COMPLIONS GRC CUSTOMERS ON THE BENEFITS OF WORKING WITH GRCCONTROL
Why is Odin Groep certified?
For us it is a “license to operate”. We are ISO9001, ISO14001 and ISO27001 certified, because this is very often requested. We also have other specialist certifications such as DigiD, NEN7510 and a SOC2 report, which are prerequisites for being able to serve specific customer groups.
Was Odin Groep already certified before CompLions-GRC came into the picture?
Yes, but that method no longer met our requirements. It was too labour-intensive and partly because of that the involvement in the organization was in our view insufficient.
What has changed as a result of switching to CompLions-GRC?
Quite a lot. To start with, we have definitively left the Excel sheet phase behind us. In addition, partly due to the simple operation and the insight provided by the CompLions-GRC tooling, the involvement throughout the Odin Groep has increased. More awareness, more focus on permanent improvement and that leads to more efficiency. That is a positive change. When I say more involvement, I mean that attention to certifications is no longer the job of the quality auditor, the Security Officer and the CFO. Everyone, all departments and the entire management now understand more easily what it means in concrete terms and what the advantages are. For the external auditor, in our case BSI, things have also changed. They receive the data in a more structured way, which saves them time.
Does it save you time?
Absolutely, we can now, for example, roll over certain matters, so that a year later the same activities can be carried out much more quickly. It is also important that the GRC tooling identifies and deduplicates overlap in the normsetting. In this way, a considerable amount of time can be saved.
What can Odin Groep do now, which used to be unfeasible?
Partly on the basis of the GRC tooling and in accordance with ISO14001, we now have an annual sustainability report. From the tooling comes data with which the quality manager can draw up the report more efficiently. We have two versions of this. A detailed version for internal use and a more compact, easy to read online version for customers and interested parties.
What are the ambitions of Odin Groep and how does CompLions-GRC help?
Our ambition is to remain one of the top Dutch IT companies and to enter into long-term and strategic relationships with our customer groups. We want to remain relevant in the long term in a rapidly changing market. This is often the case for customers who also demand certification because they have to go for the highest quality. In order to be able to demonstrate this, we need the GRC tooling. Even in cases where the audits are purely customised, which is mandatory for some customers, the GRC tooling remains an important basis.
We expect to be among the first in the Netherlands to achieve AVG (GDPR) certification soon. To this end, we will once again use the GRC tooling, which will be expanded for this purpose.
CYSO FROM ALKMAAR IS A MANAGED HOSTING PROVIDER. THE COMPANY ENSURES THAT CUSTOMERS’ WEBSITES AND WEB APPLICATIONS ARE AVAILABLE ONLINE. CO-FOUNDER SVEN VISSER ANSWERED THE QUESTIONS.
Why is Cyso certified?
Of course we have to deal with questions from our customers. In addition, as a company, we want to be able to handle information security professionally and to be able to demonstrate that. Then ISO27001 and NEN7510 are indispensable. We also have ISO20000, which is the standard for IT Service Management.
Was Cyso already certified before CompLions-GRC came into the picture?
No. When I drew up the shortlist, I noticed that there were parties who wanted to support us in the certification processes in the traditional way, with many Excel sheets. That didn’t appeal to me very much. At Cyso, we did everything we needed to do in this way, and I wanted to get rid of that. CompLions-GRC was one of the few providers that had a SaaS solution. That appealed to me more, especially when I understood what we could do with it. In addition, there was an immediate click between the companies, which is also important.
What has changed as a result of using the CompLions-GRC tooling?
What we notice is that certainly the auditors of larger customers always want to know how we work and which methodologies are applied. If we then indicate that we are using the CompLions-GRC tooling, they will be reassured. Then they know that nothing has been skipped and that everything is clear. That is part of the story. There is also an internal aspect to mention. The risk analyses we made previously inevitably carried the authors’ own interpretation. This often led to discussions. Now there is a neutral framework of standards that everyone adheres to.
Does it save you time?
As I said, with the risk analyses, we now all have the same framework. We’re all talking about the same thing now. That is, of course, an improvement in efficiency, so it also saves time.
What can Cyso do now, which was not possible in the past?
By using the CompLions-GRC tooling we are better able to pay attention to more than the technology. By that I mean that we are a technical company and have a tendency to look for a technical solution for every challenge. With information security you have to take a broader view and the GRC tooling forces us to do this at every step. As a result, our processes and solutions are getting better and better.
Furthermore, we can now fully integrate special customer requirements with the audit. For example, an additional requirement about Disaster Recovery. By including the rules for this in the GRC tooling, the procedures and agreements are 100% guaranteed and it becomes auditable.
What are Cyso’s ambitions and how does CompLions-GRC help with this?
We have a healthy growth ambition and expect to grow to 100 employees. We will continue to focus on the mid-market segment. What we see is that the certification requirements set by the corporates inevitably seep through to our customers. Thanks to the CompLions-GRC tooling, we are prepared for this, but it cannot be ruled out that we will need even more certifications. A form of AVG (GDPR) certification or an ISAE3402 declaration could then be one of them.