Three years ago we secured our first ISO 27001 certification; including the year of preparation, this was more than 4 years ago! At that time our company had around 100 employees, now we are at almost 260. We've seen other growth as well, including the number of clients, the extent of our software offering and the reach of our organization as a whole.
Now, as stipulated in the ISO 27001 certification, we have gone through the first full re-audit of our organization. Looking back, there were some immediate learnings for us:
- Start when you are small: Even though the list of requirements can look intimidating at first, there is an inherent benefit to starting such a project while you are still small. Processes and controls grow with your organization. Implementing security requirements across a bigger organization would have been much harder, cost more and would have taken much more time to complete. Now every new starter can use the tools, read the documentation that’s been put in place and contribute accordingly.
- Take internal feedback seriously: The work does not end with the certification. The real experts sit inside your organization, and they will share valuable opinions and insight into things that might not work as expected. Even though you may not always like what they have to tell you, it is crucial that you listen carefully, try to understand and take their feedback seriously. Security-related issues are easily overlooked, even if you do external tests and audits – internal feedback is incredibly valuable and easily rewarded if your teams can see that you put their feedback into action.
- Publicize the benefits: Also known as marketing! At OX we can easily see that our work in this area pays off. We have been able to win business that would have been otherwise hard or impossible to win. It is a direct benefit that you see in almost every RFP. Something seen by few as a “bureaucratic monster” becomes a key business advantage when positioned correctly!
It is always rewarding to pass an audit process and a big reward for the team that made it possible. Certification has a number of benefits for customers, but most of all it provides reassurance that a service provider has met certain exacting, industry-recognized levels of performance.
I would like to take this opportunity to congratulate all members of the Open-Xchange team for their continued efforts in helping make Open-Xchange and our products as secure as can be.