THE HIGH PERFORMANCE STORY
Founded in 2012, Reinvented for 2017
MAYASEVEN was founded in 2012 by a group of people who love to do in-depth penetration testing and to provide a high-quality service to clients, and who also want to inform society about cybersecurity so that people have more awareness of cyber threats.
Later, in 2017, MAYASEVEN was registered as MAYASEVEN Co., Ltd, improving its service quality to a level comparable to international standards, in line with the company vision.
MAYASEVEN has adopted ISO 9001:2015 and ISO/IEC 27001 to solve problems that had long been “a pain” for clients in the penetration testing industry:
- Penetration testers lack advanced, cutting-edge penetration techniques beyond what the standard penetration testing methodologies cover.
- Penetration testing lacks consistent service quality because the skill of the tester assigned to each project is uneven.
- The testing company subcontracts its services to third parties and therefore cannot fully control the quality of the service.
- Clients must beware that the testing company may disclose, or take advantage of, their confidential information.
So we use ISO 9001:2015 to solve the first three problems and ISO/IEC 27001 to solve the fourth.
For the first problem, we have defined the minimum qualifications for our testers: they must have won a national cybersecurity-related competition, have published research on an interesting vulnerability, or hold an international penetration testing certification. We also hold frequent internal seminars to exchange knowledge about new penetration techniques and add them to our company penetration testing guide for use in client engagements.
For the second problem, we have a systematic penetration testing guide. Every employee must understand it, and we regularly verify that understanding. Moreover, two people review the results of every penetration test, the project manager and the quality assurance reviewer of each project, to assure our clients that they will always receive a high-quality service from us.
For the third problem, we have a policy of not using any third-party services, to assure our clients that the penetration testing they receive is performed by our own skilled testers.
For the last problem, we have an information security management system certified to ISO/IEC 27001, to assure our clients that their confidential information is managed and destroyed appropriately according to the international standard.
Is ISO 9001:2015 necessary to solve these problems? And how does it relate to penetration testing work?
ISO 9001:2015 is the international standard used to guarantee that a company has a quality management system that works as documented and, importantly, that all these methodologies are applied truthfully and verifiably under a credible certification body such as BSI (British Standards Institution). Our company, MAYASEVEN Co., Ltd, is the first company in Thailand certified to ISO 9001:2015 for Penetration Testing and Cybersecurity Consulting services by BSI.
Is ISO/IEC 27001 necessary to solve these problems? And how does it protect clients’ confidential information?
ISO/IEC 27001, the Information Security Management System (ISMS) standard, is the standard for information security management. In penetration testing work, the tester can usually access clients’ confidential information such as employee salaries, trade secrets, and critical vulnerabilities that could damage their business. How can clients be sure that the tester will not disclose or make use of this information? That is why ISO/IEC 27001 is necessary. Our hiring process requires that applicants have no criminal history of computer-related offences. Our employees must strictly obey the company’s security policies. All client information is encrypted while stored on computers and while in transit. It is destroyed after the retention period, and we keep a log that tracks who held each client’s information, so that in the event of a data disclosure the responsible person can be identified.