Information security at Copernicus fully certified


Marcel van Osenbruggen, security officer at Copernicus, has played a prominent role in obtaining our certification in the field of information security. A certification such as ISO 27001 and NEN 7510 does not just fall into your lap. This is preceded by a careful and intensive process.

Marcel has gained the necessary experience during his career, which enabled him to steer the process in the right direction. “I have been working in IT and information security for a long time. I have always had a hankering for orderly work and structured processes. I gained a large part of my experience in managing systems. Later, in banking, I moved more and more into the security work area, did less management and shifted the focus to information security.”

“At a certain point in my career I started to focus again on the system administration part. That is how I stepped into a similar administrator position at Copernicus. When ISO and NEN came into play, people came to me: ‘Say, didn’t you do something with..?’ The rest is history.”

Why was the process for ISO and NEN certification started?

“When the ISO and NEN certification came into play at Copernicus, it was mainly prompted by the expectations and requirements of customers. This was especially important for customers from our CoperniCare customer base. Logical, because if a lot of data is processed, in particular data from patients, then secure data processing must be in order.”

“The processing of data from our customers is done very carefully. Even before we started with certification, we ensured a safe environment in which we process and exchange information. By obtaining these official certifications, customers know where we stand in the field of information security and that this has our full attention.”

“You can’t escape it in the news either: you will come across reports about information security everywhere. It is and remains a very topical subject. That cannot be otherwise with the ever-growing automation of processes and the data flows that come with it.”

What is the added value for us to be officially certified?

“These certifications make it easier for us to communicate externally that we not only think carefully about information security, but that this is also recorded in processes. This means that we are dealing with all matters responsibly and meeting the requirements in black and white.”

“When I look internally, I notice a great willingness to support the certification. Even if it sometimes goes against the way someone used to work. I saw this willingness from the start of the process. That naturally makes my work much easier. Where it was really necessary, we have therefore changed work processes so that they fit within the set standard. We noticed, for example in the smooth migration of MediTracker, that this new way of working is bearing fruit. It’s nice to see that this new way of working has done its part so that our strong team could manage this major migration.”

How do you encourage colleagues to continue to work according to the guidelines and to keep their awareness high?

“The Blue Book also describes how we deal with awareness among our colleagues. This includes mutual discussions and a clean desk check. It also states that the year-end presentation always calls for attention to information security and our ISO and NEN certification.
This can of course also be done in our internal newsletter, which our employees receive every month. And this interview is also a good example.”

“What does NOT work, by the way, is scaring and punishing, so you shouldn’t talk about that. You have to convince people that something is better for the company and reward them for their attention and for that point of which they are a part. Create the we-feeling: we do it together and everyone has an influence on information security. You can include every question from colleagues about this in that process.
Not everyone notices it continuously, but information security is an everyday issue. That’s great, because then you do it unconsciously yourself.”

What was the biggest challenge in this process?

“That actually starts with the management and the organization of the company. Through all ranks within our organization you have to be able to convince everyone of the change process. You cannot sit still once certified. It is important that you stay with the right reasons. So not being technically driven, but based on an intrinsic conviction that information security is crucial.”

How do you envision the future of information security?

“The challenge will come this and next year. We cannot yet show that we are doing what we say we are doing for a number of things. The reports must now be demonstrable. And all points for improvement must be measurable and visible. In addition, we are now working very differently from a year ago. Where before everyone was primarily at the office, now everyone mainly works from home. It is important that we keep a grip and insight on how everyone works. Where is all the data and how do you secure it?”

“The importance of the data we work with, all the data that our customers entrust to us, deserves to be treated with respect.”
