The road to ISO 27001 certification: phase 1 external audit passed

ISO 27001 is an international standard for the information security management system of an organization, the ISMS. This system focuses on the safety of all (digital) data of the organization by continually reducing risks in the field of information security. The standard is used both internally and externally to assess whether the organization complies with the laws and regulations and the company’s own criteria for the safety of information.

Why certify?

We are an ICT service provider. This means that we get to process all kinds of information of our partners and customers. That is why the security of this information is our top priority. By getting certified, we are obliged to continually improve our business processes and services while minimizing information security risks.

ISO 27001 in practice

The concept of an ISMS can be quite elusive for people who have nothing to do with ISO standards. The most important “resources” of a company are the people who work there. That is why the ISMS covers documents such as the personnel guide, the ethical code, the code of conduct, an ICT regulation, an exit procedure, roles and responsibilities and an overview of the professional competence of the employees. In addition, a number of procedures for business operations are important. Think about how information is managed, communication, incident management, investments, change management, and access control and authorizations. Equally important are the objectives of the company, risk assessment, continuity, accessibility and resources, procedures concerning the GDPR / AVG and of course policy principles for information security.

Just documenting everything is only a small part. Processes must be set in place which implement the documented procedures in practice. This means that evidence must be documented which must also be evaluated. To accomplish this, it must be measurable. For example, making estimates of time spent and costs in advance and holding those against the actual spent resources afterwards.

Bureaucracy?

This all seems very cumbersome and time-consuming and it can be, especially in the beginning. It is extremely important to set up the ISMS in such a way that it tailors to the current workflows and that it does not put up all kinds of bureaucratic walls which are insurmountable for the employees. Once everything is in in place, you can really let these kinds of standards work for you. The business processes are crystal clear for everyone from start to finish and everything is measurable and traceable. This greatly benefits the quality of your services and ultimately benefits customer satisfaction. And nothing is more important for a company than satisfied customers, because that’s what we do it for in the end.

How to accomplish such a feat?

Starting on such a standard is a huge challenge, especially for a small company. Fortunately, we have come into contact with KMC Solutions (Dutch). In the preliminary phase, they have supported us with their excellent knowledge and expertise, which enabled us to draw up an ISMS that fits perfectly for our company and works for us.

Initial audit: phase 1 and phase 2

The first audit is done in 2 phases. In phase 1 it is determined whether the organization is actually ready for the certification. The auditor checks whether the requirements in the standard are fully covered in the ISMS. In phase 2, the individual components are examined more in-depth and deviations are registered. When these remain within limits, the company receives the certificate. A period of several months is inserted between phases 1 and 2, because the ISMS must be ready in phase 1 and must have been in use for a while in order to properly audit phase 2.

Phase 1 in the pocket!

On Thursday 6 December an external auditor of Quality Masters came by for the phase 1 audit. He has extensively tested us about the documents and procedures we have drawn up for our ISMS. Fortunately, we were able to answer the questions and we passed Phase 1.

The phase 2 audit will take place on March 1, 2019. Then we will be seriously pulled through the wringer, after which we will find out whether we can start carrying the label ISO 27001 certified.