'ISO 27001 shows we have control over our risks'

An ISO 27001 certificate remains valid for three years, provided you submit to an annual verification audit and heed its findings. In the meantime, RINIS has had its first verification audit. Good enough reason to speak to Oscar Varas Roman, Information Security Officer (ISO, on the right in the picture) and Marc Hagemeijer, Chief Information Security Officer (CISO, on the left in the picture).

What are the implications for RINIS having been awarded ISO 27001 certification?

‘This shows that RINIS has a management system in place to protect its information, known as an Information Security Management System (ISMS). This does not refer to a software system, but to a process to control risks in the area of information security. The certificate shows that RINIS’s management has a due understanding of the main risks in the area of information security and has put in place steps to control or reduce those risks.’

Why is ISO 27001 so important?

‘RINIS is all about guaranteed, reliable and secure data communications. With this certificate, especially as it is an international certificate, we are telling the world we are on top of the main security risks. Which is important given the rising number of international exchanges we handle.’

‘The ISO 27001 certificate enables us to serve proof of the fact that we adopt a conscientious and systematic approach to information security. We are very much a pioneer in government circles in this respect.’

Is this a distinctive feature for RINIS that enables us to stand out?

‘In the world of business, the ISO 27001 certificate is very widespread. But not quite so among government organisations. This certificate sees us show the world at large that we are taking a deliberate and structural approach to information security. This really is an area in which we are at the forefront within the government. And not without good reason, as we play a key part in the roll-out of eGovernment. The certificate is one of the ways in which we unburden our participants and customers.’

What is the link with BIO, the Government Information Security Baseline (Baseline Informatiebeveiliging Overheid)?

‘Amongst other things, the ISO 27001 norm describes a set of measures, which are required to be considered as having an acceptable level of security. The government has adopted these measures, beefed them up and imposed them as compulsory on government organisations under the BIO header. We are aiming to become BIO-compliant ourselves some time this year. Something which we will be demonstrating by way of an ISAE3000 statement.’

Is there such a thing as a certificate for compliance with the GDPR, the General Data Protection Regulation?

‘Right now, organisations and businesses cannot have themselves GDPR-certified, but efforts are in hand. And this is not something we are just hanging around for. As soon as we are BIO-compliant, we plan to augment our business policy with additional requirements arising from the GDPR and the ISO27701 standard.’

How do you make sure we are compliant, i.e. that we meet the requirements of applicable laws and regulations?

‘As a first step, we did a stock-take of the main laws and regulations that govern the field of information security. We are now in the process of going through them in detail along with a lawyer: what is relevant to RINIS and what does it mean in practical terms? The next step will be for us to then incorporate the practical significance and applicability of pertinent laws and regulations into a single integrated business policy. We will render this as a SMART policy. Compliance therewith will be ensured up and down the organisation as a whole. So all we will need to do is to simply abide by our business policy to meet the requirements of the entire body of laws and regulations in the area of information security.’

How do you make sure the business policy is observed?

‘The business policy is enshrined in Confluence, our knowledge management system, whereby we link the responsibilities for the operational measures within the business policy to roles. So everybody knows exactly which role is responsible for which measures and what the assessment criteria are. In the third quarter of this year, we plan to conduct an internal audit to rate the maturity level of each measure, so we know to what extent we are compliant with our own business policy and consequently with the pertinent laws and regulations.’

So what happens if the law is made to change?

‘In that case, the compliance officer will first map the differences with the current situation and establish whether they are relevant to RINIS. If so, we will decide whether or not the business policy is to be amended. In that case, only those members of staff will be informed who are in charge of the related measures. In other words, employees will not be expected to worm their way through a new version of the GDPR by themselves. They will get all the assistance they need to comply with the laws and regulations.’