Foleon recently received its ISO 27001 certification, the international standard that provides specifications for best-practice information security management systems (ISMS).
In a nutshell, this certification demonstrates that Foleon is effective in protecting user data, minimizing risk exposure, and fostering a culture of information security.
Jeroen Bulters has been building software for over 20 years. In 2017, he founded Nerd as a Service (NaaS), a tactical software consultancy agency, to help organizations bridge the gap between management and the fast-changing world of software developers.
Jeroen helped us waterproof our information security and prepare for the ISO 27001 audit. We interviewed him about the process.
Why is ISO 27001 so important for SaaS companies?
“SaaS” is still quite a young concept and few SaaS companies are structured or governed to the extent more mature organizations are. Because information security is one of the most important quality aspects of software, certification for the system that manages information security is key to becoming and staying a trustworthy software provider.
How did you approach helping Foleon become ISO 27001 certified?
As always, we start by getting to know the organization and its challenges, both technical and organizational. After gaining an understanding of how Foleon worked, we (i.e. NaaS) drafted an information security policy outlining the management system.
After putting this in place, we performed a complete internal control cycle, over the period of about a year, to iterate on that first draft. This was to ensure we implemented a management system appropriate for Foleon while minimizing the “burden” on employees.
What, in your eyes, was the biggest infosec challenge Foleon faced?
Foleon, like many organizations of the same size, faced a number of challenges associated with growth. At a certain point, you’re suddenly no longer that small start-up with an org-chart 2 levels deep. You’re introducing the concepts of “direct reportees,” “management,” and more compartmentalization. Accepting this fact and living up to the expectations of a more mature organization is difficult.
How would you say Foleon addressed this specific challenge and the overall preparation for becoming ISO 27001 compliant?
From the moment we decided that Foleon could benefit from an ISO 27001 certification, management dedicated themselves to achieving it. Dedication is essential; it can be one of the main risks associated with formalizing processes in an organization.
After that, everyone at Foleon took it as a given fact that “this has to be done” — illustrating a great company culture and level of adaptability.
One really neat thing that also illustrated the way Foleon embedded security into their culture was the way employees continuously promoted security awareness. They even put up funny posters in the restrooms: “only leak here, don’t leak information!”
Now that Foleon is ISO 27001 certified, what does it say about our company?
Quite simply: Foleon is committed to being — and remaining — a safe organization with respect to information security and to continuously growing in the way they design, implement, and execute everything concerning it.
What is your advice for other organizations that strive for this level of infosec?
Be open to change, accept the fact that growth will change your organization, and realize that a formal management system does not mean the end of a certain company culture… on the contrary!