EASI's Cloud2be is ISO 27001 certified! I'm asking Geert Van de Steen, our Chief Information Security Officer (CISO), about the road to ISO 27001 and what it means.
It all began with a good idea in 2017, but now we officially received the certificate! Time for a little chat with Geert.
Geert, why was that ISO 27001 certificate so important?
"EASI is growing and attracts larger customers for cloud services. Today those customers demand - and rightly so - a greater degree of security. It was up to us to compete against the big players in the market and demonstrate our maturity in terms of security for Cloud2be. Although we already had quite a few internal procedures, that does not mean much to outsiders as long as you do not meet the official standard."
"This certificate therefore has a commercial advantage, because we can not only confirm the confidence of our customers, we can also fully adapt to the needs of new customers. On the other hand, this certificate demonstrates our maturity. We are very proud of the increased reliability and security of our systems and information."
What were the most important changes that EASI had to make?
"Generally speaking, I would say we have developed four pillars alongside our existing procedures."
"First and foremost, there is the internal training, which should not be underestimated: anyone who starts at EASI gets an onboarding and an exam, but it doesn't stop there. Everyone in our organization is effectively immersed in the ISO atmosphere, because security starts with all of us. That is why we invest a great deal in our own people. With quizzes, information mails and tests throughout the year, ISO remains top-of-mind."
"In addition, we have formal procedures for:
- Managing changes in our systems
- Managing risks
- Managing incidents"
"There are clear procedures for different scenarios in case of an incident. As far as changes are concerned, we now have a clear definition of who has which rights, who can change what, what we log, how we log it, who should approve things ..."
How did you experience the audit?
"We had been working towards that week, so if anything, that week could be considered the ultimate test. You need the whole organization to be able to succeed, so that's exciting. It is really out of your hands at that point."
"That's why I will not soon forget the moment when the auditor decided he wanted to check our terrace, right after the lunch break on a hot summer day. Now, anyone who wants to enter our building needs to identify themselves with a fingerprint. But there are also two sliding doors on the terrace. I was convinced that the doors on the terrace would not be closed. I was so stressed! Afterwards I learned that my colleague Hélène had apparently just been in the refectory before us. She saw the doors were open and had closed them before we came in. That is when you truly notice the strength of your team and the effect of your user-awareness training."
Is EASI now 100% protected?
"No, we are not, but nobody ever is ... Unfortunately, there is just no perfection in this area; you can always strive to improve, but even for those who are 99.5% secured, there is still a risk of 0.5%. Therefore ISO does not require perfection; a report without comments is literally unheard of in an audit."
"They do not speak about major or minor non-conformities; you fail on major non-conformities, which are fundamental changes that you have to make before you can get a certificate. Minor non-conformities are part of life; they are often isolated cases. As long as the auditor notices that you are responding correctly and taking the right action, it is not a big issue."
"In other words, ISO does not certify perfection but excellence, and that is the most we can strive for. That's why I am very proud of our report. The auditors' criticisms were very positive: in total only three minor non-conformities were mentioned, and that is exceptionally few for a first issued certificate."
"For us, the ISO story is a never-ending one. We will keep improving every year in the field of security. This certificate is valid for 3 years, provided that an annual audit is carried out. We cannot afford any bad evaluations, because then we could lose the certificate. That's why we will remain vigilant and continue to persist with our four pillars."