ISO/IEC 27001 is an international standard for information security management systems (ISMS). It specifies requirements for establishing, implementing, maintaining and continually improving a management system that protects information against a wide range of threats, so as to ensure continuity and minimise business risk. It is not a guarantee that data can never be compromised; it is a set of requirements and best practices which, when implemented and independently audited, give our clients evidence that their data are protected in a systematic, documented way. Does it matter? Bearing in mind that as part of incentive programs we process sales and personal data, as well as data on the distribution structure and investment budgets allocated to the sales support activities that we carry out for our clients, this is a very important issue.
When a company wants to obtain the certificate, or to extend its validity, an independent certification body (in our case TÜV Rheinland) sends auditors to the company. The auditors' main task is to verify whether the implemented information security procedures comply with the international standard. ISO certification audits are never easy. The pandemic forced us to apply the necessary precautions, so we had to face extra challenges in organising our annual meeting with the TÜV Rheinland auditors.
How does the ISO/IEC 27001:2013 audit work?
The purpose of the audit was to:
- determine whether the management system implemented at i360 is capable of ensuring that our organisation complies with applicable legal, regulatory and contractual requirements;
- determine how effectively the management system provides reasonable assurance that the specific objectives set by i360 will be achieved;
- assess, on a sampling basis, the conformity of the management system with the standard in order to maintain the existing certification.
Contrary to popular belief, auditing compliance with the international information security standard does not concern solely IT issues. The audit covers the entire organisation, starting from the management board, through the heads of departments and ending with randomly selected employees. Particular emphasis is placed on information security, which is why most of the time is devoted to meetings with the compliance department, IT department and the Management Representative for Information Security Management System.
What is audited are information security policies, processes, contracts, management methods, instructions, security measures, backups, the change management methodology, incident management and business continuity plans, software licensing, the currency of IT systems, access control policies, standard operating procedures and many other areas and aspects of business operations, including those unrelated to IT, such as the operability of fire protection equipment.
What is demonstrated by the ISO/IEC 27001:2013 certificate?
Our clients are interested in whether i360 provides the highest achievable level of security. Every entity which professionally manages loyalty programs and incentive programs will try to assure you of its reliability and security. i360, however, can document its statements with the positive results of five audits and a management system implemented and certified under the ISO standard.
The result of the audit is a report. The most important sentence in the audit report is as follows: "The organisation has established and implemented an effective system to achieve its policy and objectives. The auditing team confirms, in accordance with the objectives of the audit, that the management system of the organisation meets the requirements of ISO/IEC 27001:2013 and is maintained and improved appropriately." Reading these words, we know that we are doing a good job and that the areas for improvement identified by the auditors set the course of our further development.
Our experience with previous audits is described here:
- Why it is worth working with an agency holding the ISO 27001:2013 standard
- ISO/IEC 27001:2013 for i360 Sp. z o.o.
Does the entity which manages your loyalty program have a management system compliant with ISO?
If you are interested in implementing a B2C loyalty program or a B2B incentive program or would like to check how i360 can improve your program with regard to its procedural, legal, tax, logistic or performance aspects, feel free to contact us.
Contact us to learn more.
We know everything about loyalty programs.