Written by Protify

Implementation of ISO 27001 at Kreuze from GAP analysis to certification

An interview with Yvo Dolmans


Kreuze decided in 2021 to get certified for ISO 27001, the standard for information security. They wanted to better manage their internal affairs and to respond to market demand, as more and more customers require this standard. Since Kreuze had no experience in the field of certification, they decided, after a selection from several parties, to go with Protify.

Do you want to implement ISO 27001 in your organization? Read how the preparation for the audit and the subsequent certification went at Kreuze, and what tips Yvo Dolmans has.


About Kreuze

Kreuze looks at business communication from a new, broader perspective. They offer customized, integrated communication solutions, from fixed and mobile telephony to business online communication and custom solutions. The choice for ISO 27001 therefore fits well with their services, as dealing with confidential and personal information is part of their daily business.


Start of the project: GAP analysis

In March 2021, Kreuze started the project. Because they wanted to approach the ISO 27001 certification properly, they set up an ISO team of four people: Mischa Walraven (Managing Director), Ceriel Roland (Technical Director), Daan Lambrix (Technical Security Officer) and Yvo Dolmans (Operational Security Officer); HR was also involved. Management gave this team the space and time to take on this task in addition to their regular duties. Together with consultant Danielle de Vaal from Protify, the Kreuze ISO team started the certification process. First, a GAP analysis was performed. This analysis showed that Kreuze had already implemented many components in line with the ISO standard and acted accordingly, but not all of it was documented. The GAP analysis gave them a good insight into what was needed to set up their ISMS.

Yvo Dolmans says: 'Things became visible; you always think you have your IT security in order, but how do you see this? You only see it when it threatens to go wrong. We have learned how important it is to have these things well organized in order to be able to secure and guarantee against unexpected things. As an example, when Corona broke out, we started working from home with all our colleagues overnight. This was possible because we can work location-independently and were therefore not tied to our premises. During the GAP analysis we realized that we had already set this up properly.'


Protify as consultant and project leader

As a consultant, Danielle de Vaal went through the standard together with the Kreuze ISO team. The standard was divided into parts, each handled in a sprint, and the information for each part was gathered through interviews. Based on these interviews, Protify incorporated the information into the ISMS, after which Kreuze could add its own information or make changes. These 'blocks of information' eventually formed a large whole, which served as the basis for the ISMS required by ISO 27001 for information security.


What did you start doing differently after the introduction of ISO 27001? Yvo says:

  • 'We started working even more on security awareness, creating awareness among our people, for instance by carrying out tests with phishing mails.

  • We have improved our documentation by working with classifications, such as secure documents, documents for trusted persons, or public documents.

  • We give employees instructions on how to store documents and on what can and cannot be shared, in order to increase awareness.

  • We make employees think about their actions in terms of security and safety, and about how they should handle documents accordingly.

  • We have included compliance with the ISO rules internally in the assessment of our employees.'

Are there any noticeable effects of your ISO certification yet? Yvo says:

'Yes, we won a tender where ISO 27001 was a requirement and we could now demonstrate that. Of course we have a commercial interest, we have customers in governments and municipalities who require this certification from us. But that was not the main motivation. It is even more important for us to organize the process properly and to know that we have our affairs in order. Eventually more and more companies will demand that you have your security in order. And for us, that is now in good order.'


How is that going now? You set up your ISMS; has your approach changed since? Yvo says: 'The ISO team still exists; we have now created a certification consultation. We discuss issues that have to do with information security, but also the recurring tasks that arise from the ISO standard. The great thing about the tool (PCT) is that you receive a trigger when a task is open. Because this tool works proactively with you, it is also included in your daily process, and you discuss it and act accordingly. It's not like you're working on it every day anymore, as when setting up the ISMS, but it's part of your work. It comes back weekly: what is the status of open tasks, have we had the awareness meeting, what's next on the schedule?'


Do you have any tips for people who want to achieve ISO 27001 certification?

  • Don't underestimate it, and give the employees involved the space to work on this. As the ISO team, we were able to focus on setting up the ISMS and the certification process, which is why we succeeded in a relatively short space of time.

  • Find an expert partner like Protify to explain the ISO material. The subject matter can be quite complex, especially if you have never been in contact with it before.

  • Make sure you make ISO 27001 part of your business process.

  • Do it for the right reason! Not primarily to get more commercial business. Yes, that is a side effect, but make sure it's not the main one!

  • Think of it as a kind of insurance for your organization in the field of information security. It gives you peace of mind, because you carry out checks throughout the year.


How to proceed?

Protify has supported us in setting up the ISMS and made us aware of it. Now we, as the ISO team, will continue this in the organization. Now that we are certified, it really starts. Compare it to a driver's license: after you have obtained it, you really learn to drive.

We do plan to use Protify's services for the next internal audit. You notice that the questions can be very specific, and I think it's too early in the first year to do this all by yourself. So we are happy to be taken by the hand, and we look forward to the continued collaboration.


More information needed? Please contact us if you would like advice on ISO 27001 certification for your organization.
