An interview with Fleur Dobbelsteen-Muit
Emprover obtained its certificate for ISO 27001 certification in May 2023. When they began this process in 2021, they had no knowledge of certification and therefore went looking for a partner who could guide them in this process. In an interview, Fleur Dobbelsteen-Muit talks about how Emprover went through a professionalization process, gives tips if your organization is looking to get certified and talks about how this project went for them and how information security has taken a central place in our business operations.
About Emprover Emprover activates and secures strategic engagement in organizations by structuring development methodically strong and permanently visible. Emprover helps teams and organizations, both in the public domain and in SMEs, structure work and connect work to strategic ambitions. So that strategic engagement is secured, collaboration is improved and job satisfaction is enhanced. Emprover offers digital proven working methods, which are often based on agile thinking. Which method they apply depends on the target group, organization and what it should be applied to. The work the team has to do and how they (want to) work together.
"Our great love is to have all employees in an organization participate in thinking about strategy in an organization. So that the job satisfaction of employees is increased, they get hooked and really feel 'this is what I want to contribute to'."
In addition to services to improve collaboration, Emprover also provides digital support in the form of an app that allows organizations to work visibly with each other. This app is also called Emprover this is a digital tool, which allows organizations to work very visibly with each other on the goals they have set together. Because they use a software tool for their clients, information security is important, which is why they opted for ISO 27001 certification.
Emprover's team consists of about 20 people consisting of consultants and developers. The certification team consists of Jan Nouwens (director) with the role of technical security officer, Fleur Dobbelsteen-Muit operational security officer and Mitchell van Gerwen of Pearl-IT is involved as an external party to support mainly the technical area, including Microsoft 365 and Azure.
Why Protify?
Emprover had no knowledge of certification yet and therefore decided to look for a partner who could guide them in this process, so that the ongoing (customer) work could continue. After talking to three parties, the choice fell on Protify. 'We immediately had a good click with Danielle de Vaal and the pragmatic approach appealed to us. Danielle and Eveline are good at understanding the work within a small organization and made it clear how information security could be part of this. says Fleur.
'We definitely needed Protify, because without them we really wouldn't have made it.'
Why chose ISO 27001 certification?
'We find information security very important and noticed that our public customers, because of the Baseline Information Security Government (BIO) often also want to see certain standards confirmed. Our customers' data needs to be secured, because of course we absolutely don't want anything to end up on the street. That's why we felt it was important to be able to record it in a more professional way. And to demonstrate to our customers, that we have arranged this in a good way.' indicates Fleur.
Emprover is an online application where customer information is stored digitally. Therefore, it was important for them to secure this data and keep it safe. The information security standard is then a logical choice.
Internal organization: annual planning and improvement cycle
Emprover has a bi-weekly 'circle consultation' called: 'working on the store'. This consultation focuses on strategy and internal processes, where information security is a fixed agenda item. During this consultation, tasks are divided and what has come in is discussed. Emprover works in periods; cycles of three months, what has been achieved, what successes have been achieved and what are the points of attention for the next cycle? The tasks following from the consultation are placed in their own tooling and are part of the annual operational planning, which along with task management are housed in their own system. The PCT is used for risk analysis and policy documentation, and links have been established with the PCT from Emprover.
Continuous improvement
Emprover grew rapidly during COVID, so they wanted to pause and take a good look at their own operations. ISO 27001 certification makes you take a close look at your own operations and determine where adjustments are needed. ISO 27001 talks about continuous improvement and fits Emprover perfectly, as it is woven into the methodology they teach their clients.
The certification process ensures that you hold things up to the light annually, see if it still fits or works and take measures when necessary. Precisely because information security is standard on the agenda, you can no longer avoid it.
Have any things changed in operations because of certification? 'Absolutely! What I hadn't realized are the rules around your employees and staff you hire. The management measures related to (hiring) staff, indicate that you have to monitor them, but you also record getting in and out of service. So being aware of information security and your employees. Now we have recorded this well and this is also provided to the employees, which again makes them more aware of their role.'
Fleur further indicates, 'The management review is good for our own process as well as the supplier review. We have been working with our developers since 2016 and because we now have good input from the supplier assessment, we have more substantive consultation with them and you go more into expectation using the supplier assessment template. We are now more aware of what issues to include in terms and conditions in discussions with our suppliers. All in all, this has led to a more mature and professional management, which fits well with the growth we have experienced as an organization.'
Tips for other organizations chosing ISO 27001 certification
Be aware of the policies you write, that you must be able to review and monitor them.
Make several people from your organization responsible.
Set aside a "fixed" half day per week for activities arising from certification.
Don't try to "push it through" your organization in a short period of time. Quality will improve if you really put some things on hold for a week.
it's nice working with Protify. They are very flexible. They always answer my questions. They try very hard to empathize with where you are as an organization. We get practical tips, I like that.
Looking for the expertise partner for ISO27001 certification just like Emprover? Contact us and we will be happy to tell you more about the possibilities for your organization.