Fanny See, Co-founder and COO, Detrack SystemsBlog

How Detrack earned data protection, infosec certifications

By Fanny See, Co-founder and COO, Detrack Systems

From 580,000 Singapore Airlines (SIA) frequent flyers and 129,000 Singtel customers being compromised due to data breaches, to approximately 470 OCBC Bank customers losing a combined $8.5 million recently because of a phishing scam, several major local companies in Singapore alone have been hit by cybersecurity breaches last year.

For our delivery management software company Detrack, which started in Singapore but now boasts a presence in 50 countries, the security of our users’ data remains an utmost priority. This is why over the last year, Detrack has earned itself the Data Protection Trustmark (DPTM) certification while also making sure its Information Security Management System (ISMS) is officially certified to meet the requirements of the ISO 27001 standard. The latter certification was earned in just four months — a process that typical companies take many months or even years to complete due to the stringent requirements of the ISO 27001 standard.

Of course, getting these certifications in the midst of the COVID-19 period is hardly heard of, and while we celebrate Detrack’s achievements, we would also love to share some of our lessons learned during the entire process.

PLDT group holds data privacy forum to boost information security
NPC leads creation of global working group on data privacy

How Detrack did it

Before companies embark on the process of gaining accreditations for ISO or DPTM, it is key to do interval evaluations and examine if the organization is ready with its system design and implementation stage of the key processes. Detrack was able to get the certifications within a shorter than the estimated time, primarily because we were long prepared and did not start to inject processes simply because of the requirements of the certifications. Companies planning or preparing to apply for ISO 27001 certification need to correctly define the scope of the accreditation and always keep the scope in mind even at the design stage.

Engaging a consultant was also something we did right. While a consultant will not be able to work wonders, and it is still largely the company’s own internal processes, they will still be able to provide effective guides and checks along the way and also handle some heavy lifting to offload putting the full burden on internal resources. There was a stringent internal audit alongside an outsourced consultant to prepare for our own certification process.

Planning out the timeline is also important. The ISO 27001 certification process can be quite complex and challenging, so an implementation plan to take the team through it all before getting started will help a lot. This ensures that the supporting dedicated staff to this will be available to handle without major clashes with other key projects of the company.

Next, prepare the various departments. A company’s staff will be its biggest security strength, but only if you equip them with the information they need to be capable. It was imperative to ensure all employees are aware of the importance of information security through annual security awareness training sessions.

A key lesson to note would be to keep communication open. Even when we were all working remotely, the process of constantly collecting specific documents from staff members from different departments was always completed smoothly as everyone was on the same page.

Employee collaboration

While improving on our workflow systems, there were also some areas in the server infrastructure and technical configurations, which were rather foreign to our Operations team. To fill this gap, our technical and engineering team stepped in to help everyone understand the complex technical configurations, rationales, and workflows. Our extraordinary engineering team tried their best to simplify their explanations into layman terms. Indeed, the help and positivity that our teams have shown during the whole journey demonstrated the importance of open and honest communication within the entire organization.

Nonetheless, the process was considered relatively smooth as Detrack has been embarking on a paperless office with transformation happening to transit paper documents to electronic formats way before the pandemic happened. Going paperless definitely helped us organize all the necessary information more efficiently.

We had to constantly remind ourselves to focus on the goal of achieving accreditation. On top of that, it was crucial to recognize that the process would ultimately strengthen our data protection framework. This, in the long run, would safeguard important data and our partners.

As a leading Delivery Management solution, Detrack empowers businesses around the world to make thousands of deliveries daily. Detrack has always regarded security as a topmost priority and by clinching these accreditations, we are providing our users with the confidence that we are not merely putting on paper that we value data security but to let them understand and have the strongest vote of confidence in our processes. Today, Detrack is the only delivery tracking and proof of delivery solution in Singapore with both the ISO 27001 and DPTM accreditation, which proves to our partners that we have gone through robust and comprehensive processes to achieve the highest data security accreditation available. At the end of the day, we believe any company should be able to achieve these goals if they wanted to — and we hope that our learnings would prove helpful at some point.

Detrack is a real-time vehicle tracking and electronic proof of delivery (E-POD) solution. It works anywhere in the world with a smartphone or tablet. Detrack is now used in over 45 countries, supporting 35 business types. As a global solution, the app is currently translated into 21 languages, with more than 58,000 installations.