25-4-2022
Zooma certifies to ISO 27001 at once
As of recently, the ISO 27001 certificate hangs on the wall at Zooma. This certificate proves that all risks around confidentiality and availability of sensitive information are adequately and honestly covered. William Kulk, our consultant from QSN, and our managing director, Tim Griffioen, talk about the successful process.
Logical next step
Tim kicks off: 'We had been thinking about ISO 27001 certification for some time. Our workforce continues to grow, we have a new office building and we are helping to build business-critical apps, websites and digital platforms for great clients such as Vattenfall, ONVZ, Princeton University, FNV Veiligheid and the EU.'
Information security was, of course, always a high priority at Zooma. But it was time for us to really make this demonstrable, and to professionalise further. Obtaining the ISO 27001 certification was therefore a logical next step. Together with all employees, we have worked hard for the past 12 months. And with success!
A system that fits
Tim: 'It was very important to us that the management system fitted well with our organisation. We are not fans of enormously complex Excel files. We therefore chose to process William's elaborations in Notion. This 'all-in-one workspace' actually brings together our entire organisation. Think, for example, of an extensive code knowledge base, staff directory, retrospectives and agreements around internal and client projects.'
'Actually, we see this system as our 'second brain'. Notion contains our ISO objectives and operational planning, and the right people receive automatic notifications when certain tasks need to be carried out. Setting up the system was quite a challenge in addition to our regular work. Via online meetings from our holiday addresses in France and Spain last summer, we made the first version of the risk analysis. William could laugh about it, I believe!'
William adds: 'I have experienced the team at Zooma as an ambitious, nice club of people with a strong sense of humour. Besides hard work, we therefore had a lot of laughter. I find it particularly clever how quickly Zooma managed to digitalise the management system in Notion. The look-and-feel and functionalities fit Zooma well, for example by including operational annual planning in a Kanban board, automatic notifications around actions and linking to underlying documents in Google Drive.'
The system belongs to all of us
Tim: 'What I mainly realised during the certification process is that it is crucial that knowledge is shared. In fact, quite a lot of specific knowledge around information security was in the heads of certain key people in the organisation. It is a huge improvement that we now have everything available centrally. The system belongs to all of us. We are sharper and can check each other easily. It gives peace of mind that I can now be sure, for example, that backups have been checked. I am also happy that new employees are now always trained in the right way. That way we can ensure that we continue to deliver the right quality.'
William continues: 'By involving everyone from the beginning, information security really lives within the organisation. It is great to see that all employees became increasingly aware of the risks surrounding information security and came up with improvement proposals themselves. Surely that is the ultimate goal.'
Successful certification audit
Tim: 'We all found it quite exciting, such a first internal and external audit. Fortunately, we were reassured by William after the internal audit. Everyone was pretty cut up, but ready for the external audit. Notion was another big plus for the audits. The DNV GL auditors were given a temporary login and could click through all the evidence very easily during the audit days.'
William concludes: 'It is mega clever that Zooma passed the certification audit without any major findings. Secretly, I regret that I can no longer have a fortnightly (digital) cup of coffee with them. Hopefully we will see each other again soon, because there is talk of a follow-up process in which I will continue to conduct internal audits for the organisation, among other things.'