
ISO 27001 implementation at Kreuze: from gap analysis to certificate

Written by Mathijs de Vaal

An interview with Yvo Dolmans

Kreuze decided in 2021 that they wanted to get certified for ISO 27001, the information security standard. They wanted to improve internal affairs and respond to market forces, as more and more customers are demanding this standard. As Kreuze had no experience in the field of certification, they decided to go with Protify after selecting from several parties. Do you want to implement ISO 27001 in your organisation? Read how the preparation for the audit and the subsequent certification went at Kreuze, and which tips Yvo Dolmans has.

About Kreuze

Kreuze looks at business communications from a new, broader perspective. They offer customised integrated communication solutions, from fixed & mobile telephony to business online communication and customised solutions. Choosing ISO 27001 therefore fits well with their services, as handling confidential and personal information is part of their daily business.

Start project – Gap analysis

In March 2021, Kreuze started the project. Because they wanted to approach ISO 27001 certification properly, they decided to set up an ISO team consisting of four people: Mischa Walraven (Managing Director), Ceriel Roland (Technical Director), Daan Lambrix (Technical Security Officer) and Yvo Dolmans (Operational Security Officer). HR was also involved. Management gave this team the space and time to take up this task in addition to their regular duties. Together with consultant Danielle de Vaal from Protify, Kreuze’s ISO team started the certification process. First, a gap analysis was carried out. It showed that Kreuze had already implemented many parts of the ISO standard and acted accordingly, but that not all of it was documented. This gap analysis gave them good insight into what was needed to set up their ISMS.

Yvo Dolmans says: ‘Things became visible, you always think you have your IT security in order, but how do you see this? You only see that when things threaten to go wrong. We learned how important it is to have those things in place to be able to secure and safeguard against unexpected issues. As an example, when Corona broke out, we started working from home with all colleagues overnight. This was possible because we can work site-independent and were therefore not tied to our premises. During the Gap analysis, we realised that we already had this well set up.’

Protify as consultant and project leader

As a consultant, Danielle de Vaal went through the standard with Kreuze’s ISO team. The standard was divided into pieces, handled in sprints, and information for each part was gathered through interviews. On the basis of these interviews, Protify made a first pass by incorporating this information into the ISMS. Kreuze could then add its own information or make changes. These ‘blocks of information’ eventually formed a larger whole, which served as the basis for the ISMS, which is part of ISO 27001 for information security.

What did you start doing differently after introducing ISO 27001?

  • ‘We have started working even more with Security awareness. Creating awareness among our people, for example by running tests with phishing mails.
  • We put our documentation in even better order, working with classifications of secure documents or trusted persons or public documents.
  • Instructions for employees on how to store documents and what can and cannot be shared, in order to raise awareness.
  • We make employees think about their actions based on security and safety and how they should handle documents from there.
  • We have included ISO compliance internally in the assessment of our employees.’

Are there any noticeable effects of your ISO certification yet?

Yvo says: ‘Yes, we won a tender process where ISO 27001 was a requirement and we could now demonstrate that. Of course it has a commercial interest for us, we have customers in governments and municipalities who require this certification from us. But that was not the biggest driver. Just for ourselves, setting up the process properly and knowing that you have your affairs in order is even more important. Eventually, though, more and more companies are going to demand that you have your security in good order. And for us that is now well in order.’

How is that going now? You set up your ISMS, has your approach changed now?

Yvo says: ‘The ISO team still exists, we have now created a certification consultation, where we discuss matters that have something to do with information security but also the recurring tasks that arise from the ISO standard. The nice thing about the tool (PCT) is that you receive a trigger that a task is open. Because this tool proactively works with you, it also becomes part of your daily process. And you discuss it and act accordingly. It is no longer that you are working on it daily, like setting up the ISMS, but it is part of your work. It comes back weekly. What is the state of open tasks, have we had the awareness consultation? What’s left on the schedule?’

Tips if you want to achieve ISO 27001 certification?

  • Don’t underestimate it and give the staff involved the space to work on this. Because we, as the ISO team, were able to focus our attention on setting up the ISMS and the certification process, we succeeded in a relatively short period of time.
  • Find an expert partner like Protify to explain the ISO matter. The subject matter can be quite complex, especially if you have never encountered it before.
  • Make sure you make ISO 27001 part of your business process.
  • Do it for the right reason! Not primarily to get more commercial activity. Yes, it is a derivative, but make sure it is not the main one!
  • Think of it as a kind of insurance for your organisation in terms of information security. It gives peace of mind as you carry out checks throughout the year.

Now that we are certified, it really only begins. Compare it to a driving licence: after you obtain it, you only really learn to drive.

Yvo Dolmans

How to proceed now?

Protify supported us in setting up the ISMS and made us aware of it. Now, as an ISO team, we are pulling that further into the organisation. Now that we are certified, it really only begins. Compare it to a driving licence: after you get it, you really learn to drive. We do plan to use Protify’s services for the next internal audit. You do notice that the questions can really be very specific, I think it is too early in the first year to do this all by yourself. So we are happy to still be taken by the hand. We look forward to further cooperation.

More information?

Contact us if you would like advice on ISO 27001 certification for your organisation.


Mathijs de Vaal

As managing consultant, Mathijs leads strategic projects and advises organisations on how to gain control over compliance. With sharp analytical skills and as a true team player, he leads project teams and translates compliance challenges into concrete solutions.
