22 December 2022

‘ISO 27001 certification solid basis for information security’

Since 1991, Dutch company H&R Business IT Solutions has been supporting organizations in developing and managing their complete IT environment. The Utrecht family business offers an extensive service portfolio to this end, varying from consultancy, project management, implementation and migration to workplace design and data and cloud solutions. Personal service in a business that is becoming increasingly impersonal: that is H&R's motto. This includes handling customer and company data in a responsible and confidential manner, which is why H&R recently certified for the ISO 27001 standard with Kiwa. Project manager Junior van Rooij tells us more about it.

What distinguishes H&R Business IT Solutions from competitors?

At H&R we develop the IT environment of the future for our clients and install and manage that throughout the entire lifecycle. We don’t just look at the technical IT requirements, but strive to help our customers to really develop their organization further. We believe that IT should support the business to enable organizations to focus on their own development. Our strength lies in the personal attention we give to our customers. We want to offer our clients the opportunity to quickly get in touch with the right H&R specialist for any IT issue. We notice that personal and accessible contact is something that customers really need.

How did H&R deal with information security before the ISO 27001 process was started?

On a technical level, many things were already well arranged. We have been managing IT environments for our customers for years and security is an important pillar for a successful managed service. Yet this certification has forced us to take a critical look at what is already there and this helped us to think more company-wide. In the past, our people tended to think a bit more from a departmental point of view and decisions were more often taken and recorded in a decentralized manner. With this ISO certification, departments are better coordinated so we can follow one clear line when it comes to information security.

Why did H&R decide to go for ISO 27001 certification?

We want our customers and other stakeholders to feel confident when it comes to our services and also wanted to take a critical look at our internal security. We already did a lot in the field of security, but this certification is a valuable recognition that we take this very seriously, especially for parties who are not yet familiar with us. In addition, we are increasingly encountering the demand for ISO certification in the market, for example in tenders.

Why did you choose Kiwa?

Kiwa is a renowned name in the market, also in the IT sector. Besides the fact that ISO 27001 is a globally recognized quality standard that demonstrates that a company handles information securely, certification by Kiwa adds further recognition to the fact that we take certification seriously. We did not just want to achieve it for commercial reasons. Emotionally, this strengthens confidence even further.

What did the certification process look like?

The entire process took a year. We started by formulating a joint approach and conditions. We then had a weekly meeting with the ISO team. In the beginning, there was a lot of searching for the right working method and how the information security management system (ISMS) should ultimately be built up. We already went live internally halfway through and shortly afterwards we had an internal audit carried out by an external party. This enabled us to see what works well in practice and what needed extra attention.

What were those points of attention?

There are always things you can improve. We will now continue with that. There are currently no major points open, but we do want to further tighten our policy in the field of mobile device management.

How does H&R benefit from the ISO 27001 certificate?

Overall professionalism has increased. A solid foundation has been laid on which to build further. Certification also ensures that you do not 'slack', but are forced to regularly reflect on the current state of affairs. Processes have been scrutinized, improved and recorded. People have started working more consciously. For our customers it is a confirmation that their IT environment is in good hands with us. After we announced that we had received our ISO 27001 certificate, we immediately got many compliments and congratulations from our relations. I also think certification will help us strengthen our proposition outwardly.

How do you look back on the process?

We see it primarily as an educational process. The challenge was, as we predicted, the time everyone has to invest in it. The certification process ran parallel to our daily operation. That sometimes presented a challenge. During the process we also paid a lot of attention to stimulating the awareness of our employees, for example with posters, a quiz, news items, etc. You can see that people are now taking it even more seriously. We have to make sure we hold on to this.
