Jukka Pirinen
When we at Qridi decided — for reasons I’ll return to later — to begin the process of obtaining the ISO 27001 information security certificate, I pictured, in my mind’s eye, a dusty binder occupying a prestigious spot on the company bookshelf: a quality manual in which all company processes are described in meticulous detail, and a quality manager, a dull but proper figure, more or less detached from the realities of daily office life, perhaps an older, practically minded engineer or even a master’s-level engineer, someone for whom quality systems are practically a calling.
Once the work towards certification began, my stereotypical image quickly proved to be both outdated and inaccurate. In reality, ISO 27001 is not a quality system, but a standard that defines an information security management system. This system enables organisations to protect their information assets. The standard also does not require any particular format for documentation — so instead of physical binders, we use a documentation platform provided by a cloud service, which in our case is Confluence. And nowadays, bookshelves are, in fact, a rare sight in most company offices.
As the work progressed, we encountered what is likely a fairly typical situation for a small software company: information security along with the associated processes and practices had been based on legal requirements and customer contracts. From the perspective of the standard, these were partly insufficient and documented at best in a passable manner. An external auditor had already reviewed the technical information security of the Qridi software service twice, so that aspect was in good shape. Fortunately, implementation of the standard didn’t result in the kind of rigid quality manual I initially imagined. Instead, the modern tools we use in software development adapted well to the standard’s requirements for collecting and documenting evidence.
Adopting the standard was a major effort for the entire company. There were dozens of planning meetings, and in addition at least as much time was spent by employees working independently. As a result, our company’s processes and practices related to information security improved significantly. It’s also worth remembering that information security should not be understood too narrowly. It’s often summarised with the acronym CIA — Confidentiality, Integrity, Availability — all of which are essential components. Of these, availability particularly broadens the concept of information security to encompass nearly all areas of company operations.
So, what were the reasons I mentioned at the beginning? They were almost entirely business-driven: an information security certificate boosts a company’s credibility in the market. This is especially true in one of Qridi’s main sectors, the international education market, where major private school networks, in particular, essentially require such a certificate before moving beyond the pilot stage. The certificate also has features of a quality system, which in turn facilitates company growth. Moreover, the standardisation process forces a company to examine its operations from a new perspective. Even if there are no binders gathering dust on a shelf, it’s still worthwhile to metaphorically dust off the way things are done from time to time.
Obtaining the information security certificate is only the beginning of the journey. One of the most important requirements of the certificate is continuous improvement, meaning that a company’s information security is never truly finished or ready. This continuous improvement is tracked through internal reviews and ensured by annual audits conducted by the certifying body. In addition to significantly benefiting Qridi’s operations as a whole, the ISO 27001 certificate also benefits all of Qridi’s current and future customers by ensuring even stronger information security. The effort to obtain the ISO 27001 certificate was well worth it.