Information security and quality system standards

VTENEXT recently obtained the ISO 27001 and ISO 9001 certifications: the first is the international standard for managing information and data security, the second the international standard for implementing a quality management system within an organization.

We decided to interview Mauro Sanguinetti, our Auditor. In this article we report the benefits a company obtains from these certifications, the steps that need to be followed, and how a process mapping tool like vtenext can help obtain and maintain the certifications.

           Hello Mauro, tell us about yourself and about DNV GL.

My name is Mauro Sanguinetti and I work as an Area Manager in the North West of Italy for DNV GL, responsible for the operating results, team management and organization of the area I am in charge of.
Over the years, after a degree in electronic engineering and a master's in IT at the University of Padua, I gained experience developing software projects with major Italian IT companies; after joining DNV GL in 1999 I had the chance to develop significant skills and experience in information and data security in various fields, in particular ICT, automotive and aerospace.

DNV GL is a Norwegian company owned by the independent foundation Det Norske Veritas. Our roots go back to 1864, when the naval classification society was founded. The Group's headquarters are in Oslo, Norway. DNV GL has more than 350 offices in more than 100 countries worldwide.

What drives our daily activities has always been our mission: "the protection of life, property and the environment".

Why a company should get an ISO certification, where to begin, and the main steps

DNV GL – Business Assurance is one of the business areas of the group and one of the main certification bodies worldwide.

The organization works in line with its mission and with the aim of helping organizations increase the security and sustainability of their activities. In particular, what we do in this business area is to ensure, through certification, verification, evaluation and training, that companies are able to guarantee efficient and certified management systems, products, staff and structures.

          Why should an organization get certified? What are the main benefits, for both ISO 27001 and ISO 9001?

For a company, obtaining certifications like ISO 27001 or ISO 9001 (the first being the international standard for managing information and data security, the second the international standard for implementing a quality system within an organization) means first of all consolidating sustainable company performance, showing its commitment to the quality of its processes, showing that all information and data are managed according to the international standard and that the company is able to manage and overcome risks, improving stakeholders' trust and, last but not least, increasing customer loyalty and satisfaction.

          But where to begin? What does a company have to do to get certified?
The path begins with the Management System: it has to be documented and has to meet the requirements defined by the standard for each certification.

In a few words, to obtain a certification the company has to show that, from an operational point of view, it uses the defined Management System, following all the rules and requirements defined by the System itself in accordance with what the standard governing the certification prescribes.

           What are the steps to follow to obtain a certification?

The certification process that companies must undergo basically consists of two initial phases.

The first phase consists of an Evaluation Audit of the System Documentation and a Preliminary Audit. In this phase the company is called upon to demonstrate the operation of its Management System and must do so by providing documented information, namely:

  • depending on the applicable certification scheme, documented information in controlled form (e.g. Manual and/or Procedures) of the System in force, which is needed to evaluate the System itself;
  • general information on the company and on the type of products and/or services covered by the certification.

In this phase, which takes place directly at the customer's premises, we support our customers by evaluating their documentation and its compliance with the standard, and we issue a preliminary document audit report.

The second phase, the so-called Initial Audit, is the one that leads to the actual issue of the certification.

The Initial Audit aims to examine the structure and consistency of the organization's policies, goals, procedures and processes and to confirm whether they meet all the requirements needed to obtain the certification. In this phase, the company is required to demonstrate "in the field" the application of its Management System.

At the conclusion of these two phases, the Audit team transmits the documentation to DNV GL's technical function, which has the task of evaluating and approving the certification proposal.
If approved, all certification documents are issued, certifying the company's compliance with the reference standard within the scope of the Management System.

The guarantees a company like VTENEXT can provide to its customers

In the past, the importance of information security was limited to the protection of accounting and financial data. Today, globalization and free trade have increased the importance of information security.

Several national regulations also define information as a valuable asset that needs to be protected. The number of viruses, cyber-attacks and intrusions that have to be faced every day is proof of the importance of safeguarding the data held in IT systems.

Data is not only stored on computers and servers; it can be on paper, on a disc, and in the minds of those who work in the organization. Information is part of the company's assets and therefore has to be protected throughout its entire lifecycle.

The information security management system adopted by a certified company, in this case VTENEXT, which obtained the ISO/IEC 27001 certification, shows that the organization has analysed and evaluated in a systematic and complete way all the risks related to information security, whether arising from external or internal attacks, cyber or non-cyber, or from errors and non-compliant behaviour.

          Why should a customer choose a certified company over a non-certified one?

With the ISO/IEC 27001:2013 certification a company shows its existing and potential customers, vendors and shareholders the integrity of its data and of the systems where it is stored, in addition to its commitment to securing them.

This can open the door to new commercial opportunities, improve employee ethics, and reinforce the notion of confidentiality throughout the work environment.

With the ISO 9001 certification, in addition to demonstrating the organization's commitment to the quality of its processes and to customer satisfaction, it is also possible to demonstrate the desire for continuous improvement of the company's organizational performance, gain credibility and improve the company's external image, reduce costs due to rework or ineffective management, and reduce complaints and disputes from customers.

"The adoption of vtenext meant having all the processes mapped and profiled, thus allowing us to speed up the path towards achieving the certifications"

How a tool to map and automate processes can help companies get the certifications

          What does it mean for a certification body to be able to rely on efficient mapping of business processes?

The choice of a CRM system such as vtenext (in use both by VTENEXT itself and by CRMVillage) proved to be a winning decision because it has allowed the two organizations to store and analyze the data of all their customers and prospects in an orderly and effective way. All information is organized in the best possible way and stored in a single place, which greatly simplifies audit operations by eliminating onerous searches and useless, wasteful paper notes.

          What impression did you get when you came into contact with a process mapping tool like vtenext?

I was impressed by the strong ability to map all business cycles and flows, from administrative ones to after-sales support, and by the ability to create automated processes that help respond to customer requests ever faster and more effectively.

          How can a tool like vtenext be decisive for obtaining the certification?

If correctly configured for a company's organizational needs and correctly used by its users, the system allows organizations to keep the data of all current and prospective customers in an orderly and effective way (all information is available and accessible from a single point).
The system can help give confidence that the organization's processes are conducted as planned and that there are therefore no risks for the audit and for obtaining or maintaining the certification.

Are you looking for a certified vendor? Do not hesitate to contact us!