Client case Pulse: 'ISO 27001 certification increased our data security awareness'
Microsoft Dynamics 365 service provider Pulse was certified by Kiwa against the ISO 27001 standard in June 2018. For Pascal Thönissen, service delivery manager and security officer at Pulse, this certification cuts both ways: 'We demonstrate our information security processes are in order and we can now help our customers with their data security issues.'
Pulse, part of CRM Partners Group, improves and supports the business processes of its customers - mainly production and trading companies - based on the Microsoft Dynamics 365 platform. 'We implement Dynamics ERP and CRM applications for our customers and, if required, connect them with other software solutions that they use. We also develop additional apps, on top of the Dynamics 365 environment. And of course, we also provide our customers with full 24/7 support for those products.'
As part of this service, Pulse’s activities regularly touch on confidential information. 'Of course we do not simply run an export of customer data', says Thönissen. 'As a rule, we do not want to have customer data in our own infrastructure. But if we help customers with a change request or a malfunction, it could be possible that the anonymized information we use for test scenarios contains some real data. In such cases it is important that you can show that you handle confidential data the right way.'
According to Thönissen, the processor agreements that companies and their ICT suppliers conclude under the new GDPR privacy law also played a role in Pulse's decision to apply for ISO 27001 certification. 'An audit of the information security processes is often an integral part of such a processor agreement. By streamlining these processes according to the ISO 27001 and making them transparent, you avoid having to reinvent the wheel every time, and that saves you a lot of time.'
Pulse did not pursue ISO 27001 certification overnight. 'Together with a consultancy firm, we have mapped the risks within our company and set up an information security management system, an ISMS. This revealed some points for improvement that we addressed before we received Kiwa for the actual certification. That lasted two days. In advance Kiwa made it perfectly clear what we could expect in those two days. As a result, the certification process went very smoothly. We did not always agree, but the discussions were always constructive. I think it is a good thing if a certifier is pragmatic and does not lose sight of what matters first: managing the actual risks surrounding data security.'
Asked about the most important thing the ISO 27001 certificate brought Pulse, Pascal Thönissen does not have to think long: 'Awareness. As an organization - both the management and the employees - we were already well aware of our responsibilities in the field of information security and dealing with customer data. But because of the certification process, that awareness has only increased. At Pulse we believe in people, our employees and our customers, but when it comes to information security, it requires extra attention, by formalizing business and by creating a necessary structure.'