In December 2012, Areximbank – Gazprombank Group got an official status of a company enjoying ISO 27001 (International Standards Organziation) certificate. The certification has been carried out by Certification International United Kingdom, a respected audit company. Areximbank – Gazprombank Group is one of the first commercial banks in Armenia to receive such a certificate.
Hasmik Nersesyan, chief of the bank’s IT division, told ARKA News Agency what effect this fact may have on the bank’s activity and what its clients may gain from it.

ARKA – What advantages this certificate gives to the bank, its management and its clients?

Nersesyan – ISO standards are peculiar quality marks of activities in various areas. In 2010, our bank’s management received ISO 9001 certificate from AB Certification, French audit company, and this year we got information security management quality certificate.
It is not a secret that security is one of the key factors necessary for business stability. Introduction of this system will enable us to build an effective integrated management system, to strengthen our positions in Armenia’s banking market and to confirm reputation for being an accomplished and reliable company.
You should agree that it is difficult to dispute the importance of the global international credential recognized all over the world.
In addition, I would like to say a couple of words about the standard itself, since further talk will be senseless without comprehension of its essence.
This standard describes information security requirements for creation, development and maintenance of the information security management system, which is a component of the general management system. This component is in charge of information security, risk assessment, persistence of business processes in banks etc.
The objective of the information security management system is far wider than it may seem at the first glance, since its mission is to ensure comprehensive security and accessibility of data.
Management of information asset register, creation of reserve copies of various documents, protection of physical safety of equipment are among objectives as well.
Well, what are advantages of a company with such a certificate? The first of these advantages is image. As a rule, the bank’s attractiveness grows immediately and corporate clients esteem it higher than before.
The second advantage is enhancement of information security in the company. The third, most important benefit is enhancement of transparency of the work of the company’s administrative units, including the division in charge of information security.
Advantages are specific and subjective to each bank, depending on current things in information security and on what goals the information security pursues in this certification.

ARKA – What is the company head’s role in the decision to undergo certification?

Nersesyan – The issue is essential. It often happens that companies’ heads don’t understand consequences of their decisions to ensure or not to ensure information security to their companies. Financial aspect of this issue impacts their decisions as well, since certification is not a cheap procedure. But later they will save money, since they are shielded from incidents related to information security.
Out bank’s administration fully understood the necessity of this certification. A working group was established for controlling and organizing preparations. The group was made up of chiefs of all the concerned divisions.
This months-long work of our personnel would be impossible without support from the bank’s top leadership. This was a heavy work, and it will be necessary to confirm its results in the future.

ARKA – Did you involve outside assistants or consultants for preparations?

Nersesyan – Business processes can be brought in conformity with standards through less heavy work, if skilled specialists are attracted. They can gauge the company’s preparedness for certification and help it at each of the stages. But, first of all, you should understand very well what exactly you want to gain from it. Otherwise, you may realize later that you spent money on something absolutely unnecessary.
On the other hand, although outside consultants’ services are expensive, it would be wrong to think that your decision to handle everything by using own resources will save money for your organization. It will be difficult to those who have never dealt with international standards in management area to build an information security system able to satisfy international certifying organizations. We weren’t an exception and had recourse to consulting company Grant Thornton, which was chosen through tender. The company has a 15-year experience in provision of audit and consulting services at local market.
Together with Grant Thornton, the bank improved its information security system and developed a system which met ISO 27001 completely.
I want to express my gratitude to Grant Thornton Company’s specialists for their support and high professionalism, which enabled the bank to prepare itself properly to the Certification International United Kingdom Company’s audit.

ARKA – And the final question. Many companies fear that a certified system of information security management will require higher expenses than an uncertified system. Is it true?

Nersesyan – It is known that a miser pays twice. Very often expenses shrink, since the organization concentrates its attention on its peculiar risks, but not on those things which may jeopardize routine work.
We appreciate the fact that our bank’s management system meets international quality standards. This makes our s confident upon the high quality of our IT services and gives our administration additional confirmation of effectiveness of our system.
The ISO 27001 certification came as continuation of our constant efforts to ensure information security and as an additional guarantee of our reliability.
This gives grounds for growth of our clients and partners’ confidence in our bank, since nowadays, information is one of the most precious resources, and we find it very important to protect this value. M.V.-0---