23andMe Receives Data Security and Privacy Certifications

23andMe recently received two additional privacy certifications from third-party auditors, while successfully re-certifying an existing security certification. 

ISO certifications are awarded after extensive audits by independent third parties. An international standard-setting organization develops the standards for each certification. In line with this commitment, 23andMe asked independent third-party auditors, Schellman & Company, to test and assess 23andMe against the standards for security and privacy under the ISO 27001, ISO 27701, and ISO 27018 certifications. 23andMe is the first direct-to-consumer genetic testing company to be assessed against all three standards.

 

Security Standards

23andMe’s first certification, which we first received in 2019, is ISO 27001. We started with that certification because it is one of the most widely recognized and internationally accepted information security standards. It identifies requirements and specifications for a comprehensive Information Security Management System (ISMS). This defines how an organization should manage and treat information more securely, including applicable security controls. 23andMe’s ISO 27001 certification was recently re-certified, an achievement built on all the great work that teams across the company did to support security and privacy since the beginning. 

But we didn’t stop there. This year, 23andMe added two privacy-focused ISO certifications, ISO 27701 and ISO 27018, to complement our ISO 27001 certification. What do these certifications mean?

Protecting Privacy Rights

The first, ISO 27701, is a new standard for protecting the privacy rights of individuals. It is an extension of the standards that are part of ISO 27001, and requires a Privacy Information Management System. Some of the key requirements of an ISO 27701 certification include privacy awareness training, privacy notices, supporting consumer privacy rights, and more. 

The other certification, ISO 27018, establishes commonly accepted controls and guidelines to protect Personal Information in cloud computing environments. Some key requirements for ISO 27018 include encouraging accountability via breach notification procedures and having more stringent security requirements for cloud service providers.

Every year, a third-party auditor will validate that 23andMe can demonstrate ongoing compliance with these ISO certificates. These certifications act as additional proof of our commitment to information security and privacy and to providing the most trusted experience for our customers. Privacy and Security are in our DNA, and we have the certifications to prove it.

To learn more about our privacy and security practices, please take a look at our Privacy Center.