What Rickrolling has to do with our ISO 27001 certification [Interview]
By: Corjan Bast
Content Marketeer – aNewSpring
What’s key for our customers? What are our biggest risks? How can we show that our data is safe? These were some questions that Marlijn van de Kerkhof wanted answers to as part of our ISO 27001 certification journey.
Marlijn is our Process and Quality Assurance Manager. She pulled it off: aNewSpring was ISO 27001 certified before the end of 2016. I recently sat down with her to dive into the how, what and why of our newly acquired ISO 27001 certification.
Marlijn, I take it that it has been a busy time for you?
Indeed, it has! We already had plans to go for our ISO 27001 certification two years ago, but we only decided to go for it in the spring of 2016. We were shooting for having completed the certification process before the year-end. It was a challenge, but with a lot of hard work we were able to get the job done.
Why did aNewSpring choose to certify against the ISO 27001 certification?
Internally, we were confident that we were a reliable company to work with. We have carefully designed our processes and continue to improve them. But without a certification, it’s hard to prove this to the outside world.
When people are looking for a learning platform, LMS or authoring tool, security of the data is an important factor.
The certification enables us to say: Look, here’s the proof that we’re a trusted party.
Having gone through the certification process, we’ve also identified some improvements to ensure that all of our data, and the data of our customers, is secure.
What did you learn from the ISO certification process?
The project initially started as a client request but when we learned more about ISO, we realised that the certification is all about making new improvements part of your process. That is actually something we strongly believe in. Continuous improvement is the basis for ISO and a core value of aNewSpring!
Can you give me a couple of practical changes you’ve made because of the certification?
- We introduced a clean desk policy.
- We’ve made everyone aware of what needs to be done. See the previous question.
- We introduced a visitor log.
- We’re frequently changing the alarm codes and wifi logins.
- We strictly review our suppliers.
- All equipment is labeled, e.g. computers, projectors and phones.
- The customer success team checks whether the customer on the phone is the actual person they say they are.
- The development team has encrypted the source code of our platform on all laptops.
How do customers benefit from aNewSpring’s ISO 27001 certification?
The certification can help customers in three ways:
- Data security
- Integrity of information
- Availability of information
Data security means that the data cannot be accessed by people who are not authorised. This even goes so far as cleaning flip charts at the office in case of sensitive data. Integrity means that our internal and external data is and stays accurate. Availability of information ensures that our platform meets an uptime target and a set response time.
What does Rickrolling have to do with the ISO 27001 certification?
Haha, that’s inside information! Well, when we were making everyone aware about working securely, we also instructed everyone to lock their computer screen when they left their work station. Of course, sometimes you’d forget. Someone at the office decided that anyone who forgets will come back to a computer that’s playing Rick Astley’s video “Never gonna give you up”. So yeah, we’ve heard the song quite a few times!
What was the most difficult part of the ISO 27001 certification?
The number one thing that was most difficult was getting people to change the way they work. Our company culture is one that relies on everyone to make their own decisions. That’s how we operate. While there are many benefits of our culture, it can make it difficult to change things. We did overcome this by informing, convincing and explaining things, often!
What was fun about the ISO 27001 certification?
That we made it! Woooow! Runner up is our Risk Astley process!
Is there anything at home you do differently now because of ISO 27001?
Yes, I realized I had quite a few passwords for some of my internet accounts which I hadn’t changed in forever. Also, I’m the treasurer of the home owners’ association of the apartment complex I live in. It had been years since we last changed email passwords.
OK, great answers so far. Final question: where do you go from here?
Well, we are working hard to find a new HQ in Rotterdam, as we’ve outgrown our space. Of course, our new office also needs to meet the ISO 27001 standard. Hopefully we can update you about our new place soon!