How do you, as a company, ensure that you can demonstrate that you are treating other people’s data seriously? What is important to our customers? What are our biggest risks? How can we show that our data is secure?
One way to answer those questions is with an ISO 27001 certification. Each ISO certificate that is issued is valid for 3 years. After obtaining our previous certificate in 2016, we have been busy with our recertification in 2019. But what does such a certificate entail, what do you have to do for it, and what do educators and trainers who use our learning platform have to do with it?
Mayella (Legal & Quality) is going to explain that in this interview.
aNewSpring obtained its recertification for ISO 27001 in December. I suppose you’ve been pretty busy preparing for that?
“Yes, that’s right. A recertification is an exciting moment. For us, 2019 was largely dominated by the question ‘Have we implemented ISO sufficiently over the past three years and have we perhaps missed something essential?’.
We have worked hard with many people to be able to answer this question with a firm ‘Yes!’. We are proud to say that we have achieved the recertification for ISO 27001.”
Why did aNewSpring choose to be certified on ISO 27001 in the past?
“About four years ago, aNewSpring was eager to show the outside world that they are a reliable company to work with and that they have carefully set up their processes. Internally this conviction was already there, but without a certificate it is difficult to prove this to the outside world.
More than ever, and certainly with the introduction of the Dutch AVG (the General Data Protection Regulation), the security of data and information is an important factor when someone wants to collaborate with a learning platform, Learning Management System or authoring tool. Our ISO certification makes it possible to say: ‘Look, here is proof that we are a reliable party.’
Since the first certification, we have also made improvements to ensure that all our data and that of our customers is safe.”
How do customers benefit from aNewSpring’s ISO 27001 certification?
“Certification can help customers in three ways: data security, integrity/reliability of information and availability of information.
Data security means that people who are not authorised do not have access to the data. Integrity means that our internal and external data are secure and remain accurate. And information availability is related to the uptime target and response time of our learning platform.”
What have you learned from the ISO certification process?
“I have learned how much the word ‘information security’ really encompasses in reality. It’s a lot more than ‘keeping your desk tidy, keeping confidential information in a lockable cupboard and not disclosing sensitive (company) information’.
As ISO Coordinator/Security Officer it has become clear to me that information security plays a role in the vast majority of our systems and collaboration, such as in collaboration with vendors, employee data, and the (physical) security of the office itself. As such, it also forms an important part of the long-term strategy of our company and is certainly not an isolated activity or role. Continuous improvement is also the basis for ISO and a core value of aNewSpring.”
What does Rickrolling have to do with ISO 27001 certification?
“Haha, that is inside information! When we made everyone aware of working safely, we also instructed everyone to ‘lock’ the computer screen when leaving the workplace. Of course, people sometimes forget that.
When that happens, colleagues seize their chance and turn on Rick Astley’s well-known video on that person’s computer. So, we’ve heard that song a number of times by now! Although I have to say that screen-locking has become very well established by now. Even when I’m working at home and there’s no one else there, I catch myself shutting down my screen automatically when I’m not using it.”
What was the hardest thing about ISO 27001 certification?
“The hardest part remains making sure that all employees are aware of the importance of information security and the processes associated with it, and that this awareness is kept. Of course, everyone prefers to focus on achieving results within their team and the ‘dry’ matter of ISO is then sometimes less exciting.
Our corporate culture focuses on everyone making their own decisions. That’s the way we work. While there are many advantages to our corporate culture, it can also make it difficult to change things. Through awareness sessions and regular security updates, we try to make and keep everyone aware of the importance of ISO 27001, and explain why certain things are crucial – for us as well as our customers.”
What was enjoyable about the ISO 27001 recertification?
“First of all, of course, we achieved this in one go without any major findings.
In addition, it is interesting to see how information security is ‘growing’, as it is not only about having ‘the right lists’ in place. Through collaboration between all teams, the Information Security Management System (ISMS) is becoming a lot more solid and is maturing. The ‘growth spurt’ is of course also accompanied by the necessary challenges, but it is fun to think about this with several people and to work out plans for how we can best overcome this and implement it successfully.”
Is there anything you personally do differently now because of ISO 27001?
“Besides automatically locking my computer screen, I also started using a password management system for private accounts. Before I worked at aNewSpring, I thought it was fine to use a similar password for different accounts or to store it in a (secured) Word document. I really can’t imagine doing that anymore.”
Last question: What are you going to do in the near future?
“The first ISO certification is followed by recertification every three years. ISO expects that each year a company formulates ambitious objectives with regard to making their ISMS (even) more mature and better integrated.
In the coming year, we will work hard to further integrate ISO into all our business units, and we will strive to make it even more of a natural part of how departments work, both within the team and with each other. In addition, we want to focus on how we can use ISO even better as a service to our customers.”
About ISO 27001
ISO 27001 is a globally recognised standard in the field of information security. Our certification shows that aNewSpring complies with all the globally set objectives and measures and that we treat our Information Security Management System (ISMS) and any relevant laws and regulations with utmost care.
All objectives and measures that must be met for ISO 27001 can be found in our Statement of Applicability. Naturally, we can share a copy of our ISO 27001 certificate with you upon request.