Crystalloids began the ISO 27001 implementation process in 2020 and received their certification in 2021. Last week we successfully passed the ISO 27001 External Audit with no significant findings identified. How did we achieve this?
In a recent interview, Ronnie Bathoorn, Crystalloids’ information security officer, sheds light on the purpose and process of such audits and how the ISO certification sets us apart from many other small businesses.
“Our organization deals with significant amounts of customer data, particularly in marketing. ISO 27001 certification assures our customers that information security is our top priority. The initial request for certification came from one of our ISO-certified customers, as it builds trust and improves collaboration with other certified organizations. Their request motivated us to pursue ISO certification and align with their standards.”
“The main objective of the audit was to obtain and maintain ISO 27001 certification. To retain the certification, organizations must undergo an annual audit. The certification ensures that the company has implemented robust information security policies and measures to safeguard sensitive data.” Ronnie explains.
“The audit is conducted by an external company called Brand Compliance, which is a certified auditor. They visit the company's office to assess compliance with ISO 27001 standards. The audit includes evaluating physical security measures, such as access controls and entry procedures, along with other aspects of the company's information security practices.”
“We have set the rules for office access control. Entry to the office is restricted by key fobs and access is granted based on an onboarding process. New employees receive a tag to access the premises, and when an employee leaves, they return the tag. The company maintains detailed records and procedures to track access authorization, which is reviewed during the audit.
Our information security applies to everything we do with data internally or externally. When starting work for a new customer, we request access to their data. Similarly, when we stop working with a customer, we have an off-boarding process in place to ensure that access is revoked. This practice ensures that only authorized individuals have access to the data, minimizing any potential risks.
All our MacBooks are encrypted, and we have recently installed software to verify their encryption status. This step ensures that if a MacBook is lost, the data remains secure and inaccessible to unauthorized individuals. Encryption adds an extra layer of protection, as without the login credentials, the data cannot be accessed.
We also have a change management procedure which means that before the software is pushed to production, it is tested. If the deployment to production fails we have a way to roll back to a previous version.”
“Businesses get enhanced security, trust, compliance, risk management, streamlined processes, and a competitive edge. Crystalloids' certification ensures strong information security measures, giving customers confidence and reducing the risk of data breaches. It also helps businesses comply with regulations and protect sensitive data.
Our certification streamlines internal processes, ensuring customer data is kept confidential, intact, and always available. Partnering with Crystalloids shows a commitment to security and gives you a competitive advantage in the market.”
ISO 27001 is a vital framework for organizations seeking to establish a robust information security management system. By implementing ISO/IEC 27001, businesses can enhance their information security posture, achieve regulatory compliance, build trust with stakeholders, and gain a competitive advantage. While the certification process may require effort and dedication, the long-term benefits make it a worthwhile investment in securing valuable information assets.