ISO 27001 external audit with only one observation!
Stefan van Aalst
unburden & empower academic research & collaborations - incl secondary use of health data
At anDREa BV we do take Information Security seriously. But is a 100% score with one observation good enough?
Publicly we go nearly the full Monty with our Information Security Management System (ISMS) for ISO 27001. Our certificate, our statement of applicability, all relevant clauses and policies, pentest results, etc. are for all to see, including the results:
Trust = describe how you do things (our ISMS) and demonstrate that you do it (audits, reports)
The only things that are not publicly accessible are the underlying records and the details of some reports. However, our clients can request to see the unredacted versions, or make use of the standing invitation to directly observe the internal and external audits. I.e. we go the full Monty, and for good reason.
From time to time researchers need to answer questions related to ISO 27001 for grant applications, in their collaborations, and from internal auditors. Questions like: what is the access policy? Imagine that our answer is just a link to https://support.mydre.org/portal/en/kb/articles/a-9-access-control-27-12-2022. Does this unburden the researchers? Does this help them to have and create trust with their stakeholders?
#ISO27001 #myDRE #anDREa #trust #unburden #SPE #TPE #DRE