We sat down with our very own Chief Information Security Officer Fabian Wiedemann to talk about our recent certification against the international ISO 27001 standard for information security. He explains what this means for Staffbase and for our customers.
What is the ISO 27001 certification and why is it so important for Staffbase?
The ISO 27001 is an international standard that defines how information security should be handled at a company. As we are working with our customers' data, their users' and their employees' and all the other data we have from them, it is very important for them to have a trustworthy and reliable partner.
With the ISO 27001 we received a certificate that shows all the customers and all prospects out there that we are compliant with this industry standard and that information security for our employee app and employee experience intranet platform is well established at Staffbase.
What did the certification process involve?
The process for getting this very nice certificate behind me started around a year ago. We kicked it off with an external consultant to identify the status quo of the information security here at Staffbase. And the very cool thing was that we realized that information security was always one of our key focus points here at Staffbase and that our living processes and tools were always on that very high level in terms of information security.
But we also identified some lacks where we were not as good as what the ISO demands, like some documentation points and then some enterprise-ready features and things like that. So we created working packages for getting compliant with the ISO 27001. In the past year we were working on it to get all these things done. Then it ended with a couple of audits with the experts from the external agency TÜV Süd here in Germany to successfully certify that we are compliant with the ISO 27001.
What does the ISO certification mean for our customers?
For future customers, this is a very good point because most of our customers are very big enterprises, and they need to deal with information security at some point anyway. So their purchasing processes almost always include some checks for information security for their suppliers. In the past we needed to fill out a lot of questionnaires, needed to do a lot of paperwork and had a lot of discussions to show that information security is on a high level here at Staffbase.
With this certificate, it just speeds up the processes for purchasing to get their own employee app, because everybody knows this standard and knows what it means. So they can trust in Staffbase without doing a lot of paperwork there.
For our existing customers, there will not be a big change at all, because the information security is still on the high level as it was in the past. But now, they can trust more than ever that information security is very important here at Staffbase, that it's on a high level and that the information they give to Staffbase is secure here.
What are the next steps after the certification?
In the future, we still have a lot of things to do because the ISO 27001 needs a re-evaluation audit every year and a re-certification audit every three years, where we show that the standard is still established here at Staffbase and to show that we are still doing the stuff we promised to do. Besides that, we still have some points where we can improve ourselves and where we can establish much more reliable processes and tools to grow in a sustainable way in the future.