Information security with ISOPlanner: building on a solid foundation

Written by Ivar van Duuren

March 11, 2024


One piece of advice we sometimes hear about ISO certification is that every ISO implementation is custom work. In one sense that is true, of course: every organization is different, so each organization has to look carefully at its own context, at the risks that apply to it, and at how it wants to implement the measures that manage those risks.

In practice, however, the risks organizations face are very often the same at an abstract level. Consider the risk of a phone being lost or a laptop being left on the train. Every organization has that risk, and many more like it. The same goes for the mitigating measures: the measures chosen to reduce a given risk are often the same in every organization.

So you can very well use the same basis for implementing ISO standards in different organizations. Below we show what that looks like in three practical examples in which ISOPlanner forms the foundation.

ISO 27001 certification within 3 months

A large multi-technology energy and communications service provider with nearly 8,000 employees across 41 locations had already scheduled an external audit for ISO 27001 certification. Internally, however, they were far from ready for that audit.

When this customer engaged us, we had to complete the implementation under high time pressure. The organization consisted of multiple operating companies, each at a different stage of implementation, so they needed a solution that let them track implementation status for all of these operating companies within their Microsoft environment.

Overview of implementation status for multiple operating companies

We rolled out ISOPlanner as their Information Security Management System (ISMS). This not only made a rapid implementation of the ISO 27001 standard possible, but the ISMS is also suitable for connecting additional operating companies in the future. For each operating company, an overview of its implementation status is available, and other sets of standards can be added, or an existing set updated, with little effort.

In addition, we provided a standard documentation set with policies and sample documents, which they only needed to tailor to their own situation.

Together, these two elements saved this client an enormous amount of time. The entire implementation took just 3 months, which allowed them to be ready for the audit that had already been scheduled.

Getting CCV pen-testing certification with ISOPlanner

This example concerns a client that helps other companies detect vulnerabilities in their Microsoft environments, for example by finding settings that give third parties improper access. This organization also performs pen tests.

This client wanted to obtain the CCV pen-testing certificate for their pen tests, the standard for this form of security service. ISOPlanner's software can do more than certify your organization against ISO standards: because ISOPlanner is an open framework designed to handle many different and specific sets of standards, it supports all kinds of certification processes.

Our solution for this client was to implement ISOPlanner as their Information Security Management System. This allowed them to implement the measures and policies from the pen-testing standard within their organization in a clear and fast way.

Documentation, policies, and measures linked

Documentation is linked to the measures and policies, and the schedule is easy to keep track of as well. This allowed the client to maintain a clear overview of the progress of all measures related to the CCV pen-testing certification, and to see which tasks were assigned to which employees.

Collecting continuous evidence for ISAE 3402 certification

The final example is an ICT service provider offering workplace management and cloud solutions. They wanted to obtain an ISAE 3402 statement for their organization. ISAE 3402 is a voluntary assurance standard that requires ongoing evidence that the specified technical measures are in place and operating as intended.

Continually retrieving that evidence takes a lot of work from the ICT staff within the organization. The challenge this organization faced was keeping an overview of that heavy burden of proof: who had to do what, when, and where would they record it?

The solution was to implement ISOPlanner as their Information Security Management System, with the set of measures from ISAE 3402 selected as the controls to implement within the organization. You can select and compile that set of controls yourself within ISOPlanner. After that, performing the periodic checks and tracking the periodic collection and storage of evidence is straightforward.

Overview of collected evidence and division of tasks within the organization

It gives the people performing the checks a low-threshold way to supply the requested evidence. At any time, you have a clear overview of all evidence that has been collected and of where tasks are assigned within the organization.

With ISOPlanner, this organization now has a clear overview of all implemented controls, their status, and the planning of the work to be performed. ISOPlanner also links to Outlook, making it easy to schedule tasks in calendars and to link evidence to the relevant task or action.

This gives the customer structure and overview, and saves a lot of time internally. It also provides peace of mind: whether a task has been completed can be seen at a glance. Manually maintained Excel lists are a thing of the past.

More tips about ISO certification?

Feel free to contact us. We would love to talk to you!
