MedITall: practical case study for ISO 27001 recertification

Written by Protify

Understand the why of ISO 27001

The practical case study of MedITall

An IT specialist in healthcare understands the importance of strong information security. But how do you ensure that managing and maintaining an ISO 27001 certification remains workable and creates value instead of costing energy?

In this practical case study, we show how MedITall found an approach that is both manageable and future-proof.

About MedITall

MedITall consists of a close team of around twenty IT specialists, fully focused on dental care.

With more than 125 practices in the Netherlands, MedITall supports the setup and management of smart IT environments. Thanks to their sector-specific knowledge, they speak the language of dental practices and understand the daily reality of healthcare providers.

How it started

A few years ago, MedITall achieved ISO 27001 certification. It soon became clear that obtaining the certificate was only the beginning.

“Obtaining the certificate is one thing. After that, the real work begins. For us, as a relatively small company, ISO should not be an administrative burden, but something that helps us continuously improve.”
Jurgen Weijer, founder and IT architect

The existing way of working felt too much like meeting requirements and too little like helping the organization improve. That had to change.

The approach

The initial certification was based on templates that covered the full standard. As a result, the process effectively worked backwards: it started from the outcomes the standard expects, without always checking whether these were relevant to MedITall’s daily practice.

The shift came with a new approach based on the organization’s own processes. Employees were actively involved and gained insight into why ISO 27001 is applied and what an ISMS means in practice.

“Protify helped us start from our own processes. As a result, the outcomes are immediately practical and relevant.”

Why Protify?

The choice for Protify was driven by their pragmatic and personal approach. Combined with the ProActive Compliance Tool (PCT), this provides a solid and workable foundation.

“Protify understands SMEs. We do not have a full-time employee for the ISMS. That is exactly why their approach helps us integrate ISO 27001 into our daily work.”

ISO therefore became not a separate project, but a logical part of daily operations.

Results

Through the new approach, all processes have been clearly and concretely documented. This leads to more conscious decision-making, better safeguarding of procedures, and transferable ways of working within the team.

A practical example is replacing a door lock. In that situation, the team does not only look at the technical benefits, but also at the impact on policies and procedures, such as the access policy.

The onboarding and offboarding process has also been fully developed and tightly documented, making it practically watertight. Tasks can easily be handed over without steps being missed.

The combination of PCT and the organization’s own ticketing system also provides real-time insight into ongoing processes.

In addition, the ISO 27001 certification has delivered commercial results: new customers, retention of existing relationships, and a stronger position in a market where information security is increasingly a prerequisite.

Take-away

Jurgen: What I would like to share with other organizations:

“Be careful with recurring tasks. Think carefully about what is truly necessary. Checking more often is not automatically better. Simplifying afterwards is harder than consciously deciding in advance what is relevant.”

Do you also want to achieve ISO 27001 certification?

Are you considering taking the step toward ISO 27001 and do you want to approach it in a practical and workable way?

Feel free to contact us to plan a no-obligation introductory meeting. Together, we will ensure that your organization works on information security in a demonstrable and sustainable way.
