We prove to our customers every day on a technical level that we offer them first-class support as a cloud managed service provider; now it was time to check whether the organizational requirements were also met. At glueckkanja, we are receiving more and more requests from customers who want proof that our company has established industry-standard processes for information security. To meet this requirement, we have had ourselves certified in accordance with ISO 27001.
What is ISO 27001 certification about?
An information security management system, or ISMS for short, is less concerned with technology than with describing rules and organizational measures for holistic corporate and IT security management. The implementation is in turn based on technical and organizational rules in the previously defined areas (in our case: managed services and product development).
Our goal was to be ISO 27001 certified in the above-mentioned areas by the end of 2021 - in just 10 months! For this, we were ridiculed from various sides, because the introduction of an ISMS and the certification mean a significant amount of time.
What kind of implementation did we choose?
As a company, we think a little differently. We didn’t want to reinvent the wheel, but rather rely on people who see accompanying such a process as their core competence. That’s why we chose an “off-the-shelf” system, where the framework was already given and we just had to fill it with life.
As already mentioned, the implementation is based on technical and organizational rules. This is where our 100% cloud strategy and our Future Workplace Blueprint play into our hands. Because one of our maxims is to “eat your own dog food”. We therefore live in the cloud and the Blueprint is also being implemented within our company. Thus, many of the topics required in the framework could be referenced to the Blueprint or requirements could be answered with it.
The ISMS also takes a look at the area of corporate security. Among other things, it examines how business-critical situations are handled, e.g. power or internet outages. In our case, there were some exciting discussions with the auditor during the certification process, as these topics do not directly affect us. After all, thanks to our 100% cloud approach, our motto is: “Power gone, no matter - then I go where the power is. No internet, never mind - personal hotspot on mobile, off to the café around the corner or, boringly, home office.”
ISO 27001 certification also includes an assessment of the business facilities and infrastructure (data center). This might take up to an entire day. In our case, the assessment was completed within an hour. Why? Quite simple: 100% cloud. And since we use the Microsoft Cloud, which is already ISO 27001 certified, this point was quickly taken care of as well.
However, this raised further questions. If all the infrastructure is in the cloud, how is access secured and access monitored? We were again able to refer to our Blueprint, which also addresses the issue of conditional access. In terms of monitoring, we convinced with our glueckkanja CSOC service and eliminated the last doubts. Thus, we were ready for the final certification.
So what conclusion can we draw?
With our technical knowledge, which we put into our Blueprint, we also created the basis to convince on the organizational side. This enabled us to achieve ISO 27001 certification in a very short time and with manageable effort.
From now on, we can tick questions about an ISMS or certification with a clear conscience when we receive inquiries about managed services. And you as a customer can also benefit from our 100% cloud approach, because the standardized approach can also help you in your company with issues such as information and business security.