Information security

Make the quality of your information security visible


Background

You treat confidential information with care and have adequately provided for your information security. You have now reached the point where you want to show this to the outside world, either because you consider it important or because your customers require it. Certification under the international standard ISO 27001 is the perfect solution.

If your services involve the issuance of electronic certificates, you can also apply for a verification under ETSI 101 456. Your customers will then know that the certificates you issue are in line with the European directive for electronic signatures. Where necessary, you can also request an assessment against the additional requirements of the Public Key Infrastructure of the Dutch government, also referred to as ‘PKI-overheid’.

What is certification?

Certification is an assessment against (inter)national standards by an independent authority that is accredited by the Dutch Accreditation Council (‘Raad voor Accreditatie’).

The ISO 27001 and ETSI 101 456 standards are internationally recognised certification schemes for information security. ISO 27001 is a generic standard for the process management of information security management systems (ISMS), and ETSI 101 456 is the standard for electronic signatures and qualified PKI certificates. Both standards are considered leading, both in the Netherlands and abroad. PricewaterhouseCoopers Certification (PwCC) has been appointed by the Dutch Accreditation Council as an authority entitled to assess against these standards and to issue certificates for this purpose.

Why a certification?

Certification of information security can bring advantages in various situations:

  • Your customers, as part of their risk management, ask you for assurance about your information security.
  • Your organisation is obliged to comply with the above standards, for example in Requests for Proposal for outsourcing or in tendering processes.
  • Your organisation is subjected to various internal and/or external audits in which questions are asked about the state of your information security. Certification has the advantage that you save costs, as you no longer need to undergo audits every year or to provide statements for potential customers.
  • You want to make the quality of your information security visible internally. Certification of your information security enables you to make that quality clearly visible to the various stakeholders within your organisation. Particularly in larger organisations with distributed responsibilities, it is beneficial to have a certified information security system.

For auditors, a certified environment is often sufficient to completely or partially waive the requirement for further guarantees or audits. This spares you from having to give full disclosure of your activities and from scheduling additional assessments. Moreover, it reduces costs and frees up your organisation. Certification also helps maintain the quality of the processes themselves.

What does a certification process look like?

In outline, the certification process comprises six components:

Figure: Certification process

  • Trial audit: for the trial audit, an initial assessment is made on the basis of interviews and documentation. Your organisation immediately gets a clear picture of the feasibility of certification and is thereby adequately prepared for the certification process.
  • Handbook assessment: in this phase, the available documentation relating to the management system is assessed. Any particularities are reported to you, so that you can dot the i’s and cross the t’s in preparation for the initial audit.
  • Implementation assessment: this assessment is intended to determine whether there is sufficient confidence that your organisation complies with the requirements stipulated in the standards applied. An important area of focus here is whether work is actually carried out in accordance with the documentation.
  • Certification decision: once the areas for improvement highlighted in the audit have been addressed, the audit report is assessed by the regulators within PwCC and the certificate is issued to the organisation.
  • Surveillance audit: the certificate is valid for a period of three years. During this period of validity, so-called surveillance audits are carried out to assess whether the management system continues to be complied with and whether the areas for improvement highlighted have been addressed adequately.
  • Reassessment: after the three-year period of validity has expired, the verification process must be started all over again in order to renew your certificate. This requires a reassessment of your management system.

Does it matter who issues the certificate?

If your information security has been certified, you first of all demonstrate that you have based your processes on internationally accepted best practice. If this certificate has been issued by an internationally highly regarded party such as PwCC, you can be sure that you really distinguish yourself.

As one of only a few companies, PwCC is able to carry out certification of information security under ISO 27001 / 27002 and ETSI 101 456 worldwide.

More information or a quote?

For more information on our services in the area of certification of your information security system or electronic signatures, or for a quote, please contact Otto Vermeulen (08879 26374), Fook Hwa Tan (08879 27556) or Eric Verheul (08879 27481).

The registers of ISO 27001 and TTP certificates are kept by ECP.nl.