strive for ISO 27001 certification, allowing us to demonstrate our ability to manage information security in a widely recognized way.
So, what does it mean to be ISO 27001 certified?
Alvaro: ISO 27001 is an internationally recognized standard for information security management systems. It defines requirements and processes to manage, control and continuously improve the information security of an organization. It also defines more than 100 industry-standard controls, both technical and non-technical, that an organization has to implement in order to effectively manage and improve its security. Examples are security policies, access management, physical security, incident management or cryptography.
Alvaro del Olmo, IT Security Manager at solarisBank
How does solarisBank benefit from being ISO 27001 certified?
Guido: First and foremost, it benefits our partners, investors and service providers, as it demonstrates that we are committed to keeping our end-customers’ information secure to the highest standard.
Further, being ISO 27001 certified is particularly valuable in the context of the banking and finance environment. A lot of laws and standards are designed with ISO 27001 in mind, which makes working with supervisory authorities much easier. As an ISO 27001 certified organization, we demonstrate that we are prepared for further national and international growth and for potential further regulations if we reach a size of critical relevance to the economy.
Thanks for the insights, Guido and Alvaro!