Emprover obtained its ISO 27001 certificate in May 2023. When they embarked on this journey in 2021, they had no knowledge of certification and therefore went looking for a partner who could guide them through the process. In an interview, Fleur Dobbelsteen-Muit talks about how Emprover went through a professionalisation process, gives tips for organisations looking to get certified, and describes how the project went for them and how information security has taken a central place in their operations.
About Emprover
Emprover activates and secures strategic engagement in organisations by methodically structuring development in a strong and permanently visible way. Emprover helps teams and organisations, both in the public domain and in SMEs, structure work and connect work to strategic ambitions, so that strategic engagement is secured, collaboration is improved and job satisfaction is enhanced. Emprover offers proven digital working methods, which are often based on agile thinking. Which method they apply depends on the target group, the organisation and what it is to be applied to: the work the team has to do and how they (want to) work together.
“Our great love is to get all employees in an organisation to participate in thinking about strategy in an organisation. So that employees’ job satisfaction is increased, they get hooked and really feel ‘this is what I want to contribute to’.”
In addition to services to improve collaboration, Emprover also provides digital support in the form of an app. This app, also called Emprover, is a digital tool that allows organisations to work very visibly with each other on the goals they have set together. Because they use a software tool for their customers, information security is important, which is why they opted for ISO 27001 certification.
Emprover’s team consists of about 20 people, a mix of consultants and developers. The certification team consists of Jan Nouwens (director), whose role is technical security officer, and Fleur Dobbelsteen-Muit, operational security officer; Mitchell van Gerwen of Pearl-IT is involved as an external party, mainly to support the technical area, including Microsoft 365 and Azure.
Why Protify?
Emprover had no knowledge of certification yet and therefore decided to look for a partner who could guide them in this process, so that ongoing (customer) work could continue. After talking to three parties, the choice fell on Protify. ‘We immediately had a good click with Danielle de Vaal and the pragmatic approach appealed to us. Danielle and Eveline are good at understanding the work within a small organisation and made it clear how information security could be part of this,’ says Fleur.
‘Protify we definitely needed because without them we really wouldn’t have managed this.’
Why choose ISO 27001 certification?
‘We consider information security very important and noticed that, because of the Baseline Information Security Government (BIO), our public customers often also want to see certain standards confirmed. Our customers’ data needs to be secured, because of course we absolutely don’t want anything ending up on the street. That’s why we felt it was important to be able to record it in a more professional way. And to demonstrate to our customers that we have arranged this in a good way,’ indicates Fleur.
Emprover is an online application where customer information is stored digitally. It was therefore important for them to secure this data and keep it safe. The information security standard is then a logical choice.
Internal organisation: annual planning and improvement cycle
Emprover has a fortnightly ‘circle consultation’ called ‘working on the shop’. This consultation focuses on strategy and internal processes, and information security is a fixed agenda item. During this consultation, tasks are divided and what has come in is dealt with. Emprover works in periods: cycles of three months, each reviewed by asking what has been achieved, what successes there were and what the focal points are for the next cycle. The tasks following the consultations are placed in their own tooling and form part of the annual operational planning, which together with task management is housed in their own system. The PCT is used for risk analysis and policy documentation, and links have been established with the PCT from Emprover.
Continuous improvement process
Emprover grew rapidly during COVID, so they wanted to pause and take a good look at their own operations. ISO 27001 certification makes you scrutinise your own operations and determine where adjustments are needed. ISO 27001 talks about continuous improvement, which fits Emprover perfectly, as it is woven into the methodology they teach their customers.
The certification process ensures that you review things annually, see if it still fits or works and take action when necessary. Precisely because information security is standard on the agenda, you can no longer avoid it.
Have any issues in operations changed as a result of certification?
‘Absolutely! What I hadn’t realised are the rules around your employees and staff you hire. The management measures related to (hiring) staff indicate that you need to monitor them, but also record their entry and exit. So being aware of information security and your staff. Now we have recorded this well and this is also provided to the employees, which again makes them more aware of their role.’
Fleur goes on to say, ‘The management review is good for our own process as well as the supplier review. We have been working with our developers since 2016 and because we now have good input from the supplier assessment, we have more substantive discussions with them and you go more into expectation using the supplier assessment template. We are now more aware of what issues to include in terms and conditions in discussions with our suppliers. All in all, this has led to a more mature and professional management, which fits well with the growth we have experienced as an organisation.’
Tips for other organisations on ISO 27001 certification?
- Be aware that you need to be able to review and monitor the policies you write.
- Make several people from your organisation responsible.
- Reserve a ‘fixed’ half-day per week for activities arising from certification.
- Don’t try to “push it through” your organisation in a short time. Quality will improve if you really put some things on hold for a while.
It’s nice working with Protify. They are very flexible. They always answer my questions. They try very hard to empathise with where you are as an organisation. We get practical tips, which I like.
Like Emprover, are you looking for an expert partner for ISO 27001 certification?
Contact us and we will be happy to tell you more about the possibilities for your organisation.