
Our journey towards ISO27001 certification

Monday, October 10, 2022
Koen Verschooten
Operations manager
Egwin Avau
Founder & CEO

Back in 2021 we embarked on a mission together with PwC Belgium to thoroughly assess our data security practices against the ISO 27001 standard. What followed was a journey that led to official ISO 27001 certification in July 2022. This article highlights how we got there and what the certification means for our daily operations, our product portfolio, our clients and our whole team.

What is ISO 27001?

ISO/IEC 27001 is an international standard for managing information security. It specifies the requirements for an information security management system (ISMS), which enables an organization to manage the security of assets such as financial information, intellectual property, employee details and information entrusted to it by third parties.

Why ISO 27001?

We’ve been doing a balancing act for many years:

  • On the one hand, we love, and we need, to work at a fast pace.
  • On the other hand, we cherish quality, including its information security aspects.

Mature software products come with the assurance that data is handled correctly, both operationally and technically. With the ISO 27001 certificate in hand we are formalizing our security standards across our product portfolio: nothing we build ships without the principles of our information security management system applied.

The certificate supports both our internal (employees and contractors) and external operations (clients, candidates, authorities and more).

The road towards ISO 27001 certification

  1. Defining the approach

We had been discussing the need for a certification for a while, since security was becoming a recurring topic for our products. To streamline the implementation of the ISMS, we got in touch with PwC for support. PwC assisted us with preparing the documentation and guided us through the list of requirements of the standard.

  2. Building an ISMS

The way we work is constantly changing, but an ISMS that defines both a policy and a system to put it into practice is crucial. The current building blocks of our ISMS can be summarized as follows:

Policies:

  • ISMS policy: defining the scope of the ISMS and the context of our organization
  • Internal security policy, the heart of the ISMS, covering among others:
      • Passwords and devices
      • Incidents
      • Data protection and classification
      • Secure development
      • Physical location security
      • Organizational security
  • Internal audit policy: a half-yearly internal audit and a yearly external audit
  • Performance evaluation process: measurements of how well our ISMS is operating

System:

  • Procedures: we don’t rely on extensive documentation, but prefer well-defined checklists, organized on our kanban boards, that embody our information security principles. Examples are the product initiation, onboarding and offboarding procedures, the (technical) audit of our product portfolio and default meeting agendas.
  • Continuous improvement: as processes and standards evolve, we’ll make sure our ISMS will keep maturing as well.

  3. Time for audit

To obtain the official ISO 27001 certificate, we had to pass a series of audits, which in our case happened in three stages:

  • Internal audit: internal checks and balances to verify that we do what our policies say.
  • Stage 1 audit: a preparation audit to verify, based on the documentation we had in place, whether we were ready for the stage 2 audit.
  • Stage 2 audit - certification: the last step was the final audit during which employees were interviewed and policies were thoroughly examined. We passed the final audit and received the certificate from DQS.

  4. Continuous improvement

Continuous improvement is in our DNA, and the ISMS is no different. In the coming years we’ll keep building on the foundations laid in the past year and refine our information security processes as a team.

What’s next?

We see this certification serving as a stepping stone towards new and larger-scale partnerships and responsibilities. We come with all the benefits of a young and ambitious team, and we have the solid backing of our ISO 27001 certificate to demonstrate the same security assurances as the biggest players in our industry. “Move fast and break things” doesn’t apply to us. We move fast and deliver quality at the highest security standards.

We are so incredibly ready for what the future holds!

Let's build!

Are you looking for an entrepreneurial digital partner?
Reach out to hello@panenco.com.
