The Fund’s Office of Investment Management (OIM) obtained today ISO certifications for information security (ISO/IEC 27001) and business continuity (ISO 22301), confirming that it meets the best standards in these areas.
“This is a tremendous achievement and excellent news for our beneficiaries, stakeholders, and staff,” said Pedro Guazo, Representative of the UN Secretary-General for the investment of the UNJSPF assets and in charge of OIM. “We protect the Fund’s assets not only by investing safely but also by making sure operational risks are fully considered and addressed; this is what these certifications are about.”
“OIM operates in an environment where cyber criminality is a daily concern, and the COVID-19 situation has shown that business continuity needs to be taken seriously,” Bill Wilkinson, OIM's Chief Operating Officer added. “With ISO certifications, we have the confirmation that OIM has the best processes and procedures in place to ensure the Fund’s resilience to disruptive events.”
The newly obtained ISO certifications are the result of more than a year of intensive work involving all sections of OIM and the assistance of the UN International Computing Center (UNICC). It included a risk assessment and a gap analysis against ISO standards, followed by the issuance or updates of relevant policies and procedures.
ISO certifications are part of the OIM’s Strategic Roadmap for a new Target Operating Model, where strengthening information security and improving business resilience were identified as key deliverables to protect the Fund’s assets.
ISO/IEC 27001 is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure.
ISO 22301 is an international standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.