Acquiring the ISO 27001 certificate – and what it means to our customers
To obtain the certification, LeadDesk has to demonstrate to an independent auditor that it meets the security and documentation requirements of the standard.
This article was originally written in 2018 when LeadDesk first acquired the ISO 27001 certification. Since then, LeadDesk has been regularly reviewed by an independent auditor to confirm and certify that we comply with the standard. LeadDesk was last audited and received certification on 25 August 2023, and the article has been updated to reflect this.
This article is based on an interview with Jarno Tenni, VP of Engineering at LeadDesk.
Jarno is responsible for LeadDesk’s 45+ person Engineering function, which consists of 8 teams in Finland, Sweden and Norway working on product development and application infrastructure. Jarno is also responsible for LeadDesk’s AI project portfolio (reporting to the board) as well as information security (ISO 27001, ISAE 3000 / SOC 2). Jarno is a member of the management team.
The interview was originally conducted in 2018, and this article has been updated regularly as LeadDesk renews their ISO 27001 Certification.
What is ISO 27001?
ISO/IEC 27001:2013 is an information security standard that was published in 2013. It’s a specification for an information security management system. To obtain the certification, LeadDesk needs to prove that we meet the specified security and documentation standards. In our case, the compliance audit was conducted by Bureau Veritas.
ISO 27001 is internationally recognised to prove that software vendors follow the highest security standards.
What did you learn from the audit process?
We had carefully studied the requirements and made sure that we would pass the audit before ever starting the process. Only minor changes needed to be made to our software or internal processes during the audit – the biggest improvement was documenting and defining our existing processes as well as communicating them to everyone. As a result, I think that the process of passing the audit made the entire company think about data security in a new way.
The audit process not only includes the technical staff, but also involves other divisions. Our entire management team took part in the process, so it forced us all to think about how to align and document our cross-divisional processes.
As I am responsible for our data security at LeadDesk, I’m very happy to see how committed the entire company is to maintaining a high level of data security. Ultimately, data security is not only an IT issue; it involves the entire company. That’s something that our customers need to remember.
Is the audit related to EU data protection regulations?
Yes and no. I remember when starting at LeadDesk in 2018, our CEO Olli Nokso-Koivisto told me that one of my first tasks would be to make sure we pass the ISO 27001 audit. So apparently, it had been on our roadmap already for a while. That being said, maybe the upcoming EU regulations gave us a bit more motivation to get the audit done at this specific time. In addition, based on the documentation work done for this audit, it is easier to continue the process to ensure 100% compatibility with the GDPR regulations, which we expect to complete well in time before the legislation is in effect.
What are the benefits for LeadDesk’s customers?
In the short term, the benefits will not be that visible to our customers. The purpose of this certificate is to ensure that there are adequate processes to lessen the risk of a data breach. Mostly it’s just proof that we’re as secure as we’ve always known we are.
Working with certified tools, like LeadDesk, will also help our customers get certified themselves.
In some cases, having the certification is mandatory, for example if you’re working with large corporations or if you’re bidding for governmental contracts.
Once the new EU legislation was implemented in May 2018, the certificate made it easier for our customers to provide the needed data security documentation. ISO 27001 is internationally recognised to prove that software vendors follow the highest security standards.