Last June, so almost a year ago, we started preparations for our certification for ISO 27001 and NEN 7510. Because we are a compact organisation, with a clear service and no sub-locations, this is classified as a simple certification. My experiences provide three tips for your certification.
SecuMailer started in 2016 as a service for organisations that want to be able to email their customers and employees securely. We have many clients in the business services, financial sector and healthcare. All three of these sectors are permeated with quality thinking and generally handle information security very professionally. Also we ourselves, of course. I myself am well versed in privacy legislation as CIPP / E. Meint Post, the COO of SecuMailer, knows the tricks as a security architect with 30 years of experience at the major banks in the Netherlands and the necessary accreditations: CISSP and ISSAP.
So we can do this job well in terms of content, let’s get started. First, we purchased a template set at informatiebeveiligingdoejezo (how you do information security). We started with that and soon we had a well-filled to-do list with at least 30 documents to develop. At first we thought, we just fill that in and fill it in, and then most of it is, but that has turned out differently.
As you delve deeper into the matter, it turns out that all documents link up. So before you know it, you have a knitting that you can’t not drop any stitches on. One of the things that disappointed me was that you don’t just pick up something for half an hour, but that you really have to make time for your to-do list in half-days.
Tip 1: plan blocks of at least 2 hours at a time to work on your ISO implementation, anything shorter will result in “sloppy errors”.
After the first iteration of all documents were create, we started deleting. Because you have many procedures and formal measures, and they have to be made suitable for the organisation. As an example: we have a continuous process for software development (Agile Kanban) with full digital documentation and digital support for the process. This no longer resembles the classic waterfall methods, which were the basis of the template we had.
Version 2 of the software development document no longer resembles the template in the slightest. And that’s a good thing, because now it fits our company like a glove.
Tip 2: Delete all procedures that don’t really work that way in your company. Describe what you are doing, don’t do what the template describes.
After that it was the turn of the workshops for the risk analyses. A great deal of work has also been done there. It is nice that you are going to look at your own processes from a distance. Very educational and the necessary improvements were found in no time. In retrospect, I think this has been the biggest time-consumer. Because you sharpen fundamental insights, you also want to get started with your improvements right away. But it is important to separate that, because then you also grow in your own procedures.
By this I mean, by analysing the risks, you will describe measures and new measures are added. You actually want to include this in your improvement plan and start tackling it. But your ISO system is precisely intended to allow the continuous improvement to take place in a structured way and to become better and better as an organisation. The implementation of the improvements is tackled with the procedures from your ISO system and recorded in the registers and administration thereof. In this way you actually walk through your own ISO and NEN system for the first time, and that is very instructive.
I think this took about 4 months for our organisation and resulted in a usable, tested system.
Tip 3: The first improvement is actually the test drive of your organisation in its new ISO machine!
With these three tips for your certification, we’ve addressed most of our preparation.
“Done!” I thought – just call the consultant, show how beautifully it is furnished and then on to the certification.
Fortunately, the consultant’s first comment was: “Wow, you are the first organisation to do a full implementation based on our templates and get it exactly as I ever envisioned!”
The second comment was: “Shall we make an appointment for an internal audit, you can apply for certification based on that”. Great I thought, 2 dates, and then we are there.
But that was not entirely true. Because it felt just like my graduation thesis again: I had everything in my head and also thought it was written down very clearly. But the auditor felt that a lot of small things still needed to be done differently.
In the meantime I also literally knew all the documents by heart and at the beginning of the question I can already call up a document number in which we can find the answer.
This round lasted a full week instead of 1 day. But in the end, the system had become clearer and even better adapted to our organisation.
Bonus tip: Do the first internal audit with an external consultant, this way you learn to look at your own organisation through “audit” eyes.
And then it was D-day: the certification was about to start.
Robert van de TüV spent three days intensively on location with us, and his overall impression can be summarised with: “You have a lot of work to do, and how well it is put together and between the ears. But it is a bit scary that you know all document numbers by heart! ”
If you could certify cum laude, you succeeded! Good luck with my three tips for your certification!
Groetjes Yvonne Hoogendoorn
CEO SecuMailer