🔓 Achievement unlocked: ISO 27001 transition completed
Four Digits is ISO 9001, ISO 27001 and NEN 7510 certified. By achieving these certifications, we improve our internal processes and our way of working. As a result, we deliver more tangible value to our customers. A new version of the ISO 27001 standard was released in 2022. Time to pick it up and implement it within our company.
In 2009, we started the ISO 9001 (Quality Management) certification, and it is still relevant today. After ISO 9001, we added ISO 27001 (Information Security) and NEN 7510 (Information Security in Healthcare) to this list of certifications. So far, it has given us more structure, standardisation and awareness on many topics within our company. It is part of the onboarding process, part of the corporate culture and aligns with our vision of continuous improvement.
👷🏻 ISO 27001: Gap Analysis and Transition project
At the beginning of the year, we decided to make the new version of the ISO 27001 standard part of our annual plan. To map out how to move to the new version, we created an annual plan goal to perform a gap analysis:
- What has changed in the new standard, how do we map it out?
- How will we practically incorporate this into our already existing ISMS?
- How do we check that we are complete?
The standard itself has 11 new controls, 58 controls have been updated and 24 controls have been merged. We started looking at how to implement the new standard in a practical and workable way. The standard was purchased from the NEN and read. In doing so, we looked at what has changed in the standard itself and then started identifying and describing everything we needed to change in our already existing ISMS.
The various discussions and analyses eventually translated into an internal project. We created a complete overview of the steps we needed to implement and implemented them one by one. After internal checks and various feedback rounds by our team, we were ready in time to have this version included in the upcoming external audit. Ultimately, this resulted in a completely new ISMS including the associated controls. The new standard is easier to follow and more logically structured. As a result, onboarding time has also been reduced and information can be found more easily.
⏳Audit time
From 15 July to 18 July, it was again time for the external company audit by DNV, this time for the recertification of ISO 9001 and the adoption of the new ISO 27001 standard. The four-day external audit, conducted by DNV auditor Paul ten Holter at our office, was open, pleasant and successful.
DNV drew up a standardised working method, with the audit itself being an interaction between Paul and us, in which several Four Digits people were interviewed on a wide range of topics. This leads to good conversations where, apart from testing against the standards, improvement is always a main topic. We always appreciate this about the sessions too, so well-deserved compliments to our auditor Paul. The various conversations move back and forth between topics.
These topics include: information security, HRM, ISMS, marketing and sales, quality management, internal audit, project management, operations and software development. The different topics were scheduled in time-boxed blocks on four different days.
☀️ Close out: Audit results and conclusions
After these four days the audit was complete, and once the initial report had been written, the audit was closed out in a debriefing session. The overall tone of the report is very positive, and it identifies many strengths that we can be immensely proud of. Some highlights include:
- Transition structurally addressed, gap analysis created and ticketed in JIRA;
- Information security policy gone through, and the interpretation of all controls checked and adjusted where necessary, in line with the VVT/SoA;
- Four Digits' team is highly involved in the further optimisation of the QMS/ISMS and remains critical of its own processes to improve them;
- Project management: clear and straightforward project approach and execution;
- Software development: excellent planning, execution and monitoring in various tools, records of code reviews and testing; the in-house developed CookieCuttr tool is used to set up standardised development environments.
This brings a high level of control, and the ISO 27001 transition has been structurally implemented and is complete!
🚦Room for improvement and a green light
There are also a few observations: areas for improvement that we will work on in the coming period. These are all very welcome additions and improvements. We had no non-conformities at all, which means a positive recommendation has been issued.
This means: we are certified! 🎉🎉🎉 Happy days.
🙏🏻Thanks
Thanks to my colleagues Coen, Maarten, Stefanie, Franklin and Maikel for the interviews and discussions. Thanks to the whole Four Digits team for always being so critical and providing feedback to improve the ISMS. My special thanks to Paul ten Holter for another pleasant and well-organised audit and his always positive approach.
🚀 Added value for our customers
By achieving this certification, we are not just enhancing our internal processes; we are also providing tangible value to our customers by safeguarding their information and building a stronger foundation of trust. ISO 27001 requires regular reviews and updates of security practices, ensuring that our company's approach to data protection evolves with emerging threats, which benefits our customers in the long term. Want to work with us? Please don't hesitate to contact us.