ISO 9001, here are your new friends, ISO 27001 and NEN 7510
At Four Digits we strive to constantly improve, and document our processes. Being ISO 27001 and NEN 7510 certified was the logical next step.
10 Years ago
At Four Digits we want to work using certain guidelines and structure. To ensure quality we decided to get ISO 9001 certified 10 years ago, in 2009. ISO 9000 is a family of standards for quality management systems. It's maintained by the International Organization for Standardization.
ISO 9001:2015 specifies requirements for a quality management system (QMS). Among the requirements is a set of procedures that cover all key processes in the business, such as:
- Monitoring processes to ensure they are effective
- Keeping adequate records
- Checking output for defects, with appropriate corrective action where necessary
- Regularly reviewing individual processes and the quality system itself for effectiveness and facilitating continual improvements
10 years later
We wanted to expand these 10 years of ISO 9001 with proper certification for Information Security Management. Information security management (ISM) describes the controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability and integrity of its assets against threats and vulnerabilities. As a software development company, awareness of security and of the information we are dealing with is of the utmost importance.
Two certifications that mainly focus on Information Security Management are ISO 27001 and NEN 7510. ISO 27001 focuses on information security in general, and NEN 7510 focuses on information security in the health care sector. Think of NEN 7510 as an extension of ISO 27001 with extra rules.
Implementation
In August of last year we started with the project. Our first step was creating a plan of attack. We decided it was more efficient not to start this on our own, but to see if a consultant could help us with understanding and setting things up.
For this we worked with Patricia Kaak of Quality In Motion. She checked what processes, documents and workflows we already had in place. Based on that we discussed what our vision of Information Security Management is and how to achieve it within the current QMS.
We applied the standards and used them in our own way within the company.
The writing starts
Everything you do on Information Security has to be documented. We created our Information Security Policy, which is the heart of the ISMS. Within Information Security we already did a lot of things, but we had never written them down in a policy context. After the policy was completed we started to work on all the other sub-elements, such as definitions, our Statement of Applicability, risk assessments, controls and so on. The first draft of the ISMS was born!
Review one
It was time for the first review of the ISMS. We asked our external consultant to do a thorough review of the whole ISMS. After this process she had great feedback and improvements, and also told us which parts we needed to work on or were missing at that time. We implemented the feedback shortly afterwards, while it was still fresh in our memories. Second draft is go!
Team involvement
Second draft of the ISMS ready? Well, we are ready for the first part of the external audit then, aren't we?
Guess again! Everybody in our team started to read the second draft, and there were so many questions and discussions about how we should manage information security. Over a hundred suggestions, rewrites and improvements were brought up by the whole Four Digits team.
This is really a good thing for many reasons:
- Everyone really took the time to read it properly and to understand the material
- Improvements are always welcome
- Quality absolutely rises
- Lots of questions were answered, misunderstandings clarified
I would like to thank everyone for their input and strictness. Now it's really something which is ours! All the feedback was processed, and we were ready for phase one of our certification: the Document Review.
Phase one: Document review
In this phase an external auditor asks all kinds of questions about the ISMS documentation, especially about the policy. After the interviews the complete system is read and reviewed, and the findings are written down in a report.
Controls: Recurring tickets
A major factor in most ISO standards is: "Say what you do, do what you say". Yes, of course we can say we do everything within Information Security, but you also have to prove it. To check the different aspects of NEN 7510 and ISO 27001 we decided to expand the ticket concept of our ISO 9001 implementation. Every control is defined in a ticket, which contains its status, information and priority. For example, if we check certain access levels of a system, this has to be documented within the ticket. Tickets are reviewed in every audit; using this process we can determine whether we are doing the right things, and the controls can be adjusted if needed.
Phase two: Internal Audit one
After the document review it was time for our first official internal audit. We already did internal audits for our ISO 9001 certification, and now we include both new certifications in our audit. The purpose of an internal audit is:
- Checking the compliance level with ISO 27001 / NEN 7510 after the implementation project: determining whether there is conformity between the management system and the standards, and identifying positive points and points for improvement.
- Determining whether the management system is able to make the organization comply with applicable regulations.
- Determining whether the management system is effective in ensuring that the organization can reasonably expect to achieve the objectives set.
After conducting the audit, a complete internal report was written and presented to the team. We used this to make improvements in the ISMS, so that we were ready for the official external audit.
Phase three: External Audit by DNV
The moment was here: the official external audit. Everything was in place, but still you never know what's going to happen. DNV was at our office for multiple days, interviewing almost everyone in the company and checking the documents, controls and policies. Every day the focus was on a different area within the standards, and since it was the first audit, everything was checked thoroughly.
During this audit they noted several observations (which are improvement points), but none of them was a non-conformity! The auditor recommended us for official certification.
Certification
After a period of time the work of the external auditor was checked externally, and that review also approved everything. This August we got ISO/IEC 27001:2013 and NEN 7510-1:2017 certified by DNV GL.
We are very happy with this team achievement. I would like to thank everyone who participated in the process!
Next up, internal audit two :) Let's see if we also manage to keep this up over time.