What motivated you to pursue ISO 27001 certification?

Maureen: It started as a requirement for a client before we became INBISCO. After that, information security grew into something that became part of our company culture and image. That is why we have always pursued certification.

Can you briefly explain why this certification is important for INBISCO?

Jesper: The certificate is not the priority. Having an information security system is the main reason why we implement ISO 27001. It helps us to continuously improve our processes around information security.

Maureen: Yes, as Jesper indicates, we do not do it for the certificate on the wall. It is important to be able to guarantee the security and confidentiality of information for our clients. Information security is in INBISCO’s DNA. The audit for certification is an additional moment to test the level and status of information security and to be able to continue to improve.

How did you approach the transition from ISO 27001:2013 to ISO 27001:2022? What steps did you take?

Maureen: In the transition from the 2013 to the 2022 version, we performed a fit-gap analysis. We took the new version, reassessed it from point one and looked at where the relationship was with the 2013 version. From there, we assessed whether the current implementation or control measure was sufficiently aligned.

Jesper: We looked at what changes there were in the standard and the appendix. Based on these changes, we looked at what actions had to be taken.

Were there any specific challenges during the process? And how did you deal with them?

Jesper: The wish was to set up the Statement of Applicability in our own ISMS (Information Security Management System), and in particular our RAS application (Risk Assessment System), instead of in an Excel sheet. We recently renewed our RAS application and the functionalities are now present to create the Statement of Applicability in it. It was a lot of work, but we succeeded.

How did you collaborate with different departments within the organization?

Jesper: Our KPI is that all processes and documents must be assessed every year. The process and document owners therefore had to go through the internal audit again and, where necessary, update their processes and documents.

How do you ensure that all employees are aware of the importance of information security?

Maureen: All employees are involved in the internal audit of our processes. They receive training to work as auditors. This ensures that everyone is involved in the process. Furthermore, information security is part of the mission and vision of INBISCO. This is communicated to everyone who works at INBISCO.

Jesper: Employees were also kept informed before the audit. Management explained what was expected of them during the audit and the developments surrounding the audit were communicated internally.

Have specific initiatives been taken to increase awareness?

Jesper: There are annual awareness sessions. These are organized by different people from different departments and are about phishing or IT awareness, for example. We also ask our employees to register problems and certainly suggestions.

Are there specific learning moments or challenges that you remember during the certification process?

Maureen: Trust your own knowledge. There is still little information available on how exactly to make the transition to the new version. We devised a method ourselves based on the knowledge we had and it has proven to be successful.

Jesper: Understand the changes in the standard and be confident in the actions you have taken.

What do you think are the most important advantages of obtaining the ISO 27001 certification?

Jesper: You are very actively involved in information security. The PDCA circle stimulates continuous improvement.

Have you already noticed positive effects or improvements within the organization?

Maureen: We use the new functionality for our ISMS. It is great to see how our own software connects to the matters that are needed within an ISMS. By using our updated RAS for our Statement of Applicability, we have developed and used another new application within our software. Everyone at INBISCO is enthusiastic about that.

Jesper: Employees think about information security and suggestions are made for improving processes.

How will you ensure that compliance with the ISO 27001 standard is maintained?

Maureen: This is part of the annual plan. This contains the set goals, KPIs and actions for the coming year.

Jesper: We work with random samples, trend analyses, quarterly meetings, management reviews. Furthermore, the reports made in our ISMS are of course monitored.

Are there plans for continuous improvement in the field of information security?

Maureen: This is a recurring part of the process. We are continuously looking for improvements.

Jesper: We always strive for improvements, by going through the PDCA circle and adjusting the KPIs in the annual Security  Plan.

What are the next steps now that you have obtained the ISO 27001:2022 certification?

Jesper: Setting up our new ISMS. We found that certain settings in our ISMS could be improved. For example, improving the workflows and cleaning up irrelevant data. We are also investigating ISO 27017 and CIS controls.

What is your advice for organizations that also want to obtain certification?

Jesper: The goal is to get everyone on board. Management must provide commitment, resources and budget. It is a continuous process, so not a one-off action to obtain the certificate. Using the INBISCO ISMS software can support the implementation and maintenance of an ISMS. And therefore also the achievement of ISO 27001!

INBISCO Secure

We used our own ISMS to achieve ISO 27001 certification. INBISCO – Secure makes managing information about information security policies and practices a breeze. Anyone can easily report deviations and possible improvements, so you are constantly informed about potential threats. The risk inventory can be performed within the system. This allows you to take timely measures.