
Cyber Security Champions: Three Years of ISO/IEC 27001 Certification at Diversity Atlas 

October 14, 2024

Cyber security is a continuous process of adding layers and staying vigilant. As the international standard for information security management, this year’s ISO/IEC 27001:2022 certification is a key part of Diversity Atlas’s cyber defence. We are proud to announce here that we have achieved ISO/IEC 27001 certification for the third year in a row.

Have you ever noticed how some houses in Australia do not even have fences? You can walk down the street, see a lovely home, and there is no clear boundary between the front yard and the sidewalk.  

Now, imagine, if you can, the unlikely scenario that you live in one of these houses, but your neighbourhood suddenly becomes targeted by dozens of criminal gangs who specialise in breaking and entering.

The first thing you may do to feel a little safer is build a fence. Simple, right? But what if you want more protection? You may make that fence taller and add a gate. Still want more? How about some security cameras, alarms, and even a large, intimidating dog to ward off intruders? 

But here is the big question: Is the house 100% secure now? The truth is, no matter how many layers of security you add, there is no such thing as 100% safety.

This is a metaphor for information security, but where most homeowners in Australia do not have much to fear, cybercrime is very prevalent. For example, 76% of respondents in a 2022 case study involving the US, Canada, UK, Australia, and New Zealand said their organisation had suffered one or more cyber attacks in the past year.

Adding to the imperative for organisations to have strong defences is that they are in a position of trust with their customers, and data breaches lead to financial loss, legal issues, and reputation damage. 

Just like with the house, organisations can keep building their defences, but they can never eliminate risk. However, what they can do is follow best practices, constantly assess their defences, and stay alert to new threats. This is the philosophy that has guided Diversity Atlas in maintaining the highest standards of information security—and one reason why we are proud to announce our ISO/IEC 27001 certification for the third year in a row. 

A Lesson from Dover Castle: Defence in Depth 

Cultural Infusion’s Diversity Atlas has been leading the world since 2019 with our holistic data-driven approach to measuring, mapping and analysing cultural diversity within organisations. We are well aware of the importance of protecting our clients’ data by maintaining its integrity, availability and confidentiality.

To understand how Diversity Atlas thinks about security, let us take a historical detour to Dover Castle in England. Dover Castle, often referred to as the ‘Key to England’, is an architectural masterpiece of defence in depth. The castle has multiple layers of protection—first, the deep ditches that surround the outer perimeter. Next, towering walls, providing a formidable barrier against attackers. Even if an intruder breached one layer, they would still face several more obstacles before reaching the heart of the fortress. 

Dover Castle, Photo by Ian Murphy on Unsplash

This concept of defence in depth is exactly how we approach information security. It is not about having just one strong wall; it is about creating multiple layers of defence, so if one layer is compromised, others stand ready to protect us and our customers. 

Our Defensive Mindset 

For us, information security is not just about compliance. It is a mindset—a way of thinking that permeates every aspect of our work. We have built a security culture grounded in vigilance, best practices, and continuous improvement. 

Much like Dover Castle, our defences are multi-layered. We leverage the latest technologies and best practices, and we review our security strategies daily. This ensures that we are constantly adapting to the rapidly evolving landscape of cybersecurity threats. 

Continuous Improvement: How We Keep Getting Better 

A key aspect of Diversity Atlas’s security strategy is the constant refinement of our defences. We conduct monthly penetration tests and vulnerability assessments to identify potential weaknesses before malicious actors can exploit them. These tests simulate real-world attacks, enabling us to strengthen our systems proactively. It is like regularly checking the locks, testing the alarms, and ensuring that big dog is always on alert. 

Patch management is another crucial element. When new vulnerabilities are discovered in software or systems, they must be patched immediately. We have developed an efficient process to ensure that all our systems are up to date, reducing the window of opportunity for any attacks. 

In addition to regular testing and patch management, we are focused on building a Zero Trust environment. The Zero Trust model means that we assume no device, user, or system is trustworthy by default. Instead, every access request must be verified before being granted, making it significantly harder for attackers to move laterally within our network if they manage to breach an initial barrier. 

Facing the Future: Zero-Day Exploits and Zero Trust 

No matter how strong your defences, there is always the possibility of a new, unknown threat—what we call a ‘zero-day exploit’. This is a vulnerability in software or hardware that has not been discovered or patched yet. Like an invisible burglar finding a way into your well-fortified house, zero-day exploits are dangerous because you cannot defend against something you do not know exists—until it is too late. 

That is why we take a proactive approach to security by preparing for the unknown. Our Zero Trust architecture is a key part of that preparation. It assumes that threats can come from anywhere, even from within, and focuses on minimising damage through strict access controls and continuous monitoring. 

Sobhan, our tech lead, explains that security involves regular updates and implementing best practices such as input validation and patch management, which ensures timely updates of third-party packages to mitigate vulnerabilities.

Our DevOps lead Mohsen says a ‘shift-left’ security mindset and continuous monitoring are key to protecting customer data. We secure systems early with encryption, virtual private networks, firewalls, and strict access controls, ensuring our infrastructure is safe and risks are proactively managed.

Nabi, our InfoSec specialist says, ‘Since 2016, we’ve been redefining privacy and security in a global, collaborative world. The future is about deeper insights, greater inclusivity, and unwavering data protection.’

We follow a shared responsibility model with our clients. While we are responsible for the overall security of our platform, our clients and their administrative staff are responsible for the way they use it and their access. All these are listed in our Code of Conduct policy.

Our Privacy Policy also supports our cybersecurity efforts: all data gathered via the Diversity Atlas survey is on a voluntary basis, and all data are fully anonymised and disaggregated with the option ‘prefer not to answer’ available for all sensitive questions. To preserve anonymity, Diversity Atlas requires groups of at least 20 people. Transparency is one of our key values, a vital counterbalance to the opacity that has begun shrouding the big AI models.
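The minimum group size above is the kind of rule a reporting layer enforces with small-count suppression. The following is an added example, not Diversity Atlas code; the response format, treating a blank answer as ‘prefer not to answer’, and the secondary-suppression step are assumptions made for illustration.

```python
from collections import Counter

# Minimum respondents per reported group: the threshold the post states.
MIN_GROUP_SIZE = 20
# Label used for a respondent who skipped a sensitive question.
PREFER_NOT = "prefer not to answer"


def aggregate_by_dimension(responses, dimension, min_size=MIN_GROUP_SIZE):
    """Count survey responses per value of `dimension` (e.g. "language").

    Returns {"total": n, "groups": {value: count_or_None}}. A group with
    fewer than min_size respondents is reported as None. If only one
    group is suppressed, the next-smallest group is suppressed too, so
    the hidden count cannot be recovered as total minus the published
    counts. A survey with fewer than min_size respondents is withheld
    entirely (assumed behaviour, not stated on the page).
    """
    total = len(responses)
    if total < min_size:
        return {"total": None, "groups": {}}
    # A blank answer is treated exactly like an explicit "prefer not to answer".
    counts = Counter(r.get(dimension) or PREFER_NOT for r in responses)
    suppressed = {v for v, n in counts.items() if n < min_size}
    if len(suppressed) == 1:
        # Secondary suppression: hide the smallest published group as well.
        published = sorted((n, v) for v, n in counts.items() if v not in suppressed)
        if published:
            suppressed.add(published[0][1])
    groups = {v: (None if v in suppressed else n) for v, n in counts.items()}
    return {"total": total, "groups": groups}


# Constructed sample data, not real survey responses.
SAMPLE_RESPONSES = (
    [{"language": "English"}] * 30
    + [{"language": "Mandarin"}] * 22
    + [{"language": "Greek"}] * 5
    + [{}] * 3
)

if __name__ == "__main__":
    print(aggregate_by_dimension(SAMPLE_RESPONSES, "language"))
```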

The Importance of ISO/IEC Certification 

Rezza holds our ISO/IEC 27001:2013 certificate

Why is this certification so important? ISO/IEC 27001 is the international standard for information security management. It demonstrates that we have implemented a robust framework for managing risks and protecting sensitive information, whether it is client data or internal resources. Achieving this certification is no easy feat—it requires thorough audits and an ongoing commitment to improving our security processes. 

For three years now, we have passed these audits with flying colours, but we do not take this for granted. Each year brings new challenges, modern technologies, and new threats. The ISO/IEC 27001 certification is not a one-time achievement—it is a continuous process that requires us to remain vigilant and adapt to the ever-changing cyber security landscape. 

Amie Biagooi from Premier Quality Management Consultants (PQMC) put it this way, ‘Our recent work with Cultural Infusion involved guiding them through the transition from ISO 27001:2013 to the new ISO 27001:2022 Standard. This upgrade represents more than just a compliance requirement, it’s an essential step in aligning the security framework with the evolving and rapidly changing landscape of cyber-security threats as well as ever-changing regulatory expectations. By enhancing controls and incorporating a broader risk management approach, the 2022 version of ISO 27001 ensures businesses are better equipped to handle the increased complexity of data handling and protection.

‘Cultural Infusion (and Diversity Atlas), in particular, deal with vast amounts of sensitive cultural information. The revised ISO 27001:2022 standard introduces new focus areas like addressing supplier relationships and enhancing risk mitigation strategies, ensuring that the organisation not only safeguards their own information, but also protects the data that is handled on behalf of clients. By successfully implementing this upgrade, Cultural Infusion has strengthened their position as a leader in the secure intercultural data analysis industry, showcasing their commitment to upholding the highest standards of information security and protection of data.’

Cyber Security Is a Journey, not a Destination 

Just like the Australian house that can never be 100% safe, information security is a continuous journey. There will always be new threats, and no system is ever entirely foolproof. But by following best practices, staying informed, and maintaining a defensive mindset, we can make sure that we are as prepared as possible to face whatever comes our way. 

At Diversity Atlas, we take our responsibility to protect our clients, partners, and data seriously. Our ISO/IEC 27001 certification for the third year running is a testament to our commitment to maintaining the highest standards of information security. But for us, this is just one milestone in a much longer journey. As we look to the future, we will continue to strengthen our defences, stay ahead of emerging threats, and ensure that our ‘digital house’ is as secure as possible.
