We are (again) ISO certified!

The last weeks at Jitscale were dominated by the ISO 27001 recertification. The whole organization was turned inside out and all internal processes were audited by an external party. The result? Jitscale passed with flying colours and retains its ISO 27001 certification! This makes Jitscale the first company worldwide that can offer platforms based on public clouds that fully meet the security standards of this certification. In the first quarter of 2012, ISO 14001, ISO 9001 and NEN 7510 will be added.

ISO 27001, formally ISO/IEC 27001:2005, is the ISO standard for information security management. It is essential for organizations that must comply with the requirements nowadays set by, for instance, RFPs. The standard has been published since 2005; it is the international norm issued by ISO and is based on the earlier BS 7799 standard of the British Standards Institution.

One of the things verified in an ISO audit is whether business data is properly secured. This is assessed on the basis of three components: confidentiality, availability, and integrity. Other things that are examined include secured processes, employees who are well informed about all agreements, and the handling of security in general. An organization is tested, questioned and checked endlessly on 15 different matters. And the auditors go the whole hog. In general, organizations have most things internally secured just fine, but information also needs to be traceable and retrievable within 10 seconds. This means an organization needs to work with a shared folder structure in which everything is filed in good order and of which all departments within the company are made aware. It also needs to be monitored whether the latter actually happens. A common pitfall is that organizations go too far in structuring information and thereby lose their overview or flexibility. It is, all in all, quite a job to become “ISO audit ready”.

ISO certification can be essential to maintaining competitiveness, cash flow, profitability, compliance with laws and regulations, and the image of an organization. Besides, obtaining ISO certification is an interesting marketing tool, as it is concrete proof of the good quality of an organization’s internal structure: a visible sign that inspires extra confidence. Plus, and perhaps even more importantly, an ISO certification also indicates an organization’s level of maturity. A new company, or for example one with fewer than 10 employees, will not be able to deliver job profiles, business emergency plans, codes of conduct, CRUD matrices, security policies, templates for different documents, and incident reports.

Obtaining a certification is no mean feat. Retaining one isn’t either. Each year, an audit based on the previous year’s report takes place, and every three years a new blind audit is performed in which all issues are discussed anew.

Still, there is a lot of criticism of the ISO 27001 certification. Some people claim it is just a ‘paper’ audit. “You can even have a rubber ring made of stone certified” is an oft-used example. In other words: as long as you describe and define it well, the certification is yours. It supposedly reveals nothing about the quality of an organization’s work, only that it has been put down in writing. Even though an ISO audit is mainly about verification of information and defined procedures, the auditors really do look for ‘proof’ as well. Employees are questioned and spot checks are done. “It says here that management meets 12 times a year. Can you please show me the minutes?”, “Please demonstrate your current fire drill”, etcetera. Understandable, of course. How else are they supposed to test the certification?

But it can never work without deliberate strategic choices, the necessary management commitment and attention to the importance of information security. Obtaining and maintaining the ISO 27001 certification is something you strive for because you care, you can, and you want to. Not just for the sake of having it.
