On 7 December 2016, the BSI Group officially certified Connexys against ISO/IEC 27001. ISO/IEC 27001, part of the ISO/IEC 27000 series, is the internationally recognised standard for Information Security Management Systems (ISMS). It specifies the requirements for establishing, operating, monitoring and continually improving the way an organisation protects its confidential information. Certification means customers can count on Connexys to take a structured and demonstrable approach to securing and monitoring data. As Security Officer at Connexys, I have used this blog to answer the most frequently asked questions about ISO 27001 certification.
What does ISO 27001 certification entail?
Our Information Security Management System (ISMS) describes how Connexys safeguards its own data and the data of its customers. It addresses three themes:
- Availability. How do we ensure that data is accessible and available when it is needed?
- Integrity. How do we ensure that data is accurate, complete and processed in a timely manner?
- Confidentiality. Who can access the data and via which procedures, which data is stored, and for how long?
Why is certification important to Connexys?
Secure data management is a hot topic, not only in the Netherlands but also abroad. Huge amounts of data about ourselves, our customers and their candidates pass through our systems. Connexys believes it is important to handle such data carefully and to the highest standards. We have a long history of strict norms, clear procedures and transparent working arrangements for how data is handled. Dealing with information in a secure and reliable manner has always been an integral part of our services; this certification simply gives all of that an official and internationally recognised seal of approval.
So requirements were quickly met?
Early in 2016, we started preparing for implementation under the supervision of Audit Connect, who specialise in IT information security and audits. The certification process was fairly intensive. We started by creating an inventory of all potential risks. We then evaluated them and described how we would address them, following the Plan-Do-Check-Act (PDCA) cycle.
Annex A of ISO/IEC 27001 (the 2013 edition we were certified against) lists 114 controls, and each of them must be addressed individually. Even when a control does not apply to your organisation, you have to explain why; the justification for every inclusion and exclusion is recorded in the 'Statement of Applicability', and ours sets this out clearly. We already complied with a lot of the requirements, but they had not yet been brought together in an ISMS as the standard requires. Quite a lot of groundwork was actually needed to prepare properly for the final audit. In the end, we managed this together with everyone involved within the organisation.
What will customers notice from Connexys' ISO certification?
Customers can count on us to handle their information carefully and confidentially. We already did this, but we are now tightening our approach wherever possible. One example is stricter password requirements. Customers sometimes find these awkward or time-consuming but, when it comes to security, it is very important that everyone works together to keep data management safe.
What does the certification mean to Connexys?
ISO 27001 certification represents an important step forward for Connexys. The quality guarantee we offer to customers has been strengthened, and we can now meet the additional requirements that certain customers have. It also offers many benefits internally. All procedures have been clearly documented, so everyone knows what is expected of them and what they must do in the event of a security incident. This means we can now work even faster and more effectively. ISO certification also keeps us extra alert: security awareness among all colleagues has improved and we keep each other on our toes.
What can we expect in the future?
We are part of the supply chain that delivers services to our customers. I expect more and more service providers in that chain to comply with ISO standards, which will ensure that data is handled carefully in every phase of the process. At this moment in time, we are explicitly examining the impact of the General Data Protection Regulation (GDPR, known in Dutch as the AVG), which entered into force on 24 May 2016 and applies from 25 May 2018; organisations have until that date to bring themselves into compliance.
Tips or questions?
If you have questions or comments about information security or our ISO 27001 certification, please feel free to e-mail me. I will be pleased to provide further information and am always curious to hear about your experiences and suggestions.