‘ISO 27001 certificate builds trust’
Heijmans, one of the largest construction companies in the Netherlands, celebrated its centenary in 2023 and has since been granted the title "Royal." With a diverse portfolio ranging from real estate development to infrastructure and technical installations, the company places great emphasis on quality, safety, and sustainability. Recently, Kiwa extended Heijmans' ISO 27001 certification, affirming Heijmans' efforts in information security. Raymond van Ommeren, quality coordinator at Heijmans, discusses the importance of this certification.
Within Heijmans, quality certification plays a crucial role. The company has a Safety, Improvement, and Quality (Veiligheid, Verbeteren en Kwaliteit (VVK), red.) cluster that supports all business activities. ‘The Quality department within this cluster manages the majority of certified standards. We work daily on maintaining and improving our management system,’ Van Ommeren explains. ‘Standards such as VCA, ISO 9001, 14001, 55001 and 27001, along with various assessment guidelines (BRLs), form the backbone of this system.’
Handling information safely and responsibly
The ISO 27001 certification, issued by Kiwa since the initial certification in 2017, plays a special role. ‘Information security is essential for us,’ says Van Ommeren. ‘We process a lot of information daily, both digitally and on paper. ISO 27001 helps us handle this information safely and responsibly and demonstrate this to clients and stakeholders. Additionally, it serves as a tool to measure and improve internal processes, including the control measures from ISO 27002.’
ISO 27001:2022 standard update
Heijmans chose to gradually align the organization with ISO 27001. This process started on a small scale with the first ISO 27001 certificate. ‘Over the years, we have phased in more business units to this certificate. With this growth, we have also been able to further professionalize our Information Security Management System (ISMS). When the ISO 27001:2022 standard update was announced, we decided to get started right away. In a relatively short time, we adapted our ISMS and included the already connected business units in this transition.’
Experienced auditors
Choosing Kiwa as a certification partner was logical for Heijmans. Positive experiences with Kiwa in other schemes such as the CO₂ Performance Ladder and the Safety Culture Ladder played a major role. ‘The practical implementation of the audits by Kiwa fits well with Heijmans. The auditors are experienced and bring a lot of knowledge from the construction world. This made Kiwa the right choice for ISO 27001 as well.’
Further refining the ISMS
The audits with Kiwa have always been conducted in a good atmosphere over the years. ‘We have always been able to identify with the findings from the audits, allowing us to further refine our ISMS,’ says Van Ommeren. ‘With the transition to ISO 27001:2022, we have created special roles per certified business unit. Colleagues in these roles perform various information security tasks to comply with the standard's requirements. By distributing responsibilities, the ISMS remains better maintained and it is easier to add new business units to the certificate.’
Ongoing process
The certification and accompanying audits are not only important internally but also for Heijmans' clients. ‘The ISO 27001 certificate builds trust and makes information security demonstrable,’ says Van Ommeren. ‘It shows that we take information security seriously, which strengthens the trust of our clients.’ Van Ommeren sees certification as an ongoing process. ‘Our ISMS is constantly evolving and we try to improve it wherever possible. The annual audit round conducted by Kiwa confirms that we are on the right track. It offers us the opportunity to reflect and discuss the interpretation of standard elements.’
Increased security awareness
According to Van Ommeren, the ISO 27001 certification process has also contributed to increased security awareness among Heijmans employees. ‘Heijmans already has an extensive program to inform employees about the risks surrounding information security. Employees from the certified business units all have a clear foundation. Additionally, these colleagues are further informed about risks specific to their field of work. However, the certification process and associated tasks have certainly contributed to increased awareness among our employees.’
Necessary factor
Heijmans receives relatively few questions from the market about ISO 27001 certification. ‘In the construction industry, ISO 27001 is not yet commonplace. Depending on the nature of the work, we see a growing need among clients. At the moment, I still consider this certification to be distinctive. However, in the coming years, more companies will strive for certification and the distinctive factor will change into a necessary factor.’
Asking the right questions
Maintaining the ISO 27001 certificate requires continuous effort, but Van Ommeren is optimistic about the future. ‘Digitization will increase in the construction industry and with the growing role of technologies such as AI, new risks will emerge alongside opportunities. ISO 27001 will help us keep asking the right questions and adapt to these changes.’
More info
Visit our website for more information about ISO 27001 certification.