• blogheader ISO

ISO 27001 certification: 1,000 hours of work, 350 glasses of water, 250 double espressos, 12 packets of syrup waffles and 3 days of auditing... managing secure information is no mean feat!

Tags: |
hours of work
glasses of water
cups of espresso
syrup waffles
auditing days

Data security is very important. The ISO 27001 certificate stands for security of the information process management systems (best Scrabble word ever!). In short, a large 3-day audit takes place in 3 years, after which 2x (1x per year) a smaller audit takes place to see if things are still in order and if the necessary improvements have been made.

That's all well and good, but what exactly happens during such an audit and what do we do for it? In this blog, we give you a look behind the scenes.

Task distribution: the four-member 'ISO board' and the rest of the team

The audit or inspection is therefore a real team effort. Everyone at Lime Networks is aware of this and contributes to it, from the management to the helpdesk and from marketing to accounting. Passing the certificate is not a one-off test, but a long-lasting and ongoing process.

The ISO was led by four people, three of whom were in management and one a security expert. Our security expert Maarten had the task of looking at which matters could be improved. He also went through the technical issues with the auditor.

Kelvin, Chief Technical Officer (CTO), focused more on communicating with the employees: "I had to make sure that everyone knew the importance of ISO. As a next step, I was responsible for adapting procedures for the technical staff. This is, of course, something that always happens, but specifically for this audit I communicated this to the employees."

Nathalie, Chief Operations (CO), also had an important role to play in supporting the staff and preparing the documents. "In the past, I set up the entire ISO and ensured that processes were in place. Within the ISO, I am now the process controller and take care of the ISO annual plan."

Finally, our General Manager, Daan, was in charge. He had to make sure that everything would come to a good end and kept an overview.

Months of preparations

For the preparations, it was important that everyone fulfilled their assigned roles well. Daan, Nathalie and Kelvin, for example, focused mainly on communication and processes. Reviewing and overseeing components was central to this.

For Kelvin, a large part of the preparations also consisted of security meetings. "I had security meetings with everyone who has an interest in part of the ISO project. I asked them if they had noticed certain things. Think of it as a kind of awareness sessions. We also have these security meetings a few times a year, but for the ISO we wanted to refresh this."

Maarten mainly focused on going through the documentation with the auditor. Think about the infrastructure of Lime Networks and how antivirus was set up. "Everything had to be arranged before the auditor arrived. The auditor gave advice on the things that were arranged beforehand."

So you see: security is extremely broad and comprehensive. In Daan's words: "We are always working on access management - both physical security and IT security.

The audit: exciting and instructive; interesting and refreshing

Then the moment of truth arrived and the audit took place. Our 'ISO team' found it exciting, instructive, interesting and refreshing. It brought us many insights and learning points.

"It really felt like an exam," says Kelvin. "You have that healthy tension, even though you have prepared well." This is also confirmed by Nathalie and Daan. Daan: "With the ISO, you get a new auditor every three years. This was the first year with the new auditor. He gave us a fresh look at things and approached the audit in a completely different way. That was very refreshing and gave us many insights."

For Maarten, the security expert, the audit was perfectly planned. "A while ago I followed a study related to the security of information and information processes. I am becoming more and more engrossed in IT security. Of course, that never stops, but it's cool to see how I can apply that knowledge to obtain the certificate."

Fortunately, the nerves and all the preparations were not in vain, because we passed with flying colours. Maarten: "The best part was showing the auditor how well we are doing with everything. It felt great to proudly tell how we arranged everything."

Nathalie adds: "For me, the ISO is really a moment to reflect on all the processes. The recommendations are always nice and I enjoy seeing how we can do things even better." Daan also agrees; "The end result, the cooperation, the team effort... then I know again what I am doing it all for! Most of the credit goes to others, because everyone is working so hard on this."

What do we take away for the future?

Yes, we have passed! What will we take away with us for the future? The main point was documentation. We are going to improve our documentation on the basis of the ISO standard and transfer our ISO structure to another programme. This will enable us to work more quickly and efficiently with the ISO. Daan: "We are working on a new system to keep track of everything, in order to introduce more structure and work more efficiently. Fortunately, Nathalie does a lot of that."

Nathalie draws it a bit wider on a strategic level: "I am going to work on an annual plan for security. This makes it clear to the entire team which actions must be carried out and when, and we distribute the tasks better. The certification is really a team effort."

And what do we have in our hands? What is an ISO 27001 certificate anyway?

ISO 27001 is about controlling and improving information processes and ensuring the confidentiality, integrity and availability of business-critical (customer) information. With the introduction of the General Data Protection Regulation (AVG or GDPR) in Europe, the rules surrounding data protection have been tightened. This means that our management system for information security must be in order.A data breach of personal data not only has strong financial consequences, but also affects our reputation and possibly that of our customers.

ISO 27001 sets out the requirements for information security. If you want to know more about ISO 27001, take a look at our page about ISO.

We provide IT services and products for the SME! We combine our passion for IT with knowledge and experience to help your business perform in a secure way. We work according to the 'secure by design' principle, whereby the IT security of your environment is central to every process, service or product.

Do you also want to work safely?

Frequently asked questions about security

Is your question not listed? 1 email or 1 phone call is enough to get it answered. 010-2121806 | info@limenetworks.nl

We can make your staff aware of risks and risky behaviour. For security awareness we can give your staff a training (external or internal) with a partner who has experience in this. In addition, optionally a tool can be delivered to the workstations that measures knowledge, keeps it up to date and reports to the responsible persons. This way, you get a continuous improvement in risk awareness and avoidance of risky behaviour.

Yes and no. Cloud in itself has no security. Apart from the fact that on the outside (and sometimes on the inside) it is not visible what the physical location of your data is in the whole. But the more fish in the sea, the more fishermen on the water & the bigger the fish, the more effort one puts in to catching it. So it is with valuable data. So a cloud service is a valuable object for hackers because of the large amount of data. Your network is much less interesting.

Wrong. IT is complex and securing it is even more so. So it takes time, knowledge and skill to make you work in it safely - mostly in the background so you don't notice. 20 years ago, passwords were rare. 10 years ago, everyone knew some colleagues' passwords. 5 years ago, MFA was known but little used in SMEs. And we are only talking about passwords. We make IT simple for customers so that secure working becomes feasible and we can minimise your risks.

Retention literally means "to hold on to". With data and backups, retention is a very important factor. It is not only about retaining your data, but also about how much your data changes. If you have a backup every month and keep it for a year, this means that the retention goes back a maximum of a year and can result in a month's loss of data. It seemed like a good plan, but in practice it is not enough. Different backup strategies can make your data retention perform a lot better. In the Netherlands, SMEs are required to retain data that is directly linked to the added value of their products or services for at least 7 years. A backup of no more than 7 years is a big disappointment.

Working safely is a top-class sport. But your employees are not all top sportsmen. It is a complex problem that cannot be solved just like that. Your company has to deliver and your people have to perform. So you need help from someone with experience and focus on safe working. A reliable IT party can be a good starting point. They arrange the basics and help you further with safety, where necessary specifically in your company. For example, with procedures for staff turnover or the physical security of your company.

How secure you work can be measured. With a technical security test or pen test you can always look for weak spots in the security of your IT equipment, software and network. But also your website or developed application can be extensively tested. You can also have a procedural security test carried out. This has little to do with IT; it means testing how secure the actions are within your company. In other words: are your procedures in order?

Call your IT manager. These people will (probably) know what to do, provided they are familiar with the matter. Calling in your IT party, internal or external, is the first step. They will find out where the hack took place, know how to stop it immediately or cut it off and make sure the damage is limited as much as possible. You also want to secure data about the hack, such as log files of servers, network equipment, etc. This way you can also find out what went wrong or discuss this with a specialised security company (e.g. Northwave). This may also be important to see how you can prevent further security breaches and your insurance may ask about it.

Yes, it is. It's all about the purpose of your data and its security. It can range from a data room for sharing data with multiple parties for a company takeover - but also setting up labels on data in Office 365 so that your company and your data are compliant for regulatory or legal purposes. Above all, you must be able to work safely. Efficiently without being at risk.

Heel erg veilig. Dit doen ze door data opslag en het versturen van data te beveiligen. LastPass beveiligt jouw data, verstuurt het encrypted , slaat dit encrypted op en laat jou MFA gebruiken voor het gebruiken van deze data. Jouw inloggegevens en data zijn dus in deze procedure absoluut veilig. Daarnaast hebben ze een helder bountyprogramma voor bugs, waardoor jij en andere gebruikers fouten direct kunnen melden. LastPass blijft dus niet stilzitten totdat er iets misgaat maar werkt continu aan verbeteringen om de veiligheid te optimaliseren.

We believe that customers should own the IT that they have. We make customers aware of the risks they run and the solutions that are available to them. Of course, we point this out and indicate where things could possibly go wrong if you make other choices. We choose to work safely, but we understand your choices. That is how we work together and share knowledge and experience.

Every customer request that has to do with security or rights to data/systems is always discussed with the person in your organisation who is authorised to do so. This may be a member of the board, an IT manager or another director. This way, this is neatly recorded and controlled. This prevents someone from borrowing someone else's password, temporarily accessing a colleague's mailbox or giving an external person access to the CRM software without this being desirable.

Take a network, for example. If you build and manage a network, you have to standardise on security. By minimising the number of variations in the number of solutions, you can spend more time on testing, settings, basic configurations with optimal security, documentation. Also, different configuration options for customers are now much better researched and easier to support and secure. We research different security options and engage third parties to verify them. A setup that is properly standardised and configured reduces security risks and makes installation in the office much faster. We then provide controlled and timely updates to the software and settings. We monitor and measure what happens on your network. This way, it is easier to see when things go wrong. Separating guests, customers and non-company equipment from the company network is also essential to prevent abuse. We regularly review and adjust security for all customers in a single operation through central control. Finally, configurations are neatly stored and backed up. This way, you can immediately install replacement equipment if things ever go wrong. Secure by design' is not a method or a set of measures. It has to be in your DNA. This is how we at Lime Networks make the most complex IT simple.

The AVG is for personal data. In other words, data that you store or process that is directly related to people. Think of name and address data with bank account numbers or, for example, data about sick leave, insurance, remuneration, etc. That you have this data or process it is not the problem. But not thinking about who can see it or who can provide access to it or how it is stored and backed up, that's exciting. By thinking about this and gaining insight, you can design adequate processes.

Het is een anagram die inhaakt op de hoeveelheid moeite die nodig is. Iedereen kan wel een eindje joggen, de een wat verder dan de ander. Maar de marathon binnen de 3 uur is al knap lastig. Oefenen, trainen, techniek, goede spullen, ervaring is jarenlang nodig om dit te bereiken. Met Veilig Werken is dat net zo. Het is geen firewall instellen en antivirus installeren. Dat stadium zijn wij al jarenlang voorbij. Met deze ernst zie je misschien ook in dat jij zakelijk gezien zelf geen tijd hebt om topsport in techniek te bedrijven en schakel je ons in voor deze zaken. Wij zijn getraind, hebben ervaring en gaan voor de medaille zodat jij veilig kunt werken.

That is a sober approach. But with your data, your company or others may be considerably disadvantaged. So always pay attention to how and where you share data.

If you are asked to log in somewhere, do not click on the link in the e-mail. It is that simple. If it's about banking, go to your bank's website and check the message service there. If it's about your documents online from a cloud service, go to your own login page that you know and log in there. If it's about a service from a customer, you can call them to confirm. Never log in with your own data, but only with the data they have provided. This prevents you from clicking on wrong links, accepting wrong proposals or downloading programs or giving permission that is malicious or illegal. It ensures that you are smart.

Take the example of Maastricht University in December 2019. Then a hack with a nasty piece of software rendered the entire university network with most of the server structure and workstations unusable. What was the damage:

  • FOX-IT was called in on weekends, Christmas, New Year's Eve etc. to investigate and share knowledge with the hack, its clean-up and how to recover.
  • A very large proportion of the computers had to be reinstalled. These computers also had to be checked for traces of the virus in parts that you cannot easily see (bios or secret partitions on the hard disk/SSD drive).
  • Almost all production servers and backups locally became unusable. Only reinstallation was going to help for the recovery.
  • A ransom was paid to the hackers to decrypt the network structure/Active Directory (the Volkskrant speaks of tons of ransom).
  • A large part of the servers had to be reinstalled and data from backups had to be restored where possible.
  • In-house and external employees spent many days doing all the repairs... This also happened during the December holidays.
  • The damage to image was enormous. As a company, something like this can also cost many customers or scare off investors.
  1. One backup is no backup.
  2. Zorg minimaal voor drie kopieën van je data, op 2 verschillende locaties waarvan één minimaal beveiligd.
  3. Check regularly that it really works and the data can be restored.

Not always. Sometimes backups also get infected or are not sufficient to get back to work quickly. How much data do you lose? What is the recovery time? How bad is it if the whole company can't work for 24 hours... or maybe longer? Dealing with retention is also important. If you were hacked last week and the consequences only become visible today, do you have enough backups/retention to look back into the past? An employee who left the company last year and deleted or compromised data is also a hack. Can you go back a year with your backup? Finally, you also need to have a plan if things go wrong and see how quickly you can get back on your feet. A continuity plan helps with that.

Dan zijn wij er natuurlijk ook voor je. Stel dat je bijvoorbeeld wordt gehackt, dan zorgen wij er direct voor dat de aanval gestopt wordt en dat logfiles en sporen zo veel mogelijk behouden blijven. Zo kunnen wij zien wat de impact is van de aanval en welke gegevens mogelijk zijn buitgemaakt. Dit helpt vaak in het proces van inzicht of bij de verzekering. Wij werken met standaard procedures waarbij we op een zelfde methodiek aan de slag gaan om problemen op te lossen.  Ook kan het waardevol zijn met forensisch onderzoek. Het zou vervelend zijn als een hack (zonder dat gegevens zijn buitgemaakt) leidt tot een excuusbrief aan al je klanten of leveranciers en imagoschade.

You don't have to. With Bitlocker you can neatly secure the data on your laptop against theft. A stolen laptop is no problem this way and data stays safe. Did you know that we can remotely erase your data in case of theft, provided your stolen laptop or phone is connected to the internet? The decryption codes are stored by us in your business environment so that in case of an emergency or hard disk replacement, the data can be safely read again.

At Lime Networks we work according to the ISO 27001 standard. This means that we have thought about physical and virtual security and have actively set up our processes accordingly. This is improved annually and checked by the TüV. You can read more about ISO here: https://limenetworks.nl/iso We use our knowledge of IT and security to make your environment as safe as possible. From your workplace, your fixed and Wi-Fi network, your servers, smartphones and cloud services.

With MFA you have two ways of identification. This often comes down to login details (username and password) and a code via an app on your smartphone. Someone who has stolen your login details still can't log in to systems or services, because this also requires the code from your smartphone. Have you or your company/supplier been hacked? Then this need not be a problem. We use Microsoft Authenticator for this. The extra login codes are not your own systems but open. With the Microsoft app, you can therefore also set MFA on your Gmail account, your bank, Office 365, supplier of crypto currency or your Apple ID. It is a generic standard.

LastPass provides a safe place for storing passwords, a kind of password vault that you can only access with a master password. It also helps you in your daily work with logging into websites and services. It works on your desktop PC or laptop and on your smartphone. It is free to use. It allows you to work securely with complex passwords so that this becomes very difficult. The paid variant is also useful for business purposes. You can create and manage accounts for a supplier or a social media account, for example, and share these with colleagues or external parties. They can log in (via their free LastPass account) and not see the password, but they can use it. If the account is no longer relevant to others, you can withdraw the permissions individually without having to change passwords.

Dat is lastiger dan je denkt en is niet in een paar zinnen te verwoorden. Wel hebben wij hierover een blog geschreven en die vind je hier. https://limenetworks.nl/spam-of-phishing-mail-herkennen-voorkomen-en-oplossen

You can start by being aware that you want to work safely. This question has succeeded, so let's mention the next easy steps right away. Use legal software! Make sure you have a good antivirus/antimalware solution on your PC (pay for it too; no freebies). Always make sure you have the most recent versions and updates for your system and software. Also make sure you have the latest security patches and updates. Use a password manager (like LastPass; free for private use) and do not use the same passwords for different systems and accounts. Use MFA (multi factor authentication) for all services/accounts that are online. We are far from there yet, but with these measures you are not a low-hanging fruit for hackers and certainly not for the majority of online crime.

Working safely is our top priority. It is not a core value, but an aorta that runs through our company. With 'secure by design', we continuously ensure that our products and our own internal processes are based on Safe Working and are also designed safely. The customer is our focus. We make complex IT matters simple; security and Safe Working are the basis for this.

Als wij uitgaan van een veilige werkplek, dan is het veilig houden een serieuze taak. Belangrijkste is dat de werkplek altijd up-to-date is. Voor het OS, de hardware, geïnstalleerde programma’s, antivirus/antimalware. Door gebruik te maken van Bitlocker en MFA zorgen wij dat toegang lastig is. Met policies voor de firewall en door het gebruik van monitoring houden wij de boel strak in de gaten.

We are Microsoft Gold Partner in three areas, for which the employees of Lime Networks have successfully completed many training courses and for which current customer cases have been approved by Microsoft. In addition, there are many certifications in the areas of security, voice, networking and the like. We work according to the guidelines and standards of our suppliers. Our ISO 27001 certificate without comments also ensures the correct working method and attitude.

With 'secure by design', every choice of product or service is considered in terms of its implications for the IT security of your environment. This means that the highest security requirements are taken into account, such as encryption, MFA, AVG, access control, etc. This ensures that we always stand behind our products and we know about data security and availability.

Ga naar de bovenkant