ISO/IEC 27001:2013 is an information security standard that was published in 2013. It’s a specification for an information security management system. To be accredited with the certification, LeadDesk needed to prove that we meet the specified security and documentation standards. In our case, the compliance audit was conducted by Bureau Veritas.
We had carefully studied the requirements and made sure that we would pass the audit before ever starting the process. Only minor changes needed to be made to our software or internal processes during the audit – the biggest improvement was documenting and defining our existing processes, as well as communicating them to everyone. As a result, I think that the process of passing the audit made the entire company think about data security in a new way.
The audit process does not only include the technical staff, but also involves other divisions. Our entire management team took part in the process, so it forced us all to think about how to align and document our cross-divisional processes.
As Information Security Manager at LeadDesk, I’m very happy to see how committed the entire company is to maintaining a high level of data security. Ultimately, data security is not only an IT issue; it involves the entire company. That’s something that our customers need to remember.
Yes and no. I remember when starting at LeadDesk 6 months ago, our CEO Olli Nokso-Koivisto told me that one of my first tasks would be to make sure we pass the ISO 27001 audit. So apparently, it’s been on our roadmap for a while already. That being said, maybe the upcoming EU regulations gave us a bit more motivation to get the audit done at this specific time. In addition, based on the documentation work done for this audit, it is easier to continue the process to ensure 100% compatibility with the GDPR regulations, which we expect to complete well in time before the legislation is in effect.
In the short term, the benefits will not be that visible to our customers. The purpose of this certificate is to ensure that there are adequate processes to lessen the risk of a data breach. Mostly it’s just proof that we’re as secure as we’ve always known we are.
Working with certified tools, like LeadDesk, will also help our customers get certified themselves.
In some cases, having the certification is mandatory, for example if you’re working with large corporations or if you’re bidding for governmental contracts.
Once the new EU legislation is implemented in May of 2018, the certificate will make it easier for our customers to provide the needed data security documentation. ISO 27001 is internationally recognized as proof that software vendors follow the highest security standards.