soxes is ISO certified. What does that mean?


soxes is ISO/IEC 27001 certified and considers information security to be an integral part of its corporate culture.

This interview covers the following topics:

  • Certified security in accordance with international standards
  • Embedding ISMS throughout the company
  • Tangible added value for customers and projects

To strengthen customer confidence and ensure security, soxes has obtained ISO 27001 certification. The aim of the certification is to protect information on the basis of an analysis of business risks with regard to confidentiality, integrity and availability, and at the same time to anchor continuous information security in the company.

Find out in the interview with CEO Patrick Büchler how our customers benefit from the ISO certification and what the challenges were for soxes.

What is ISO/IEC 27001 certification?

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). ISO 27001 certification protects the company and its value chains by selecting appropriate security mechanisms. For companies, ISO 27001 provides a structured approach to protect the integrity of operational data and its confidentiality. At the same time, it ensures the availability of all IT systems involved in business processes.

Why did soxes decide to implement the ISO 27001 standard?

soxes wants to offer its customers the highest possible security. Because security has become more important than ever in the IT sector and is no longer exceptional, but mandatory!

Consequently, it is a top priority for soxes to design, implement and operate individual software solutions with the highest possible security standard. In the course of this, the introduction of the ISO 27001 standard was the only logical next milestone for us. After all, many customers expect their suppliers to comply with the relevant security guidelines. With ISO/IEC 27001 certification, we can prove this fact.

What are the benefits that a customer gets from an ISO 27001-certified company?

The most important and not directly visible benefit for a customer is the know-how of our employees. The entire company is permanently sensitised to the topic of security, and their knowledge has been brought up to date. This knowledge is used to competently advise our customers on security issues and to make their processes and software more secure. An example of this is the audit we recently carried out at a customer's premises, in which all processes of the entire company were reviewed. With the background knowledge acquired from our own ISO 27001 certification, we were able to provide important inputs and added value to their security requirements. After all, sensitive data is the highest asset of any company and needs to be protected.

Patrick Büchler, CEO soxes AG

ISO 27001 enables soxes to guarantee to the customer that all processes have the highest possible security standard.

What was the biggest challenge and how did soxes overcome it?

The most challenging part of the certification process is figuring out how everything is set up. There are mandatory elements that must be fulfilled, but also a dispositive part. In the dispositive part, the company itself can determine which rules are to be emphasised for the company. This means that ISO is not a checklist that is ticked off one after the other, but much is determined by the company itself.

Furthermore, it must be understood and recognised which of the rules represent a must and which a should. Finally, it should be mentioned that not only those responsible should know the process and the rules that go with it; all stakeholders must be on board. For this reason, we made a conscious decision very early on to involve all employees in the process and to familiarise them with the topic of security and ISO 27001 with the help of workshops and meetings. Because the full ISO certification is not just a snapshot, soxes has to live ISO as a whole company in a sustainable way.

Patrick Büchler, CEO soxes AG

The ISO certification system does not assume that everything is 100% correct, but rather that one must constantly optimise – but only the promotion of an error culture that is capable of learning allows this.

What is your personal assessment of ISO 27001 certification?

To be able to answer this question, you must look at the choice of different standards. There is currently no alternative besides ISO that offers a standard for information security on an international basis. The DIN EN standards have a similar model, but they are specific and product-related. The best known is ISO 9001, which, however, focuses on customers and the processes of the entire company.

ISO 27001, on the other hand, is all about information security and is intended to prove that an information security management system (ISMS) has been fully implemented. In tenders, companies nowadays increasingly demand that their suppliers are ISO 27001 certified. In my opinion, ISO 27001 will never disappear and will even become more popular in the near future.
