This article is based on an interview with Brian Taylor - the Plus Your Business ‘ISO compliance officer’.

CRM systems like HubSpot help businesses store vast amounts of customer data. However, storing data has real modern-day challenges. Data management can bring with it potential security issues. Matching HubSpot management with ISO 27001 requirements can boost security and improve compliance.

Taking control of your data's security, confidentiality, and integrity is critical. For example, a Cyber Security Breaches Survey found that 50% of businesses had a cyber breach last year. Accessing a higher level of security can make a real difference. It can prevent financial issues and potential legal problems.

This article discusses ten ways to secure your information assets. Work through each item to establish best practices in your organisation.

1) Become a CIA Agent with Your Data

When it comes to information, always consider its confidentiality, integrity, and availability. These three areas are the CIA Triad, a guiding model in information security. Your security strategy should make every effort to minimise threats to these areas.

• Confidentiality of data ensures only authorised users have access
• Integrity of data ensures the information is accurate and unaltered
• Availability of data ensures authorised users can access it when needed

It is a guiding model in information security. Your security strategy should make every effort to minimise threats to these areas. Follow these three points above to boost your data security.

2) Implement an Access Control System 

Safeguarding customer data in your organisation should be a priority. You can use an access control system to ensure only authorised personnel can access data.  You can do this by categorising the information into various levels. For example, you could separate the data into public, restricted, sensitive or confidential.

You can set up access to HubSpot CRM data on the principle of least privilege. When you do this, people can only access what they need to perform their role. Also, check that only authorised personnel can access any sensitive information. Your company must make a point of reviewing and updating this access.

3) Boost Security with Single Sign-On (SSO)

Another best practice to improve data security is configuring user authentication methods in HubSpot. Taking the time to do this will make your security as robust as possible. There are three ways to do this on HubSpot:

• Encourage employees to use strong passwords
• Use Multi-Factor Authentication (MFA)
• Set up Single Sign-On (SSO)

As the name suggests, SSO allows users to sign in once to access all their applications and services. This article explains how to set up SSO in HubSpot. Additionally, remember to update the HubSpot platform itself to protect against vulnerabilities.

4) Stay on Top of Vendor Risk Management

For ISO 27001, you must identify and assess risks to your CRM data. This tracking also applies to third-party vendors who have access to your data. You are responsible for ensuring they follow security policies and ISO 27001. You can use HubSpot to:

• Track third-party assessments and contracts
• Automate vendor risk management processes
• Integrate existing vendor management software that you are using

Automation is critical if you work with many third-party vendors. HubSpot can help you stay on top of them all and ensure compliance. You can find out more about GDPR compliance in HubSpot here.

5) Understand Relevant Legislation

Legislation can change, but you can use HubSpot to manage and track information about ISO 27001 requirements. Here are a list of some of the things you can do inside HubSpot to help you:

Create a knowledge base

• It can detail the requirements and guidelines for ISO 27001
• Receive updates on legal changes and how they impact ISO 27001 compliance

Track Compliance Activities

• Track activities related to ISO 27001
• Create tasks for updating policies and procedures and assign responsibilities

Manage Communication

• Send updates and reminders to employees about compliance requirements
• Use templates to keep the message consistent 

Centralise Documentation

• Upload and organise all ISO 27001 compliance documents
• Ensure easy access for employees to access the documents

Automate Compliance Workflows

• Automate reminders for regular compliance checks
• Set up automated notifications for legislation changes that affect ISO 27001 

Training for Employees

• Track completion of training sessions
• Use surveys to assess the compliance understanding of employees

6) Create a Business Continuity Plan

A business continuity plan can help you stay on track if a crisis hits your company. It outlines the directions and procedures your company should follow. Such a plan ensures your business operations continue during the crisis. Once you have created the plan, you can set things up in HubSpot to help you:

• Run different crisis scenarios 
• Develop contingency plans 
• Store your business continuity plan so employees can access it

7) Stay on Top of Security Updates

You should establish a designated person or team to monitor security updates and patches in HubSpot. You can access these security updates in HubSpot’s Trust Centre. Your designated person or team will also be able to access necessary documents and reports to ensure your HubSpot platform is secure.

8) Create a System for Incident Management

Your organisation must report every security incident. Not only is this the law, but it can also help to improve your data security processes. Create a comprehensive information security policy that outlines how your company manages data security. Don’t forget to check that this aligns with ISO 27001 requirements. 

• You can use service desks and ticketing systems to log and track issues in HubSpot. These tools help you stay compliant and promote a culture of continuous improvement and compliance. 
• Also, try monitoring all your business activities in HubSpot. It can help identify suspicious activities before they get out of control.
• With continuous monitoring and auditing processes, HubSpot can also detect and respond to security threats in real time. It has intrusion detection systems and security incident response teams that can address potential threats quickly.

Here is a ten-step process to help you set up an incident management system in HubSpot:

Step 1
Review the specific clauses of ISO 27001 related to incident management - particularly Annex A.16 (Information Security Incident Management)
Step 2
Define an incident management process, establish your incident response policy and procedures, and define your roles and responsibilities.
Step 3
Set up customer properties in HubSpot to capture all the incident details, such as the type of incident, severity, status, date it happened and date reported.
Step 4
Create incident record types in HubSpot. Use custom objects or the ticketing system to manage incidents.
Step 5
Create incident management workflows to automate your incident tracking and escalation process. 
Step 6
Report and log your incidents via incident reporting forms that your employees and stakeholders can use.
Step 7
Set up automated notifications in HubSpot so the relevant employees know when an incident occurs.
Step 8
Create an incident response and resolution system. You can also assign certain individuals to handle this.
Step 9
Conduct post-incident reviews to assess the cause and impact of the incident. Store the reports in HubSpot for audit and compliance purposes.
Step 10
Review and update the incident management process. You can also use HubSpot reports to check for incident trends and response times.

9) Conduct Internal and External Audits

Internal and external audits are crucial to maintaining and improving compliance with ISO 27001. Internal audits can help you identify and mitigate risks and prepare your business for external regulators' audits. Externally, stakeholders can have confidence that your business is fully compliant. You can use HubSpot to help you by:

Creating Custom Properties and Fields

• You can create fields that capture details about specific clauses and controls for ISO 27001

Planning and Scheduling Audits

• Break down the audit process into tasks and assign them to team members

Conducting the Audits

• Use workflow automation to guide the internal audit process. You can then document your evidence, findings, and observations directly in HubSpot.
• Securely share your documents and audit evidence from HubSpot with external auditors.

10) Use the Audit Results

Once you have conducted audits, you can generate reports for HubSpot. These reports can help you to check audit progress and findings. The reports can help you identify and address any gaps and take action to improve things. You can also customise dashboards to monitor key metrics related to ISO 27001 compliance.

Extra HubSpot Bonus - Automatic Encryption

Encrypting your data is imperative, with so much of it flying around. You must encrypt your data when it is at rest and in transit. Encrypted data stops people from changing, compromising or stealing data. It scrambles the data into a secret code, and only a unique digital key can unlock it.

Thankfully, HubSpot automatically encrypts data. All communications between a web client and HubSpot servers are protected using TLS (1.0, 1.1, 1.2) protocol encryption using 2048-bit keys. You can find more information here. HubSpot servers also use state-of-the-art storage infrastructure to prevent data loss for data at rest.

Using HubSpot to Meet ISO 27001 Requirements

ISO 27001 requirements are strict. Paying attention to its control categories can help you boost your data security. Work through the ten areas above and leverage HubSpot to its full potential. It will help you safeguard your CRM data and meet ISO 27001 requirements.

Want to learn how HubSpot can help you? Contact me here, and I’ll be happy to discuss your needs. You can also email me at martin@plusyourbusiness.com.

If you’d like to learn more about ISO certification for your business, then please contact brian@isoguy.com (PYB ISO compliance manager).