Compliance certification and standards
Useful, necessary or an empty shell?
There are quite a few different certifications: ISO 27001, ISAE 3402, SOC 2, ISO 9001, ISO 14001, BIR & BIG, NEN 7510, PCI DSS, and the list goes on. All are important standards that indicate how processes should be structured and that safeguard the quality of services. For certain target groups, such as the financial or public sector, compliance with these standards is essential because laws and regulations require it. Certification is often also a direct qualification criterion for suppliers in these sectors, who cannot compete without it. Certification can almost seem to be an end in itself, but that misses the point: certification forces an organisation to look closely at its working methods and to take appropriate measures, and in doing so it improves quality as well.
The challenge is to make these standards work for you without becoming bureaucratic or losing flexibility. There must be sufficient leeway for interpretation. A good example, in my opinion, is ISO 27001, the information security management standard. It stipulates that you must take security measures, and lists the controls to consider, without prescribing how these should be implemented. It has consequently served as an excellent checklist for many years. Supplemented with ISAE 3402, under which an independent auditor reports on the design and operating effectiveness of a service organisation's controls, this is a very effective combination: ISO 27001 to define the security measures and ISAE 3402 to demonstrate how they are actually carried out.
For employees the usefulness is not always evident. They just want to do their job, preferably without any limitations. However, if you involve them in the process and explain the reasoning behind such standards, compliance becomes an internal motivator and everyone benefits. For both the client and the organisation it delivers immediate benefits: increased awareness among employees, adequate measures within the organisation and better service provision for the client. Kudos to the colleagues who breathe Security & Compliance day and night. They are often seen as a thorn in the company's side, but they ensure that colleagues take action and that the organisation keeps improving, demonstrating to clients and auditors that it works.
External auditors fulfil their own role, always managing to find 'something' that helps improve and strengthen the quality of service provision year after year. They, in turn, are a thorn in the side of the Security & Compliance officers. The challenge for the Security & Compliance department is to anticipate the audit findings rather than react to them. Both are a solid part of the organisation's overall quality system.
Everything depends on the way in which the organisation handles such standards, implements them, engages their employees and adopts this way of working in the company.
At Solvinity we are committed to the 'Security by Design' principle. This means that everything we do for our clients has a security component: from datacentre access to system access, from simple changes to a completely new IT architecture, and whether we are operating in the public, private or hybrid cloud. Security is therefore part of our DNA, from start to finish. We look at compliance with the same precision. We pass our KPMG and BSI management system audits, among others, with flying colours and are certified in multiple fields.
So, back to the question about those certifications: useful, necessary or an empty shell?
Useful? Absolutely: they force the organisation and its employees to be thorough and precise in their way of working.
Necessary? Absolutely: they provide the conditions needed to guarantee quality to the (end) customer.
An empty shell? Certainly not: the strength lies in continuous quality improvement.
Solvinity's most important certifications and standards are: ISAE 3402 / SOC 2, ISO/IEC 27001, ISO 14001:2004 and ISO 9001:2015.
Would you like to know what Solvinity can do for IT in your organisation? Please contact Rob van Ewijck, Sales Manager New Business at Solvinity.