May 28, 2021

Theta is ISO 27001 compliant



We're pleased to announce that Theta has achieved ISO 27001 certification. ISO 27001 is the international standard for information security management systems (ISMS): it sets out how an organisation should identify, manage and continually improve the security of the information it holds. For Theta and our customers, certification demonstrates our commitment, and our independently audited ability, to handle data to a recognised security standard.

View our certificate

What does it mean for our customers?

We have put the required controls in place across our people, processes and technology so that the information we manage stays secure. Our team is committed to following consistent, measured and repeatable processes to keep it that way. As risks evolve, we will adapt with them, keeping your business safe through continuous improvement, regular measurement and reporting, and dedicated, trained staff.

The importance of compliance for heavily regulated customers

Heavily regulated industries, including banks, government and insurance, rely on trusted technology partners as part of their digital supply chain. With an internationally recognised ISO 27001 certification, we can assure these customers that we are well equipped to design secure solutions and to protect their information assets. Because we apply these high standards for our regulated customers, all of our other customers benefit from the same frameworks and disciplines.

Are all IT providers ISO 27001 certified?

No. Certification is not compulsory; however, independent verification is the best way to confirm that your technology partner is up to standard. Technology providers play a critical role in the security of New Zealand organisations and should hold themselves to the highest standards. We believe that achieving this certification shows a proactive approach to the security of Theta itself and of the solutions we build and maintain for our customers.

What did we do to meet the standards?

ISO 27001 starts at the top. Our Board and Executives agreed that achieving certification was the right thing to do and reflects our wider ethical, diversity and environmental goals. With leadership commitment, we were able to ensure the key stakeholders were made accountable for their role in contributing to information security.

Alongside a tightly governed set of policies and procedures, we systematically gathered evidence that those controls were effective, and that evidence was independently audited. The policies focus on the security of what we deliver, covering project management, privacy, secure development and security operations, while also addressing HR, physical security, asset management and supplier security to ensure a holistic approach.

Should your business become ISO 27001 certified?

If you are a digital supplier, you should aim to be independently certified or attested against a recognised security standard such as ISO 27001. Others exist, including the NIST Cybersecurity Framework, PCI DSS and SOC 2, and which one fits depends on the nature of your business. Related ISO standards also cover risk management (ISO 31000), privacy information management (ISO/IEC 27701) and cloud security (ISO/IEC 27017 and 27018).

All organisations should consider some kind of security maturity strategy, and there are more lightweight approaches than full ISO 27001 certification, such as the Australian Government's Essential Eight, the UK Government's Cyber Essentials and CERT NZ's Top 11.