LEVEL27 and ISO certification

ISO certificates

Level27 has ISO27001 certification (information security) and ISO9001 certification (quality). In this article we share our personal experiences during the certification process.

Why?

ISO27001 is important in the hosting sector. As a client, you want to feel confident that your data is in safe hands, and this certificate gives you that confidence.

As a professional hosting partner, we feel obligated to obtain this certification. Given our motto (‘Hosting. Better.’), we wanted to highlight safety in particular.

The vision

We wanted more than just your basic certification. Given the considerable investment in terms of both time and materials, we wanted to get certified for strategic reasons as well. Instead of keeping an ISO reference book on hand, we wanted to actually implement ISO elements to improve our organisation. This is why we ended up pursuing both the ISO27001 certificate and the equally important ISO9001 certificate.

Our partners

An ISO audit calls for an auditor, an organisation authorised by ISO to determine whether a company is eligible for certification. The reputation of this organisation is also important. After thorough market research, we settled on BSI Group.

An ISO audit consists of a pre-audit, during which BSI checks whether all of the basic requirements have been met. The real audit is carried out a few weeks later and involves an extensive investigation into the entire company.

An annual update is carried out to check whether the organisation still meets the criteria or whether certain points need to be addressed. Every three years a new full audit is carried out.

Anyone can request an audit from BSI Group. Common sense will get you a long way for most of the requirements, but some of the more technical and legal aspects prompted us to seek outside support. We found that support in Bob from KVGM-IS, who was our rock throughout the entire process.

Our process

What does the audit process look like? I’ll share our experiences, our approach and the successes and challenges we encountered along the way.

Starting up

Let me start by saying the audit is hard but not impossible. By hard I mean it takes a lot of effort. Simply hiring an external ISO expert like Bob, having him do all the work and then handing the ISO book to the auditor a few months later is not enough. At least, not according to the vision we had in mind. It also has to be a team effort, meaning the entire organisation has to be involved in the process.

That said, it’s not impossible. In our case, we already had a lot of instructions and processes in place before we started the audit process. Throughout the audit, we had to update and optimise a lot of those instructions in order to meet the ISO standard.

We spent the first few days identifying what we had. We then evaluated the existing processes with Bob from KVGM-IS.

The tools

The next step was to set up a system to structure all of our documentation. We were lucky we already had Confluence, a collaborative wiki tool that gives us structure and lets everyone edit texts and documentation.

Confluence is not loved by everyone, but it is in constant development and has all the features we need!

An example of a KPI page and the general structure of our Operations department:

Confluence contains a lot of information, documentation and registrations. We keep track of activities and to-dos in Trello, which is made by Atlassian, the creator of Confluence. Trello offers considerable freedom while also ensuring a structured approach.

It’s the digital equivalent of this:

The road to the pre-audit

In the months leading up to the pre-audit, we focused on streamlining our processes. We further identified our risks and defined action points in Trello.

The most important thing at this stage was to involve all employees in the project. To achieve this, all employees were made aware of how important this project was. Everyone had their own responsibilities.

As things progressed and as the pre-audit deadline approached, it became clear that we were on the right path. The milestones we’d set at the start of the project certainly helped.

The pre-audit

Before BSI Group starts the audit process, they first carry out a kind of inspection known as the pre-audit. The purpose of this short pre-audit is to save time and money if it turns out the organisation is not yet ready for an ISO audit. It's also the perfect opportunity to identify things that should be addressed before the real audit.

Our pre-audit went well :)

The road to the audit

We spent the few weeks between the pre-audit and the audit finalising everything. We tied up loose ends, we added asset tags to our devices, and we put the finishing touches on our risk and Confluence documentation.

The audit

Then it was finally time for the audit. A full ISO audit (in our case two: 9001 and 27001) takes several days to complete and is carried out in meticulous detail. The auditor reviews the entire management system and records his findings. Given that all of our employees were involved in the process, the auditor had to review each item separately with them.

During an audit, an auditor may note the following findings:

  • potential improvements
  • minor nonconformities
  • major nonconformities

Major nonconformities result in failing the audit, which requires corrective measures to be implemented before certification can be granted. During our audit, no major nonconformities were found!

‘What particularly struck me during my visit was the tranquillity – as if Level27 was immune to stress and problems. The reason for this is the impressive technical expertise, highly advanced automation and concrete and measurable objectives. This combination of factors, coupled with a clear delineation of the hosting activities and a pragmatic interpretation of the standard requirements, resulted in an effective management system for quality and information security.’

Koen Beroudiaux

BSI auditor

The result

Two weeks after our audit we received our certificates by mail. Level27 was officially ISO27001 and ISO9001 certified!

And now?

The BSI Group auditor will visit us every year to determine whether we still meet the requirements. If so, our certification will be renewed for one year.

What did we learn and what can you learn from our experience?

The key takeaway for us was that even small organisations can become ISO certified. We waited until we were big enough, but that's not necessary at all! That would be my advice to other companies: don’t wait! Your organisation will be ready for an ISO audit sooner than you might think. If you're not ready yet, the ISO process helps you to reflect and professionalise.

I’m also convinced that you have to embrace this process organisation-wide. You can't just saddle one or two people with the burden of ISO certification. Many organisations do just that, which results in a paper tiger that everyone avoids. The ISO process should be experienced by the entire organisation and consciously embraced by all. Otherwise it's a waste of time and money.

‘General conclusion: it was worth it!’

Peter Fastré

Level27 Business Owner
