These days we are being bombarded by certificates and quality labels, so it’s sometimes quite difficult to see the wood for the trees. Sustainability, security or quality: there are certificates for them all. DocWolves, the company behind OurMeeting, is ISO-certified. But what exactly does that mean?
Many DocWolves customers work with confidential and sensitive information that must not fall into the wrong hands. Security is the number one priority, and that is why the company has been ISO 27001:2013 certified since May 2015. DocWolves therefore meets the international standard for a reliable and verifiable information security management system. The certificate is evidence that an organization has put in place the control measures needed to protect sensitive information against unauthorised access and processing. This is quite a mouthful, but what does it actually mean?
Does certification equal security?
The certification is issued by an accredited certification body, which means that the processes relating to information security have been assessed, implemented and monitored. The data centers in which DocWolves houses its servers are also certified, as are the suppliers that contribute directly to the final product.
The ISO certification says something about information security, but it does not say everything. “It means that there is a very reasonable degree of certainty that the security is adequate”, says Theo Krens. As information security advisor he counseled DocWolves during the certification process. He assessed the application and reviewed the documentation produced by DocWolves. He chooses his words carefully, because watertight security can’t be 100 percent guaranteed. The world, and most definitely the IT world, is changing constantly. “Taking security measures once is not enough. You have to stay on top of security all the time,” says Krens.
We must arm ourselves
Chris Bevelander, the DocWolves Chief Operations Officer (COO), recognizes the importance of permanent security. But he also acknowledges that the notion of absolute security is a farce. “When I buy a new lock, I’m convinced it’s completely secure. Until a burglar finds an even more modern technique to break it.”
Chris Bevelander – COO DocWolves: “We monitor continuously. That is our mindset.”
The same applies to processes relating to information security. Bevelander: “We monitor continuously. That is our mindset. We take many security measures for the software we use. The moment someone breaks through the security, there’s a leak. You can arm yourself against this by monitoring all the time. Only then can you take immediate action when something is wrong.”
An ISO 27001 certificate is not a quality label that is handed to just any company. It’s not just a matter of filling in some forms, sending them in, and putting a fancy label on your website. “It’s a lengthy process”, says Krens. “A company has to meet many standards.” As information security advisor he guided DocWolves through the process step by step.
Theo Krens (r) presents the ISO certificate to compliance officer Niels Broeks.
“DocWolves has implemented the certification in a very neat, transparent and consistent manner, and in record time”, he says, looking back on the process. “It’s important to find the right balance between an effective work process and security. The company processes must be secure, but also workable. DocWolves has found this balance.”
Getting certified was only the beginning. In order to stay certified, DocWolves must have its company processes audited on a regular basis. In the first year this meant that the whole organisation was examined in full. After that, an auditor annually spot-checks the security of the company processes. The certificate is renewed at these annual surveillance audits for two years; at the end of that three-year cycle the company must apply for recertification. Not only DocWolves, but also the suppliers that contribute directly to the final product must be ISO 27001 certified, and the auditor can check this as well. Bevelander: “We are talking about companies that are an essential part of the service, like suppliers of certain software we purchase, or data centers.”
DocWolves regularly invites external, so-called ethical hackers to test the security of the private-cloud platform. This exposes the weakest links in the security, after which measures can be taken. That is external monitoring, but we think it’s important that there is monitoring within the company as well. “Self-assessment is very much part of the way we work”, says Bevelander. “We have a security monitor roster, in which we determine who checks what and when. Colleagues regularly check each other’s programme code. We always ask ourselves: has this been done according to the standard?”
Security is much more than just paper documentation: it must be a living, breathing part of each working day. “It’s important that an organization does not regard security as a temporary project only to get the certification. It must implement security as part of the work process and it must keep on testing the security systematically”, says Theo Krens. “DocWolves has most certainly done this. Each employee has helped to procedurally improve parts of the security and has contributed to get the certification. It is therefore also their achievement. They feel involved. There are not many companies that do that. Often a major part of the work is outsourced.”
DocWolves wants to maintain control wherever possible. “We program everything ourselves. From start to finish, nobody else gets access to the system or software”, says Bevelander. For security reasons, the servers are not kept in the company’s own building: if a malicious person were to take them away, the data would disappear – or worse. This is why the company has chosen to place the servers in two data centers, buildings where critical computer systems can be housed under optimum conditions.
In addition to certification, some customers have further requirements to make sure that their data is in safe hands. “This is particularly true for banks and insurance companies”, says Krens. They demand a statement from an independent auditor that the National Cyber Security Centre’s security guidelines for web applications have been met, or an ISAE 3000 assurance statement. DocWolves can produce these statements at the customer’s request. “Large customers in particular make a risk assessment before they agree to work with us. They then request a report”, says Bevelander.
Every two years DocWolves also hires an independent expert. This is not required by the certification standard, but is an extra security measure. “He checks when the software was last updated, for instance”, says Bevelander. “It’s important to update regularly or it becomes outdated. We take this extra measure, because we want to make sure that when it comes to security, absolutely nothing is left to chance.”