Information security with ISOPlanner: building on a solid foundation

Written by Ivar van Duuren

One piece of advice we sometimes hear when it comes to ISO certification is that every ISO implementation is customized. On the one hand, that’s true, of course. Because every organization is different. So each organization itself has to look very carefully at exactly what the context of the organization is. And what risks apply to them. And how you want to implement certain measures to manage those risks.

In practice, the risks that organizations face at an abstract level are very often the same. Consider, for example, the risk of a cell phone being lost, or a laptop being left on the train. Every organization has that risk, and many more like it. Even when it comes to implementing risk mitigation measures, the measures are often the same in every organization.

So you can very well use the same basis for implementing ISO standards in different organizations. What that looks like, we explain here through three practical examples where ISOPlanner forms the foundation.

ISO 27001 certification within 3 months

A large multi-technology energy and communications service provider with nearly 8,000 employees across 41 locations had already scheduled an external audit for ISO 27001 certification. Internally, however, they were far from ready for this audit.

When this customer engaged us, we suddenly had to get the implementation done under high time pressure. This organization consisted of multiple operating companies that were in different stages of implementation. So they needed a solution that allowed them to track implementation status for all these different operating companies within their Microsoft environment.

Overview of implementation status for multiple operating companies

We rolled out ISOPlanner as an Information Security Management System (ISMS). Not only did this ensure rapid implementation of the ISO 27001 standard, but the ISMS is also suitable for hooking up additional operating companies in the future. For each operating company, an overview of the implementation status is available. It is also easy to implement other sets of standards, or to update an existing set of standards, quickly.

In addition, we provided a standard documentation set with policies and sample documents that they only needed to tailor to their specific situations.

These two solutions saved this client an incredible amount of time. The entire implementation took place in just 3 months, which ultimately allowed them to be on time for the already-scheduled audit.

Getting CCV pen-testing certification with ISOPlanner

This example is about a client that helps other companies detect vulnerabilities within their Microsoft environment, for example by detecting settings that grant improper access to third parties. In addition, this organization also performs pen tests.

This client wanted to obtain the CCV pen-testing certificate for its pen tests, the standard in this form of security service provision. ISOPlanner’s software can do more than certify your organization for ISO standards: because ISOPlanner is an open framework designed to handle many diverse and specific sets of standards, the system supports all kinds of certification processes.

Our solution for this client was to implement ISOPlanner as an Information Security Management System. This allowed them to implement the measures and policies from the pen-testing standard within their organization in a clear and fast way.

Documentation, policies, and measures linked

Not only is documentation linked to measures and policies, but it is also easy to keep track of the schedule. This made it possible for this client to keep a good overview of the progress of implementing all measures related to the CCV pen-testing certification, and to see which tasks were assigned to which employees.

Collecting continuous evidence for ISAE 3402 certification

Finally, another example of an application of ISOPlanner was for an ICT service provider that provides workplace management and cloud solutions. They wanted to obtain an ISAE 3402 statement for their organization. This is a voluntary standard that requires continuous evidence that certain technical measures are properly implemented.

It requires a lot of work from ICT staff within the organization to continually retrieve that evidence. The challenge this organization faced was keeping an overview of the heavy burden of proof. Who had to do what, when, and where would they record it?

The solution was to implement ISOPlanner as an Information Security Management System, where we chose the set of measures from the ISAE 3402 standard to implement within the organization. You can select and compile that set of controls yourself within ISOPlanner, after which it is very easy to perform periodic checks and keep track of the periodic collection and storage of evidence.

Overview of collected evidence and division of tasks within the organization

It provides a very low-threshold way for the people performing the checks to provide that requested evidence. This gives you a good overview at any time of all the evidence that has been collected and where any tasks are assigned within the organization.

By using ISOPlanner, this organization now has a clear overview of all implemented controls, their status, and the planning of the work to be performed. ISOPlanner also links to Outlook, making it easy to schedule tasks in calendars and link evidence to the relevant task or action.

This gives the customer a great deal of overview and structure and saves a lot of time internally. It also provides peace of mind, because you can spot at a glance whether a task has been completed. Manually maintaining Excel lists is a thing of the past!

More tips about ISO certification?

Feel free to contact us. We would love to talk to you!

5 Frequently Asked Questions and Answers About ISO 27001 Implementation

Written by Ivar van Duuren

Are you considering certifying your organization to an ISO standard? In this article, Maurice Pasman of Instant 27001 and Ivar van Duuren of ISOPlanner answer the most frequently asked questions about ISO certification.

1. Who is responsible for implementing ISO 27001?

The standard states that the management of an organization has primary responsibility for the information security of the organization. On the one hand, this means making budget available and setting a good example. But in principle, it also means that management should designate one or more employees within the organization to be given responsibility for implementing the standard.

The most commonly used role is that of Information Security Officer (CISO). This person is often given primary responsibility for implementing the Information Security Management System (ISMS). This is not the person who has to do everything, but the one who is given responsibility by management, along with the ability to actually involve other people and take up their time.

There are also other people involved in the implementation. Think, for example, of someone from HR who looks at whether the responsibilities, rights and obligations are also well defined in the contracts. Also, people from software development are ideally involved to see if best practices in secure development have already been implemented.

And, for example, a software engineer who is involved to see if the setup of the cloud environment is going well. So in addition to the role of Security Officer, other people within the organization are also involved in ISO implementation.

2. Can you implement ISO 27001 and NEN 7510 together?

Many customers ask us if it is convenient or possible to certify the organization for ISO 27001 and NEN 7510 at the same time. This is indeed very convenient to do. If only because the overlap of the Information Security Management System (ISMS) is 100%.

Not familiar with NEN 7510? This is a Dutch-language standard in the field of information security, specifically for application within healthcare. And it is also a standard that has a legal obligation. So healthcare providers within the Netherlands are required by law to implement NEN 7510. Incidentally, this should not be confused with NEN 7510 certification, because that is not mandatory. Nevertheless, you see that many parties in healthcare and their service providers often proceed to certification, because that is the crowning glory of their work.

3. Can you substitute or ignore ISO measures?

If you look at the list of control measures from Annex A of the ISO 27001 or NEN 7510 standard and you do not want to adopt those measures, are you allowed to choose other measures? For example, because you want to come up with them yourself or because you want to use a different set of measures? The short answer is: yes, you may.

The ISO standard provides suggested measures in Annex A that you can use as a checklist, to make sure you don’t forget anything. However, the measures you ultimately choose may come from anywhere. And if at some point you think you need an additional measure, it would be strange not to take that measure.

If you continue along that line, then you can also decide that you don’t think the whole list of measures from Annex A is appropriate for your organization. And that you use a different set of example measures, for example from another ISO standard such as the 27017 or 27018.

The standard also requires you to prepare a Statement of Applicability. In that Statement of Applicability you indicate which measures you have taken, but you must also indicate what you have done with the measures from Annex A. And if you decide to completely ignore the measures from Annex A and apply, for example, the measures from the SIS controls, then you state in your Statement of Applicability which measures from the SIS controls you are using.

4. Is ISO 27001 also suitable for small businesses?

Many people think that ISO 27001 or ISO 9001 is suitable only for very large organizations. But the standard is written in a way that doesn’t actually make that distinction.

In fact, if you read the standard carefully, it sets requirements, for example, for the documentation that an organization must have. It explicitly states that the amount and manner in which that documentation is maintained must be appropriate to the organization.

That explicitly leaves open the possibility for a very small organization to implement the management system as well, without a huge pile of documentation, but with just a few smaller policy documents and some simpler processes. That makes the standard perfectly applicable to a small organization.

5. How long must an organization exist for certification?

How long an organization must exist for ISO certification is a very interesting question. It has to do with the fact that during an audit you want to give the auditor the feeling that the processes you show and the policies you have written have been alive and well within your organization for a certain period of time.

So an organization that has just been in existence for two weeks and whose management system was also written two weeks ago, won’t give the average auditor the warm feeling that this is a well-rooted system.

If you look at what the standard says about it, there are no hard timelines in there. The standard only says that a management system qualifies for certification if it can be shown that all components have been implemented at least once (Chapter 4 through Chapter 10).

If all components of the Plan-Do-Check-Act cycle have been demonstrably implemented at least once, then you can certify the management system. In practice, we find that most consultants and audit firms do apply a minimum period of 3 months for this. But that does not come from the standard.

Failures in ISO certification

In practice, we still see many situations where processes run across multiple systems and involve multiple people. There is no proper transfer from one system to another. And what can go wrong is that things are simply forgotten.

So someone does enter an employee into the HR system, but forgets to inform another person that a ticket is needed to grant certain rights to that new employee.

Then the result is not what it should be, requiring remedial work afterwards. And the organization is shaken up wondering why something is not working and what went wrong.

What does an ideal compliance process look like?

In an ideal world, a new employee enters the organization or a new supplier is onboarded, and the process begins the moment that new employee or supplier is entered into the first system.

All subsequent steps resulting from that one process then flow automatically from one system to another, and each time the employees who need to do something are triggered at the place where they work, for example with a Teams notification that something is ready for them to do. And if a step is skipped, the person concerned automatically receives a notification or reminder to still do the work.

In the ideal world, the result is also recorded in a central location in a system that everyone is already working with.

Set up compliance automation workflows in 3 steps

Want to automate compliance within your organization? How do you set up those compliance automation workflows and how do you properly maintain those processes? First, it is important that you make sure you have one system where you record the result of all those automated processes.

Second, it is good to identify which processes you want to automate. Once you have an idea of that, start calmly with one process: perhaps the process that now takes the most work in the organization, or where the most mistakes are made, or where mistakes hurt the organization the most. Start by automating that first process, then take on the next one, and that is how you gradually build up.

Finally, it is important to see which systems touch the processes. Which systems are involved in the various workflows? And what possibilities do those systems offer to link and collect information in a central system, allowing you to keep an overview of all the processes?


About Maurice Pasman of Instant 27001

Maurice Pasman is founder of Instant 27001, which helps organizations implement ISO 27001 efficiently by using sample documentation and templates. Since its launch in 2018, Instant 27001 already helped more than 1,500 organizations (in the Netherlands and abroad) optimize their information security, prevent data breaches and improve their competitive position.

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. He’s had experience with the fragmented ISO certification approach with separate documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

How to successfully start with ISO 27001 certification

Written by Ivar van Duuren

What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains.

ISO 27001 certification in a nutshell

To give you an overview of the whole process, here I briefly explain the main steps you need to take. The first step to start with ISO certification is to look at the context of your organization. Which parties are involved with you as an organization? Think about employees, shareholders, clients, suppliers, and other parties like that. And what do those parties expect from you when it comes to information security?

The next step is to determine the risks. What risks do you see as an organization when it comes to information security? And then you usually start formulating a policy: you choose the measures you are going to use to mitigate those risks and how you want to implement them in your organization. And finally, you make sure that you periodically check whether you still comply with this policy.

What help do you need with ISO 27001 certification?

You may wonder if you need help implementing the ISO 27001 standard or if you and your colleagues can do it yourselves. This depends on a few things.

First, it depends on how much experience you already have within the organization with implementing ISO standards. If you don’t have any, then it might be nice to bring in an external consultant to help you with the implementation.

This also helps maintain progress. Implementing ISO 27001 may not always be the highest priority among the various departments involved. There are always things that take priority: customers who need help, and projects that need attention. Bringing in a consultant can help you keep pace with implementation.

In addition, your need for help also depends on your decision to purchase a sample documentation package, for example. Such a package already provides a lot of information and sample documents that you need during implementation. It also provides a lot of structure that will help you implement ISO 27001 independently in your organization.

Internal stakeholders in ISO 27001 implementation

So who within your organization should you involve in the implementation of ISO 27001?

First, your management must be involved. This is an important requirement of the ISO 27001 standard. Management must have an active role in controlling information security in the context of ISO 27001.

In addition, more roles within your organization are relevant to information security. Very often we see an IT manager involved, for the technical aspects of information security. We also often see an HR manager, who controls who enters the organization as an employee; for such “in and out” processes, that HR manager is important.

And finally, there are often people involved who do operational work, such as setting up and making backups. These are also people you want to involve in this project.

Required services with ISO 27001 certification

What external services do you need with an ISO 27001 certification? What you need in any case is an external auditor. This is a party that checks whether you as an organization ultimately meet the requirements of ISO 27001.

From the ISO 27001 standard, another mandatory part is an internal audit. ‘Internal’ sounds a bit confusing, because it seems to imply that you can pick up this part internally. In principle, you can, but you need internal people who have the competencies to perform internal audits. And who therefore have experience in doing so.

However, many organizations that start with ISO 27001 certification do not yet have that experience. So many organizations have an internal audit performed by an external auditor. This is not the same party that performs the real external audit. But in most cases, this is an external consultant who helps you implement ISO 27001 and who also takes on the internal audit.

Finally, one of the measures in the ISO 27001 standard requires an external check on the technical security of your own developed applications. Many organizations commission a pen test for this purpose. If that applies to you, you will of course need a specialist party for that as well.

Are all ISO 27001 measures mandatory?

Many organizations wonder which ISO 27001 measures are mandatory to implement. The standard contains an annex, Annex A, with many measures that you can implement. These measures aim to reduce your security risks.

Yet these measures are not mandatory, they are mere suggestions. The standard says that you must identify risks and take measures to control those risks. But you are not obliged to implement those suggested measures.

However, it is mandatory to indicate why you are implementing all these measures. For example, based on risks you see. Also, if you do not implement a measure, you indicate your reasoning. You are also free to create your own measures if you find them more appropriate to manage your identified risks.

How does an ISO 27001 certification audit work?

An external auditor checks whether your organization meets all the requirements of the ISO 27001 standard. This is a certifying organization whose purpose is to verify that you meet all the requirements. This is done during the certification audit, which consists of two parts.

The first phase consists largely of checking the documentation in place. The auditor checks whether your organization has all the mandatory documents you must have for ISO 27001. And also whether you have started your improvement cycle where necessary.

In practice, he or she assesses whether you have a working process, or an information security management system (ISMS), which involves the following questions:

  • Do you have an overview of all your organization’s stakeholders?
  • Have you inventoried all the risks?
  • Have you taken measures to control those risks?
  • Have you written out policies to do so?

In the second phase of the certification audit, the auditor not only looks at documentation and the policies that have been written. Now the auditor also checks whether you are complying with the established policy.

Also read: Expert Tips On ISO 27001 Implementation

Expert Tips On ISO 27001 Implementation

Written by Ivar van Duuren


Are you choosing to implement ISO 27001 standards for your organization? In this article, the co-founder of ISOPlanner Ivar van Duuren explains all about the benefits, challenges, duration, and costs of implementing ISO 27001. This way, you know what you’re getting into and can make this project a success!

The 3 benefits of ISO 27001 certification

The main advantage of obtaining an ISO 27001 certification is that you have the certificate. That means you can demonstrate, for example to new customers who find it important that you as a supplier handle their data well, that you handle information security well. It may also mean that you no longer have to fill out an extensive information security checklist with new customers; showing your certificate is enough.

Certification can also make international business easier because ISO is an international organization. And ISO 27001 is an internationally recognized certificate. If you also want to do business across borders, having the certificate makes this a lot easier.

And, perhaps the most important benefit: implementing ISO 27001 makes you take information security much more seriously. No matter how well you are already doing as an organization, you will find that by implementing ISO 27001, the level of information security gets a whole lot better.

Also read: Benefits of ISO 27001 for cloud service companies

How long does it take to get ISO 27001 certified?

How long does it take to become ISO 27001 certified? That can vary quite a bit. Many organizations take at least a year. Other organizations opt to put all the available manpower into the project. And they do it in six months.

If you use an application that also provides you with the documentation you need for ISO 27001, it can be as quick as within three months.

Read also: ISO 27001 Step-By-Step Guide

What are the costs of an ISO 27001 certification process?

For an ISO 27001 certification process, you need several things. One of the things you need in any case is a certification audit. An auditor checks whether your organization meets the requirements of ISO 27001.

Those costs depend very much on the size of your organization, and also on how many branches your organization has. But for a small organization, you can count on €15,000 over three years.

Read also: What does an ISO certification auditor do?

Next, you may opt to hire a consultant to help you implement ISO 27001. Again, these costs can vary considerably. But as a starting point, you can figure around €10,000.

Finally, you may want to use software to help you structure your processes. The cost of this is generally limited. You can get good management software for as little as €1,500 a year.

And additionally, you could choose to purchase a package of documentation for between €2,000 and €4,000. With this, you get a lot of the documentation that you need. This helps you cut your consultants’ fees.

Also read: Tips on asset risk management through ISO 27001

What is an ISMS?

ISMS stands for Information Security Management System. It’s the set of documentation, tasks, and things that you record to fulfill the requirements of ISO 27001. So ISMS is not necessarily software, it’s not necessarily a particular application.

It can be, for example, a combination of documents and tasks scattered throughout your system. But all of that together actually constitutes your ISMS.

You can also choose to use software for your ISMS. That has the advantage of bringing all the elements together. And so you have an overview of your information security management system in one place.

Also read: What are the benefits of ISMS software?

Challenges with ISO 27001 implementation

What do organizations encounter most when implementing ISO 27001? One challenge is maintaining progress on the project. A project can take quite a while, roughly 3 to 12 months, so you have to make sure that you stay involved during that time and that progress is maintained.

The second thing that can be challenging when implementing ISO 27001, is involving all your employees who have a role in this. Make sure they get the information they need and do what they need to do.

Finally, once you’ve achieved ISO 27001 certification, it can be a challenge to keep up with the measures after that. You have to check that policies are being followed. And whether things are set up as you agreed.

Is it mandatory to implement all ISO 27001 measures?

Are the measures included in ISO 27001 mandatory to implement? The short answer is: no.

You are obliged by the ISO 27001 standard to inventory the information security risks your organization faces, and then to take measures to mitigate those risks. In doing so, you can take suggestions from the list of measures included in ISO 27001 and assess whether or not you can use them.

You are also obliged to state why you’re implementing the specific measure from that list. For example, because you spot a risk, or because it’s some kind of best practice. Also, for each measure that you don’t implement, you are required to indicate why you don’t implement it.

So in theory, you can choose not to implement all those measures. And put together your own set of measures and implement just those. All with good explanation and justification.

What are the benefits of using sample documentation?

What are the advantages of using sample documentation when implementing ISO 27001? The first advantage is that you save a lot of time. All the documents that you need for ISO 27001 are provided to you so you don’t have to write them yourself.

You also get a structure. Your documentation won’t consist of just a list of documents. It will be delivered in a structure so you’ll know which risks belong to which measures. And which policies belong to which measures. So everything related will be already linked together. This provides you with a tremendous overview.

The third advantage is you won’t just save time and be provided with an overview, but you also have peace of mind. Because you have an example that you know is already OK. And you’ll know when you implement the measure, that it will be enough. And you’ll never have to wonder again, “Is this enough?”.

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. At previous jobs, he experienced the fragmented ISO certification approach with loose documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

More tips about ISO 27001 certification?

Feel free to contact us. We would love to think with you!

Compliance automation: challenges, practical tips, and KPIs

Written by Ivar van Duuren

In our daily practice, we’ve noticed that companies often work across multiple systems to meet certain compliance standards. For example, consider entering a new employee into an HR system.

Often it starts in one HR system, after which the HR person asks a colleague by email to create a ticket. Then another person requests access to certain business applications in the IT ticketing system. And many things are still maintained in Excel or other working documents.

Error-prone situation resulting in corrective measures

This situation is error-prone because the process spans multiple systems and involves multiple people. The chance that someone forgets something is greater, so the result is not always what it should be.

As a result, remedial work is needed afterwards, and the organization is surprised by things that don’t work. When onboarding a new employee, the consequences are still manageable. But when it comes to information security and the risk of incidents, it is a different story.

The ideal world: automatic triggers and to-do’s

In an ideal world, every process starts at a defined place, for example the moment a new employee or supplier enters the organization. From there, all successive steps flow automatically from one system to the next.

Each time an employee needs to do something, they are prompted by a system they already use, for example with an MS Teams notification. In the ideal world, the result is also recorded there. And if someone forgets something, a reminder is triggered for that person.

What are the benefits of compliance automation for organizations?

When organizations automate their processes like this, they save time. Employees spend less time emailing back and forth and checking things. Instead, there is a smooth flow, where the right person is asked to participate in the process at the right time. As a result, you’ll notice a rise in the quality of the process.

For example, if a new employee joins the company, you’ll notice that this process will be completed quicker when automated. All the rights are set up correctly in an effective way. This way, employees can focus on what’s important, which is getting access to the right resources. And all this is recorded in a place where you have a good overview of the result.

This is what we call compliance automation.

Typical challenges with compliance automation

When your organization starts with compliance automation, you first need an overview of the processes you want to automate. It takes some work to map that out properly.

It helps to have a system that keeps track of the outcome of all those automated processes. For example, if you want to comply with an information security standard, you also have to deal with an auditor who visits once a year to assess whether everything is going well. And of course, you want to have that overview yourself.

You’ll also have to figure out how to link all the systems you work with and how to create a smooth flow. That also means you have to have the internal or external capacity to properly automate those processes.

In short, it is very important to have one system that links with all your other systems and automated processes.

How to stay up-to-date with the standard?

Of course, it’s one thing to implement a standard. Then you have a process of maybe three months to a year, where you’re busy shaping the policy and implementing all the requirements the standard places on you.

The real work comes after because by then you’ll have to keep track. You’ve created policies, but how do you know that the policies are being implemented?

So you need a system in which you can record all actions, including recurring ones, and which makes sure those actions reach the right employees in a place where they already work, so that they don’t have to log into yet another system whose password they will lose. For example, when tasks land in their Microsoft Outlook, they can handle them quickly and conveniently.

This way, you make it easier to stay up-to-date with everything that this standard requires of your organization and employees.

How do you measure the success of compliance automation initiatives?

You can measure the success of compliance automation by assessing how much time an employee saves with the automated process. Before you start, map out how many FTEs are engaged in the process. Afterwards, check how much extra time employees have now that the process is automated and no longer carried out manually.

Or assess the turnaround time of certain processes, for example that new employee joining the company. How long does the whole process take now, from entering personal data to having received the Certificate of Good Conduct (VOG) and having access to the required company systems? After automating the process, you can see how much shorter the turnaround time has become.

A third measure or Key Performance Indicator (KPI) is the quality of the process or the error rate. How often did things go wrong in the past and how often was a corrective action needed? Or were things forgotten that were needed for that particular process?

Also measure your success by goals, for example in the area of information security. Think of reducing the number of incidents as a KPI.

Overview and sample documentation

ISOPlanner was initially set up as an application to keep a good overview of all the policies and tasks involved in maintaining an ISO standard. However, after several successful implementations, we noticed that our customers also needed documentation for the specific ISO standard they were working towards, for example ISO 27001.

For this purpose, we partnered with Instant27001, which allows our customers to activate that entire documentation package within ISOPlanner. This gives them a pre-populated management system in one go, including all the policies and processes they need, and saves them a lot of time.

Case study: municipality and the BIO standard

One example of this collaboration was for a municipality in North Holland that wanted to comply with the BIO standard, an information security standard specifically for governments.

Working with ISOPlanner and Instant27001 gave them access to lots of templates for BIO policies and processes. They no longer had to create these themselves. The templates were loaded into the ISOPlanner system and, based on the documentation, they could very quickly start implementing the compliance standards. They also got a very good overview of all required activities and the status of implementation. In short, this overview and documentation saved them a lot of work and made them more efficient.


More tips about compliance automation?

Feel free to contact us. We would love to think with you!
