
Fenêtre’s process for ISO 27001 certification

Written by Patrick van der Weide

In September 2023, Fenêtre achieved ISO 27001 certification for information security after a process of almost a year. Eric Kruis (partner) talks about a process with ups and downs, but also about how his view on information security has completely changed. Eric believes that information security should be higher on the agenda of entrepreneurs.
By going through the steps for certification, Fenêtre has identified blind spots and connected the dots. Read how Fenêtre experienced ISO 27001 certification and what insights they gained.

About Fenêtre

Fenêtre was founded in 2006 by Eric Kruis and Roger Hendriks. Fenêtre now employs 60 people and operates from The Hague, Leiden and Utrecht.
Fenêtre is a full-service internet development company that supports organisations with consultancy, software development and maintenance. It focuses on custom-made applications for the somewhat larger small and medium-sized enterprises (from 100 persons), mainly in the business and financial services sector. This includes applications for administration systems, portals, websites and other (mainly administrative) processes that play a role in the B2B world.

Choice of ISO 27001

Fenêtre works for insurers in the B2B market, such as insuring property and vehicles, among others. Information security is high on the agenda with these parties, so if they want to serve these clients, they need to be ISO 27001 certified.
In addition, Eric says: ‘We have grown as an organisation, we serve larger and larger customers, who also demand more from us. With 10 people, you can still decide something at the kitchen table, but with 60 people, you have to standardise processes and that is also becoming increasingly important.’

Why the choice of Protify?

Danielle de Vaal is a contact from Eric’s business network; they met ten years ago at a common client. Besides Protify, Eric approached two other parties, but they did not click in the same way. ‘It turned out to fit, particularly because they are also a relatively small company and we quickly understood each other. It led to a very pleasant collaboration.’
Trust is important when choosing a supplier in the field of information security. ‘You’re pretty much going out on a limb when you go into a process like this,’ says Eric.

The team for ISO certification

Eric Kruis is responsible for resources, personnel and operations; everything that had to do with the primary process was part of his duties, which meant he had to describe many of the processes. His associate Roger Hendriks has the role of Chief Information Security Officer (CISO) and focused more on information security, CVE issues and notifications.
The organisation is kept informed through a monthly meeting, where information security is now firmly on the agenda and updates and (new) procedures are shared, among other things. Once the procedures were in place, those internally responsible were tasked with carrying them out, for example reviewing personnel files against the new structure or checking the information security of servers.

Working with the ProActive Compliance Tool (PCT)

Fenêtre uses the PCT: ‘The great thing is: it is a proven structure and it works well for us. Because that structure is separate from the standardisation, we could quite easily move from ISO 27001 version 2017 to 2022. We did this during the certification process on Danielle’s advice.’
‘When your company is like 17 years old, you find out that what you’ve been doing doesn’t all fit into the way of working, which requires certification. That means you have to do overdue work, which is quite a lot of work. That’s why the ‘coat rack’ (ed.: starter texts in the PCT) that Protify provided was really worth its weight in gold, this gave us a good foothold to draw up the procedures.’

Time commitment and the process of certification

It has been a process with peaks and valleys. It takes time, effort and discipline, but it is interesting. As Eric looks back on this: ‘I am happy that we have now mapped out the process. We know what our blind spots are and have connected the dots. We can say in retrospect that we can be quite proud of what we all do.’
Normally Fenêtre is the project leader in a process, now it was nice to have someone else pulling the cart. Once every four weeks, there was a meeting with Protify to go through an element of the ISO 27001 process. The work had to be carried out by Eric and Roger alongside other work, so it involved a lot of evening hours.

‘I now notice with everything I do, both within the company and even privately, that I look at information security very differently. While I dare say I was already very aware of that, this course has made me much more aware.’

Since Fenêtre obtained ISO 27001 certification, it remains a challenge to keep up the certification work on a structural basis. The periodic consultations do help to schedule the necessary actions, but it remains a point of attention: ‘we have to keep the focus on it.’

What does Fenêtre do differently now because of ISO 27001?

Fenêtre has made great strides by implementing ISO 27001. Operations have been redesigned, internal processes optimised. There is now continuity and consistency in the organisation.

Eric gives some examples of procedures and/or processes that have been tightened or established:

  • We think more consciously about the effects and the necessity of our actions, including reputational damage. What if a document gets into the wrong hands?
  • When something hasn’t gone well, we look at what we can learn from it, besides fixing it, of course.
  • Completed projects and related information are properly closed and cleaned up when necessary.
  • External suppliers are accompanied on the premises, for example when working on the server room.
  • Employees who leave their PC unattended have to treat the team to cake.
  • There is more internal awareness of phishing: crazy or unusual examples of phishing emails are shared.

Tips and insights for other organisations?

Eric shares his insights: ‘At first I thought much too small; we make software and it has to be very secure. It’s very technical, you have to make sure the firewalls and the backups are well organised. Gradually, you discuss the primary process and put it against the information security bar, and you see that information is in many more places. And therefore also the danger. Which has made the subject much bigger and awareness of it too.’
‘It works both ways, you do it for yourself to improve your services and to be more aware of information. But it has also changed my outlook on who I work with, I look at things differently and more consciously. As we have started to behave more maturely, it has also had an effect on those around us, and we check them more closely now.’
Meanwhile, Eric thinks it should become a mandatory component, ‘as early as when you establish your company at the Chamber of Commerce (CoC). Information security should be higher on the agenda among entrepreneurs. Because you do have quite a responsibility to your customers.’

  • Hire an ISO expert: doing it all yourself is a waste of your own time, and you will have earned the cost back in no time.
  • Take it seriously.
  • Really take your time.

Partnering with Protify?

Eric is keen to stress that he is very happy with Protify and he doesn’t say that easily about a supplier.
‘I am very positive about that, of course I found them a ‘pain in the ass’ sometimes but that was not because of their way of working, but because we had to go through a whole step-by-step plan that generated a lot of work.’
‘They thought along well, they understood us, were pragmatic, how can we do this smartly, so don’t deviate from the norm, but do, I would do it like this. Through their tank of experience, they gave us a flying start.’

Do you want to go through the ISO 27001 certification process with proper guidance?

Get in touch with us and we will be happy to discuss with you which route best suits your organisation.

Patrick van der Weide

As a freelance consultant affiliated with Protify, Patrick supports clients in the role of CISO or security officer and/or as a project contributor. Patrick has an academic background in law, broad operational IT experience, and is CISSP-certified.