The added value of ISO27001 certification
ValueBlue was awarded the ISO27001 certificate in 2019. This type of certification is awarded for a period of three years, so it will remain valid until 2022. However, a renewal audit is held every year to ensure that companies still comply with the specific requirements for this certification. Tom de Ridder (CISO) and Jordy Dekker (COO/CTO) explain what this audit involves and why it is so important.
“Two external auditors from auditing company DNV-GL spent a day in the office and interviewed everybody connected to our ISO certification procedure. They asked us questions about our information security and about how we comply with the requirements.”
“We answered their questions using our Information Security Management System (ISMS). This system includes links and all kinds of documents and information about how we work with information security and which processes and tools we use. Needless to say, we’ve recorded all of that information in BlueDolphin.”
DNV-GL is impressed
“During the audit interview, we explained what we do, displayed the processes and showed the auditors what we have recorded. The great thing about our ISMS within BlueDolphin is that everything can be retrieved on the spot. If the auditors ask a critical question about our software development policy, for example, the description of this process in our ISMS includes a link to the document in which that policy is described. You can display it with just one click.”
“The main thing that the auditors scrutinized is whether the management system is working properly in terms of information security, whether the tools we use do what they’re supposed to do and whether the reporting is up to standard. The DNV-GL auditors clearly saw the added value of our product and described it as a fantastic, useful solution that quickly leads users to the information they need. You don’t have to search for the information because everything is based on logic. The auditors concluded that the information in BlueDolphin is stored very conveniently and that it provided clear added value during the audit. There was no doubt that they were impressed with our ISMS,” says Tom.
This type of audit is also very valuable to us
Jordy adds: “That added value doesn’t apply just to them. The frameworks and guidelines that we have to satisfy for certification force us to structurally improve our organizational structure and processes. In the first place, we want to have the stamp ‘ISO certified’ so that our customers can see that we work safely. But while we were recording the information, we also encountered areas of focus in which we can and must make improvements internally. The follow-up to our continuity improvement plan was a point for improvement for us, for example. We do follow up regularly, but we need to do it constantly. That’s needed to improve. We’d have never found that out if we hadn’t made it visual.”
“We then decided to make ISO part of our strategic roadmap, so it’s now included in our annual plans just like our features, marketing, DevOps, sales and G&A. This forces us to actively target areas for improvement. And it’s helping us increase our efficiency and professionalism. So this type of audit is very valuable to us as a company because our customers will also ultimately benefit from it,” says Jordy.
The conclusion we can draw is that we’re proud that the DNV-GL auditors are impressed with our product, but we’re particularly delighted that our ISO27001 certificate has been extended. We’re still in compliance with the international standard for information security. That proves that we structurally control the quality of our internal organization, processes and technology, and that the quality of that control is and will remain at a high level.