ICT Institute is ISO 27001 certified

| Sieuwert van Otterloo | Other

ICT Institute has an ISO 27001-certified information security management system. After helping many other companies, we decided that we should 'eat our own advice'. We used our own templates and workshop material to create procedures for our own company. We were certified in December 2021 and will be re-audited every year.

Norm and scope

We have been certified against the norm 'NEN-EN-ISO/IEC 27001:2017+A11:2020 nl'. This is the latest version of the ISO 27001 norm. This norm applies to the information security processes of the company. To get certified, we had to create a policy (published here). We also had to create procedures, do an internal audit and pass a two-phase external audit.

The scope of our certification includes all our activities. The formal scope statement is:

The information security related to advisory services (consultancy), research, training and supporting processes.

This includes all our professional services. Nothing has been placed out of scope.

We have been audited by Digitrust, one of the accredited ISO certification firms in the Netherlands. We conduct many audits ourselves and have several ISO 27001 lead auditors, but a company cannot audit and certify itself.

What does ISO 27001 certification mean?

Certification does not guarantee that we will never be hacked or make mistakes. It means that we have processes in place to control information security risks. We have procedures for, for instance, access control, logging and monitoring, and incident management.

Anyone who has followed the news in 2021 will understand that cyber security incidents can happen at any company, large or small. We will continue to do our best to minimise risks, act professionally and use our certified processes to our advantage.

Want to know more?

If you want to know more about our information security, download our main policy, check our privacy policy, or ask for a PDF copy of our certificate and statement of applicability. If you need additional guarantees, ask for a non-disclosure policy. If you need additional security measures, make sure that these are included in the project proposal. We treat all client data as confidential even if no NDA is in place, but we sign NDAs for client projects if additional assurance is required. If you would like to improve your own information security or get certified, we have many relevant articles on our information security page and a good article in Dutch (Hoe vraag je ISO 27001 certificatie aan).

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT contracts.