ISO27001 Certification – we f**king did it!
An ambitious goal, a demanding process, but worth all the effort. This summarizes Cloud2’s journey to obtaining the ISO27001 certification.
What is ISO27001 Certification?
ISO27001 is an international standard that defines the requirements for an Information Security Management System (ISMS). It demonstrates that an organization identifies information security risks and works systematically to develop its information security. The certification sends a strong message to customers and partners that the company takes the confidentiality, integrity, and availability of information seriously.
Cloud2's Journey: Towards Better Information Security
"An enormous amount of process integration," is how Mikko Laakkonen describes Cloud2's journey to obtaining the ISO27001 certification.
"It requires time, pulling everything together, and understanding the whole structure." Jussi Isosomppi adds: "We worked intensively and ended up putting in a tremendous number of hours. We spent a long time examining the same documents and reviewing them repeatedly. It was rewarding because we had already been doing things right from the beginning, and this just proved it."
The journey wasn't straightforward. Cloud2 chose Nixu, known as a demanding domestic certifier, as its auditor.
"The auditor was very demanding, and that's how it should be," states Jussi Isosomppi.
The certification was only achieved during the second round, after implementing the six-month improvement plan. The demanding process and auditor ensured that information security was brought to prime condition right from the start.
Why ISO27001 Was Important for Cloud2
Cloud2's motivation for obtaining the certification was multifaceted:
Risk management and supply chain security – A systematic way to identify and manage information security risks, while recognizing the critical need to protect not only their own operations but also their customers. The EU Network and Information Security Directive (NIS2) sets requirements for supply chains, and Cloud2 understood that its customers could be targeted through it as a supplier. This means its security needs to be at a higher level than that of its most critical customers.
Customer requirements – Although customers did not yet require certification, they strongly encouraged it.
Competitive advantage – "If you want to stand out as a partner and stay relevant, you need to keep up with the industry's various requirements."
The Business Impact of Certification
As Cloud2 grows, our customers grow as well, and the company's significance in customer ecosystems increases. This leads to a natural progression where both Cloud2 itself and customers demand more.
"We're handling increasingly larger portions of our customers' environments. Customer requirements are growing, and requirements in their own risk management are increasing."
Our customers include energy, finance, healthcare and life science providers, who are already subject to extensive requirements including NIS2 regulations.
The ISO27001 certification enhances the company's credibility in a highly competitive field.
"We compete alongside large companies for major clients. Competitors have certifications, so it's important that we have them too. This way, we're competing on an equal footing."
The certification is an official demonstration of expertise and a natural step in growth.
Scope and Continuity of the Certification
Cloud2's certification scope is defined as follows: "Cloud2 Finland internal operations including: Professional services, Managed services, Sales, Marketing, Administration and Management, and excluding self-developed SaaS applications (Spotter)."
The certification is valid for three years, but the process continues throughout that period. The operation of the information security management system is regularly reviewed with management and the board. The auditor also conducts spot checks during the first two years of the cycle and issues correction plans if needed.
"The management system's operation will be tested. The system is continuously running, and it needs to be verified."
At the core of the system is the continuous improvement cycle, or PDCA process (Plan, Do, Check, Act).
A Collective Effort
Obtaining the ISO27001 certification was a collective effort by the entire company. The process involved Jussi Isosomppi, Mikko Laakkonen, Juha-Matti Ohvo, Teemu Ijäs, Joni Kiukas, as well as representatives from various stakeholder groups. Additionally, the entire staff participated in learning the new approach.
Cloud2's experience with ISO27001 certification demonstrates that while the process is laborious, it is also rewarding. It provides the company with a clear framework to systematically develop information security and shows externally that information security is taken seriously.
In the IT industry, where the importance of information security continues to grow, ISO27001 certification is increasingly becoming a requirement rather than just a competitive advantage.
More information:
Jussi Isosomppi, CISO
jussi.isosomppi@cloud2.fi