ISO 27001:2013

It is very important to all businesses that outsource operations and services to IT companies to obtain confirmation that the service provider operates a certified information security management system. Information security is becoming increasingly important for the valuable and sensitive infrastructure of businesses and public institutions. It is very important that service providers look for all means to minimise threats and risks that may affect the IT environment and use recognised and certified methods to achieve this. Origo has implemented an ISO 27001 certified information security management system and also employs around 30 specialists who have received an ITIL Foundation Certificate in IT Service Management. The Company places great importance on constantly deepening and enhancing employees' awareness and knowledge of information security. In addition to the Company itself holding security courses, tests and conferences, it also sends employees to more tailored courses, including courses on secure programming and ethical hacking. The Company conducts numerous tests each year on infrastructure security as part of regular contingency and emergency planning, as well as vulnerability tests on the infrastructure and systems that the Company owns, services and operates.

Origo places great emphasis on ensuring that its entire operating and service environment is secure and that its employees exhibit the highest level of knowledge, skills and professionalism when it comes information security and services. The Company's goal is to be the first choice of customers when they choose a partner for the secure operation of information technology and services. Origo has been ISO 27001 certified since October 2004.

ITIL

The Company's information processing, procedures and service management are based on a strong ITIL foundation, built by Origo's talented team of ITIL specialists.

The ITIL methodology ensures a high level of customer service while also minimising the potential impact of any disruptions that may occur. Service Level Agreements (SLAs) have been structured on the basis of ITIL and all service procedures and service controls have been developed according to the ITIL methodology.

The Company aims to be in the forefront of Icelandic service providers who have implemented and adopted ITIL and ISO 27001, in order be able to provide a secure operating environment and excellent service, both for its own infrastructure as well as for customers.

Risk assessment and risk management

Risk assessment is based on the most valuable assets that fall within the scope of certification. Once the most important assets have been defined, as well as the owners and persons responsible for those assets, the risks that affect the asset concerned are assessed. When threats, probabilities, frequencies and impacts have been assessed, risks are documented either as "Green", "Yellow" or "Red" and placed in the appropriate procedure category (risk non-existent/Green – risk that requires action/Yellow – risk that requires immediate action/Red). The final part of risk assessment involves reassessing risks that have been placed in an action category (yellow or red). The reassessment examines whether existing risks have been addressed and the actions that have been approved or rejected by the Security Committee, which has the role of reviewing and approving/closing or rejecting a solution or action.

The purpose of the risk assessment is to identify the risks that may exist in the environment, to understand their nature and to minimise the threats they pose through actions, transference or approval. Risk assessment and risk management delivers continuous improvement in both services and operations and ensures proper management, builds trust in information security management systems, minimises risks in the environment, strengthens information security management systems and allows for appropriate responses, in addition to protecting the Company during times of growth or contraction.

ISAE 3402 Type 2

Origo has issued a report in accordance with ISAE 3402 related to auditing and financial reporting of customers. The report, which is Type 2, describes the design and functionality of Origo's internal controls, with KPMG providing an independent opinion of Origo's description of the Company's service solutions.

Reliable outsourcing and service partner

The scope of the report is varied, covering, among other things, access controls, change management and incident management, as well as recording of information assets and their use. The report provides managers and auditors of businesses with some reassurance as to the control elements of the procedures that are outsourced to Origo and fall within the scope of the report.

"Here at Origo, a great deal of work has gone into this report, which will improve efficiency and is a recognition of Origo‘s status as a reliable outsourcing and service partner", says Örn Alfreðsson, Managing Director of Service Solutions at Origo.

Considerable benefit for customers

International auditing standards require that IT audits are included in the routine, yearly auditing of organizations that are required be audited.

Such audits can be both costly and time-consuming, but now these organizations have the option of purchasing the report, saving them time and money. The publication of the ISAE report can thus provide considerable benefits to those Origo customers who are required to conduct IT audits annually.

Data protection

Origo places great emphasis on the protection and security of personal data. Origo's goal is that all processing of personal data at the Company is in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data, and that appropriate procedures and processes are in place.

More information on data protection at Origo can be found here.