Intus on why certifications are becoming increasingly important to them
Why certifications are becoming increasingly important for Intus
Certification says a lot about how an organisation has arranged the security of things like personal data. As a result, more and more organisations set it as a requirement when they are looking for a supplier. Intus sees that trend too. They tell us about their practical experience with certifications.
Intus in Zeist has been supplying its own SaaS application for planning and scheduling staff, InPlanning, for ten years. The application runs on the Fundaments IaaS platform. Intus customers are companies, governments and healthcare institutions in the Netherlands that schedule professionally. InPlanning can do more than create and publish rosters; with self-rostering and online exchange, for example, end users can arrange a lot themselves.
Processing of personal data
Timetable planning is a process that lends itself to automation, but it does come with demands. Hans Leideman, CEO of Intus, points out that personal data is processed, of course, but that’s not all. “The scheduling of working hours also means that something about the rewards becomes clear. Consider notifications for whether it concerns overtime or whether a weekend allowance applies. Processing of both personal data and financial data has strict requirements for how we do things and therefore on what we require from our chain partners.”
“We have chosen Fundaments for several reasons. Per customer it may concern up to 10,000 end users. If they all start the application at the same time, that requires a lot from the platform. That’s why we were looking for a provider in which the uptime, stability and performance are well organised,” explains Leideman. “We also apply strict quality requirements, partly because we process personal data. We are ISO27001 and NEN7510 certified. We also require this from our chain partners. Fundaments have these certifications and therefore comply with the requirements that apply to us. And very important: they simply get data security right.”
Certifications are becoming increasingly important
Leideman indicates that ISO27001 and NEN7510 certifications are becoming hygiene factors for Intus customers. They are necessary, and it’s immediately noticeable if they’re not in place. “We notice that it’s increasingly on the agenda in sales conversations with our customers. We can show that we are in control of our part of the chain. And we can demonstrate that our partners, up to and including the datacentre, also meet the requirements. With our major customers these questions are asked early on and they are sometimes very detailed. Smaller companies sometimes have a little less knowledge about certification, but once again, once it is discussed, it is understood that doing business with certified suppliers makes a difference. It is quickly classified as a must-have factor.” According to Leideman, certifications are therefore increasingly important because they provide an objective answer to the question of how a company has arranged the security of personal data.
The same requirements for the chain
The increasing demand for certification is a development that can’t be separated from the GDPR. Intus has concluded Processor Agreements with all its clients for this purpose. After all, with the SaaS service from Intus, customers process personal data. The Processor Agreement states that Intus works with subcontractors. Fundaments is one of them. The requirements that apply to Intus are passed on one-to-one to the subcontractor. “That may sound cumbersome, because Processor Agreements are part of the regular contracts. But it’s a good thing to have insight into a whole chain meeting the same requirements,” says Leideman.
Intus regards the increase in additional questions to demonstrate quality of service as a development in the market. Moreover, these questions are becoming more and more specialised. For example, how the financial data contained in the application is secured should be transparent for customers. If that transparency is lacking, there is non-compliance. This question can partly be answered with ISO27001 and NEN7510 certifications, but not entirely. It can be answered with an ISAE3402 Type II certificate.
ISAE3402 Type II means that the location of the data and the application must be tested to determine whether correct processing and storage of financial data is guaranteed. In the case of Intus, this processing takes place on the Fundaments IaaS platform. It is important for Intus that Fundaments can have this statement drawn up. Only then will Intus be able to meet these additional customer requirements.
Leideman: “We can see that Fundaments understands very well what the developments in the market are and that, for example, an ISAE3402 Type II is becoming increasingly important. Without it we don’t meet the requirements of certain customers. Fundaments also understands that we operate less and less as independent companies and increasingly as a chain.” The trend towards more certifications means that companies in a chain will consult and cooperate more. “You have to have regular contact with each other to see if certifications and statements match and are working and up to the mark. That will never be an issue for Fundaments,” Leideman concludes.
“Fundaments know that customers are looking for more than a technically stable IaaS environment. Thinking about and anticipating new conditions that end customers have to set for a partner is something we take very seriously.”