Let’s start with the news: Sievo is ISO-27001 certified.
We actually got this stamp of approval for our information security practices a few months ago and it gives further assurance to our clients about our levels of security. A formal certificate also helps us Sievonians communicate that we’ve really got these things under control.
The certification process itself was very smooth. So smooth that our auditor commented that this was the easiest audit he’s done in his entire 15+ year career in auditing.
Having information security in control does not surprise me, but I must admit that before we engaged in the process I was a bit anxious. We’ve got a pretty unique way of organizing ourselves at Sievo. There’s a very limited number of formal processes with approval stamps; instead we rely on people making smart decisions and communicating actively. Streamlined processes are great for Sievo – not only are they a way to support our current 40+ % growth, but I strongly believe they are one of the key reasons for our growth. However, I did wonder how this would mesh with ISO-27001 requirements and audit processes.
In the end, the certification was a formality for three main reasons:
- We do have things in control. In the world of information security, this not only means that you do the right thing, but that you retain evidence that this is the case. Even long before the ISO process, we’ve had this mindset. Even if there was – and still is – a lack of formal processes at Sievo, all our actions end up in an audit trail of some kind (whether it’s a huge automated log file, or a set of signatures from people who’ve attended annual information security trainings).
- We have a dedicated ISO project leader – thanks to the many, many Sievonians involved and our auditor partner KPMG that got this right. It’s not about doing stupid things for the sake of a process, but about describing the right way to do things in a crisp and clear way. As long as things get done and there’s evidence, it’s perfectly OK.
- We continually strive to make improvements. Here is an example from a few years ago from a separate ISAE auditing process. In the audit it was highlighted that Sievo doesn’t have a formalised ticketing system. Just one week later we had a ticketing system in place, not just to fulfil the audit requirements, but because it made sense.
The story doesn’t end here, of course. Information security is a topic that requires constant attention, and the ISO process is just one way for us to make sure that we’ve got the right structures in place.