Data security is very important. ISO 27001 is the international standard for information security management systems (best Scrabble word ever!). In short, a large, roughly three-day certification audit takes place once every three years, followed by two smaller surveillance audits (one per year) to check that everything is still in order and that the required improvements have been made.
That's all well and good, but what exactly happens during such an audit and what do we do for it? In this blog, we give you a look behind the scenes.
Task distribution: the four-member 'ISO board' and the rest of the team
The audit is a real team effort. Everyone at Lime Networks is aware of this and contributes to it, from management to the helpdesk and from marketing to accounting. Obtaining the certificate is not a one-off test, but a long-lasting and ongoing process.
The ISO effort was led by four people, three of whom are in management and one of whom is a security expert. Our security expert Maarten had the task of identifying which matters could be improved. He also went through the technical issues with the auditor.
Kelvin, Chief Technical Officer (CTO), focused more on communicating with the employees: "I had to make sure that everyone knew the importance of ISO. As a next step, I was responsible for adapting procedures for the technical staff. This is, of course, something that always happens, but specifically for this audit I communicated this to the employees."
Nathalie, Chief Operations (CO), also had an important role to play in supporting the staff and preparing the documents. "In the past, I set up the entire ISO and ensured that processes were in place. Within the ISO, I am now the process controller and take care of the ISO annual plan."
Finally, our General Manager, Daan, was in charge. He had to make sure that everything was brought to a successful conclusion and kept an overview.
Months of preparations
For the preparations, it was important that everyone fulfilled their assigned roles well. Daan, Nathalie and Kelvin, for example, focused mainly on communication and processes; reviewing and overseeing the individual components was central to this.
For Kelvin, a large part of the preparations also consisted of security meetings. "I had security meetings with everyone who has an interest in part of the ISO project. I asked them whether they had noticed certain things. Think of it as a kind of awareness session. We also have these security meetings a few times a year, but for the ISO we wanted to refresh this."
Maarten mainly focused on going through the documentation with the auditor, such as the infrastructure of Lime Networks and how antivirus was set up. "Everything had to be arranged before the auditor arrived. The auditor gave advice on the things that were arranged beforehand."
So you see: security is extremely broad and comprehensive. In Daan's words: "We are always working on access management - both physical security and IT security."
The audit: exciting and instructive; interesting and refreshing
Then the moment of truth arrived and the audit took place. Our 'ISO team' found it exciting, instructive, interesting and refreshing. It brought us many insights and learning points.
"It really felt like an exam," says Kelvin. "You have that healthy tension, even though you have prepared well." This is also confirmed by Nathalie and Daan. Daan: "With the ISO, you get a new auditor every three years. This was the first year with the new auditor. He gave us a fresh look at things and approached the audit in a completely different way. That was very refreshing and gave us many insights."
For Maarten, the security expert, the audit came at exactly the right moment. "A while ago I took a course related to the security of information and information processes. I am becoming more and more engrossed in IT security. Of course, that never stops, but it's cool to see how I can apply that knowledge to obtain the certificate."
Fortunately, the nerves and all the preparations were not in vain, because we passed with flying colours. Maarten: "The best part was showing the auditor how well we are doing with everything. It felt great to proudly tell how we arranged everything."
Nathalie adds: "For me, the ISO is really a moment to reflect on all the processes. The recommendations are always nice and I enjoy seeing how we can do things even better." Daan agrees: "The end result, the cooperation, the team effort... then I know again what I am doing it all for! Most of the credit goes to others, because everyone is working so hard on this."
What do we take away for the future?
Yes, we have passed! What will we take away with us for the future? The main takeaway was documentation. We are going to improve our documentation on the basis of the ISO standard and migrate our ISO structure to a different tool. This will enable us to work more quickly and efficiently with the ISO. Daan: "We are working on a new system to keep track of everything, in order to introduce more structure and work more efficiently. Fortunately, Nathalie does a lot of that."
Nathalie takes a broader, strategic view: "I am going to work on an annual plan for security. This makes it clear to the entire team which actions must be carried out and when, and we distribute the tasks better. The certification is really a team effort."
And what do we have in our hands? What is an ISO 27001 certificate anyway?
ISO 27001 specifies the requirements for an information security management system: controlling and continually improving information processes so that the confidentiality, integrity and availability of business-critical (customer) information are ensured. With the introduction of the General Data Protection Regulation (GDPR, or AVG in Dutch) in Europe, the rules surrounding data protection have been tightened. This means that our management system for information security must be in order. A breach of personal data not only has serious financial consequences, but also damages our reputation and possibly that of our customers.
ISO 27001 sets out the requirements for information security. If you want to know more about ISO 27001, take a look at our page about ISO.
We provide IT services and products for SMEs! We combine our passion for IT with knowledge and experience to help your business perform securely. We work according to the 'secure by design' principle, whereby the IT security of your environment is central to every process, service or product.