soxes is ISO certified. What does that mean?

Michael Russo

Cyber attacks and security breaches at companies have long since ceased to be fiction and are now bitter reality, which is why quality management and information security matter more than ever. To strengthen customer confidence and ensure security, soxes has obtained ISO 27001 certification. The aim of this certification is to protect information on the basis of an analysis of business risks with regard to confidentiality, integrity and availability, and at the same time to anchor continuous information security in the company.

Find out in the interview with CEO Patrick Büchler why our customers can benefit from the ISO certification and what the challenges were for soxes.

What is ISO/IEC 27001 certification?

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). ISO 27001 certification protects the company and its value chains by selecting appropriate security mechanisms. For companies, ISO 27001 provides a structured approach to protect the integrity of operational data and its confidentiality. At the same time, it ensures the availability of all IT systems involved in business processes.

Why did soxes decide to implement the ISO 27001 standard?

soxes wants to offer its customers the highest possible security, because security has become more important than ever in the IT sector and is no longer exceptional, but mandatory!

Today, security is no longer remarkable, but obligatory!

Patrick Büchler, CEO soxes AG.

Consequently, it is a top priority for soxes to design, implement and operate individual software solutions with the highest possible security standard. In the course of this, the introduction of the ISO-27001 standard was the only logical next milestone for us. After all, many customers expect their suppliers to comply with the relevant security guidelines. With ISO/IEC 27001 certification, we can prove this fact.

In addition, the certification process has sensitised the entire company, from development to sales, to the issue of security. All links involved in the chain of the value creation process must have the same high standards and a high level of understanding of the topic of security and information security.

What are the benefits that a customer gets from an ISO-27001-certified company?

ISO-27001 enables soxes to guarantee to the customer that all processes have the highest possible security standard.

Patrick Büchler, CEO soxes AG.

The most important and not directly visible benefit for a customer is the know-how of our employees. The entire company is permanently sensitised to the topic of security and its knowledge has been brought up to date. This knowledge is used to competently advise our customers on security issues and to make their processes and software more secure. An example of this is the audit we recently carried out at a customer’s premises, in which all processes of the entire company were reviewed. With the background knowledge acquired through our own ISO-27001 certification, we were able to provide important inputs and added value to its security requirements. After all, sensitive data is the highest asset of any company and needs to be protected.

What was the biggest challenge and how did soxes overcome it?

The most challenging part of the certification process is figuring out how everything is set up. There are mandatory elements that must be fulfilled, but also a dispositive part. In the dispositive part, the company itself can determine which rules are to be emphasised for the company. This means that ISO is not a checklist that is ticked off one after the other, but much is determined by the company itself. Furthermore, it must be understood and recognised which rules represent a must or a should in the rules. Finally, it should be mentioned that not only those responsible should know the process and the rules that go with it, but all stakeholders must be on board. For this reason, we made a conscious decision very early on to involve all employees in the process and to familiarise them with the topic of security and ISO 27001 with the help of workshops and meetings. Because the full ISO certification is not just a snapshot, soxes has to live ISO as a whole company in a sustainable way.

The ISO certification system does not assume that everything is 100% correct, but rather that one must constantly optimise – but only the promotion of an error culture that is capable of learning allows this.

Patrick Büchler, CEO soxes AG.

To move the ISO certification forward quickly, soxes decided to train its security officers so that the entire ISO certification process could be carried out in-house.

The partner we initially used to support us in the process did not bring the necessary efficiency and effectiveness. So, in short, we decided to take matters into our own hands and implement them. This decision proved to be a real challenge, but also the right one and a very valuable experience.

What is your personal assessment of ISO 27001 certification?

To be able to answer this question, you must look at the choice of different standards. There is currently no alternative besides ISO that offers a standard for information security on an international basis. The DIN EN standards have a similar model, but they are specific and product related. The best known is ISO 9001, which, however, focuses on customers and the process of the entire company. ISO 27001, on the other hand, is all about information security intending to prove that an information security management system (ISMS) has been fully implemented. In tenders, companies nowadays increasingly demand that their suppliers are ISO-27001 certified. In my opinion, ISO-27001 will never disappear and will even become more popular in the near future.
