Do you know your ISO from your GDPR? Would you struggle to tell data protection and information security apart in a line up? Well, you aren’t the only one. Whatever function you’re in - from HR and internal communications to IT or the C-suite - secure information management has no doubt added an extra layer of challenge to your working life.
To celebrate Speakap being awarded with ISO 27001 certification, we caught up with managing director and co-founder Patrick van der Mijl as well as chief technology officer Bart van Wissen to discuss what ISO certification means and to pick up some handy tips for companies currently tackling the big question of information security.
Why are data security and information management such trending topics right now?
PATRICK: The recent introduction of the General Data Protection Regulation, of course, has made these hot topics, but there also seems to constantly be high profile breaches and scandals in the news. At Speakap, we’ve always held the view that our customers should own their data, and thus have always fiercely protected data privacy, so we see the increased attention on these topics as being great for all companies and consumers.
And at Speakap, we’ve gone a step further than mere GDPR compliance and recently been granted ISO 27001 Certification. What does the certification process involve and what does it mean for our clients?
BART: Although Information Security has always been an important aspect of all processes at Speakap, as the company grew, the need for a formalized Information Security Management System (ISMS) became more and more clear. Over the past few years, we’ve documented procedures and policies, setting up regular checks and audits. We've also reviewed our systems and assets and assigned owners with specific, documented responsibilities. Finally, we've introduced a risk assessment procedure, which helps us to direct our efforts when it comes to improving and implementing information security controls.
Having an ISO 27001 compliant management system definitely helps us to comply with regulations such as GDPR, but it also ensures that we fulfil our contractual obligations with clients and suppliers.
So, what steps should companies take to make sure their internal comms and HR tools are secure?
PATRICK: There are three main things to consider:
- Check whether the software vendors who have access to your employees’ data are compliant with GDPR. As a data controller, you are directly responsible for what happens with data collected from your employees. In short, the buck stops with you - not your provider.
- Do those vendors have additional security credentials? It’s a good sign when they comply with international security standards like ISO 27001. If they follow these standards, you know that they have an Information Security Management System in place.
- Make sure you sign Data Processing Agreements (DPA) with them. If the software vendor has presented some reasonable proof that they’ll provide a level of privacy appropriate for your employees’ data, get a DPA in place. It should specify the data they have access to, the scope of use of that data, and any existing compliance plan that might be in effect.
Thanks for the in-depth info gents. Any final advice?
BART: Don’t follow this advice now and then forget all about information security and data privacy. This is a landscape that’s shifting and it’s vital both you and your solutions providers work hard to stay ahead of the game.