To make things easy, both experts have the same first name. Ruben van der Kolk is CISO of the WoodWing Group, and Ruben Glasbergen is a quality consultant at Herrmann BV, the quality management consultancy firm that handles internal audits for WoodWing.
Ruben Glasbergen: “The hunger for data and the growing number of information systems in which data is recorded make it even more important to think about how you organize everything. After all, business information is only valuable if it is available, accessible and reliable. ISO 27001 gives you the tools to do this.”
Ruben van der Kolk: “We get asked in just about every customer conversation how we have organized our information security. Logical when you consider that they house their valuable documents and business information in our systems. The ISO 27001 certification is our proof that we have our information security management system (ISMS) in order, at all three levels. Indeed, what many don't know is that with ISO 27001 you demonstrate that your ISMS is correct in design, but also in terms of practical application and demonstrable effectiveness (i.e., design, operation and existence).”
Pitfall number one is paying too much attention to technology and too little to promoting security awareness throughout the organization. A second pitfall is that people get lost in details and therefore forget the ultimate objective. But the biggest misconception of all is pitfall number three: doing an ISO certification for a check mark from the auditor instead of continuously improving your information security.
Ruben Glasbergen: “The technical side of the ISO framework is often in order. Many companies use technology from large companies like Amazon and Microsoft, and they really have their affairs in order in terms of information security.” Ruben van der Kolk: “At WoodWing, in the beginning it was mainly those directly involved who were aware of the importance of information security. For other employees, it remained a distant concern because the guidelines were too far removed from their work in practice.”
Ruben van der Kolk: “Don't do things because you think you should, but focus on those parts that add something concrete.” Ruben Glasbergen: “You see the first in supplier management, for example. The standard says that you have to 'do something with it,' but that does not mean that you have to completely audit every supplier you have ever worked with every week.”
Ruben Glasbergen: “Why set up an ISMS to satisfy an external auditor? Try to keep it small so that what you're doing is effective, and keep building that up.” Ruben van der Kolk: “An ISMS should work primarily for your organization. Make information security relevant for your employees, then the translation to their own work is quicker and that's exactly where you can make the biggest gains.”
Ruben van der Kolk: “There are several ways you can avoid known pitfalls. At WoodWing, we do it as follows:”
“WoodWing's management itself has introduced KPIs for information security. Periodic awareness training must be completed by at least 98% of employees, and we are also working on an awareness score to gain more insight into effectiveness. In addition, the MT and MDs also propagate the importance of security awareness, for example during company-wide meetings.”
“Involving employees in information security starts on day one for us. It is part of the onboarding of new colleagues, including in the form of a personal interview with an ISO or the CISO.”
“With the tip of the month, we discuss a current example and tell employees the best thing to do in such cases. In internal audits, we actually select auditees who do the work instead of only interviewing managers who have the process set up and therefore know from A to Z how something works. That increases their awareness and involvement and gives a better understanding of our processes and whether they are working on the shop floor as worked out in your ISMS.”
“We look at how someone works and then determine what it takes to keep information secure in the process. By doing so, you bring ISO 27001 to the users and they don't have to figure out for themselves what information security looks like in their jobs. In addition, ISO guidelines are a regular part of projects, so we ask the right questions at the right time.”
“We are ISO 27001 certified because we want to work in a structured and sustainable way to improve information security. If a certain part of the standard adds something, then we make it as nice as possible. If it doesn't, then the basics suffice.”
Ruben Glasbergen: “If your approach to information security is larger and more complex, then you really can't do without modern tools. You can see that in a positive way at WoodWing. Every employee I ask is very aware of the importance and practical application of information security. Evidence of that awareness can easily be found in the Scienta quality management system in the form of the detailed rules and checks. Being able to present the information security guidelines in Scienta in an attractive way contributes to the overall accessibility of knowledge and information and keeps the subject alive.”
Ruben van der Kolk: “Internal audits are mandatory under the ISO 27001 standard. We see it primarily as an added benefit because anything picked up in the internal audit is out of bounds in the external audit. Of course, every audit is exciting, but Ruben Glasbergen knows exactly what to do to put employees at ease. Within two minutes, he creates a nice, open atmosphere where colleagues dare to talk freely about how they work. This gives us a good picture of how things really stand and where we can learn and improve. And that is what we are ultimately all about.”