Over the past year, DNV GL Group has audited CheckWare's system for information security. Just after the summer holidays, word came that certification according to the ISO 27001 standard is in place.
- We are very satisfied, says Chief Information Security Officer (CISO) in CheckWare, Stig Husby. - This is a solid confirmation that CheckWare is a safe and sound choice.
ISO/IEC 27001 is the world's most recognized standard for data security. The standard takes a holistic approach to IT security and describes best practices for protecting data and digital content.
The management system shall ensure the necessary confidentiality, integrity and availability in the handling of companies' information. At its core is a risk management process that aims to give the company's stakeholders confidence that information security risks are handled in a responsible manner.
The main requirements for achieving the ISO certification are that the company establishes, implements, maintains and improves a functioning information security system. What is needed to meet the requirements must be planned, implemented and controlled. The company must be in control of all changes, and evaluate the consequences of unexpected changes, so that it can quickly take the steps needed to reduce the consequences of unforeseen events.
- It is basically a tough standard, because it is resource-intensive to meet all the requirements. It is not at all common for small and medium-sized businesses to take that burden. CheckWare has always lived by these requirements, and it is good to have the official confirmation in place.
For CheckWare, it is business critical to have proper information security at all levels. The formal process with the auditing company DNV first started in September 2019, with interviews of employees, inspections from the auditor, submitted documentation and improvements along the way.
Requirements from customers
Husby makes no secret of the fact that it is a requirement from the market that a health technology company of CheckWare's caliber takes care of this.
- What is reassuring, when external actors check our procedures, is that our own assumptions are correct: We now have the proof that the procedures actually hold up. It is a confirmation from a third party that we are implementing what we actually say we will do, he says. - Also internationally, it is ISO that applies when it comes to quality assurance, says Husby.
CheckWare has not taken the easiest path to the goal of certification either. Some choose to certify only the technical part of the business, while CheckWare has chosen a more holistic approach, where all parts of the business have been ISO certified.
- It's as simple as everything we do in CheckWare being affected by information security. All employees and all routines have been assessed. For us, it is extra satisfying with the general feedback from the auditor: DNV believes that it seems that we are extremely concerned about information security at all levels. We are of course very pleased with such positive observations from a control body, says Stig Husby, who is the CTO of the company on a daily basis.