MRPeasy Certified to ISO 27001
ISO 27001 is an international standard for information security management; certification against it demonstrates that a business has controls in place to protect the data it holds. Although data security has been a top priority of MRPeasy since its founding, the company now holds the certificates to prove it. CMO Karl H. Lauri explains what this means and why it matters.
What is ISO 27001?
ISO 27001 is the most important information security management standard in the world today. It is awarded by the International Organization for Standardization (ISO) to companies that have proven to have a secure system for managing customer and employee data, financial data, intellectual property, and other information kept within the company.
For how long has MRPeasy prepared for this?
MRPeasy has paid great attention to information security from the very founding of the company 9 years ago. Even though we were largely already ISO 27001 compliant, we decided to get certified in mid-2022. Since our initial assessment, we have gone through two audits by the accredited certification company Bureau Veritas. The final audit was held in February 2023 and we passed it with honors.
Why is the certificate important?
Becoming ISO 27001 certified proves to our customers and partners that their data is kept safe with us. Although we do not request sensitive data from customers, they still may store it within our system. If not stored and handled diligently, this data can be stolen or lost quite easily. Being ISO 27001 compliant shows that we have the necessary processes and policies in place to prevent this.
What does it take to get certified?
It is a rigorous system, so it does take significant investment in both time and resources if you start from scratch. But as we were focusing on information security from the start, the actual process of becoming certified was fairly painless. We did have to implement a few improvements in the physical security of our office, the third-party software we use, as well as employee training, but these were quite minor adjustments. Going forward, an auditor will review our system once per year, which is why we have to constantly review and improve our data security processes.
Do customers specifically request this certification?
Some companies explicitly require it, while others do not. However, there are very few organizations that do not care about their data being safe. And even though a company might not have the ISO 27001 certification as a requirement when choosing a software partner, it is becoming an increasingly important selling point.
Should other IT companies get this certification?
I would say it is worth investing in, especially for fast-growing companies like MRPeasy. First of all, getting these policies and procedures in place before reaching 100 employees is so much easier. Rather than spending double or triple the time on training hundreds of employees later, you can just let the compliance system grow with your company. Secondly, it is an important signal that you can be trusted with your customers’ data. And thirdly, perhaps most importantly, having ISO 27001 compliant processes and policies in place will protect your company from a variety of threats that could end up costing much more than becoming certified.