As of 30 October 2017, The Hyve is ISO 27001 certified. This means that we comply with the security requirements of the ISO 27001 standard for the development, hosting and support of open source software, data services and data analysis for biomedical informatics.
Why information security is important
We all know how important information security is, especially nowadays, when the density of information and the amount of data we exchange are growing by the day. Just as in your private life, you want business-related information or data to stay undisclosed and secure.
One might say that the best way to maintain the safety and security of your data is to never share it with a third party; however, this is rarely possible nowadays. You often have no choice but to work with an outside vendor and outsource certain tasks, which gives that vendor access to your precious data.
So how do you make sure that you do not just have to take your vendor at their word? How do you also get proof from an independent authority about the information security of that vendor? This is where ISO 27001 comes in.
How ISO certification relates to information security
The International Organization of Standards (ISO) is an organization that develops and publishes international standards. It has made a big step in the direction of formulating what information security actually means and developed ISO 27001. This is a quality standard that lists the requirements for establishing, implementing, maintaining and continually improving an “Information Security Management System” (ISMS).
As soon as you have implemented an ISMS within your organization, you can ask for an external audit. Your organization is inspected to ensure the system is working properly and meets all the required criteria. On top of that, all the employees of your organization should be aware of it and use it in their day-to-day work. If the audit is successful, you receive an ISO 27001 certificate.
ISO 27001 is a commonly used and widely adopted tool in the field of ICT quality management.
Like many quality standards, it is based on the Deming Cycle (also known as the PDCA cycle), which describes a cycle of actions to systematically improve quality (in this case, the quality of information security). This includes requirements such as never sharing unencrypted data, following the password policy and not leaving laptops or computers unlocked when unattended.
The long road towards ISO 27001
At The Hyve we started preparing for the ISO 27001 audit in 2016. The main reason for starting this process was that we wanted to show our clients that we are a certified, trustworthy partner.
Additionally, we had also noticed that more and more companies, governmental institutions and tender or grant applications require vendors to have an ISO certification. A good example is a tender for a data infrastructure system for the Dutch Trial Registry (which we recently won), which required applicants to be ISO 27001 certified.
We can easily imagine that in a few years all public services will ask you for such a certification if you want to be their supplier. So we chose to be prepared.
All the hard work paid off in the end, and we received the ISO 27001 certificate on October 30 2017! The certificate is valid for three years and includes a yearly audit.
How do you benefit from the fact that The Hyve has an ISO 27001 certificate
Do you, as a customer, actually benefit from working with The Hyve now that we are an ISO 27001-certified vendor? Does an ISO certificate mean you can trust us more, or that we have become more reliable?
ISO 27001 is not a guarantee that your data will never be lost or jeopardised, and most probably no vendor can ever give such a guarantee. However, The Hyve being ISO 27001-certified shows that we take information security very seriously, beyond just asking all our employees to keep sensitive information safe and secure. We approach it in a systematic way by introducing an ISMS. Every employee knows which precautions he or she has to follow when working with different types of sensitive data, and we constantly monitor this to check that the requirements are being met without exception.
In other words, we take security seriously, and data safety is part of our way of thinking and working.