In cooperation with Deloitte, TimePlan Software is launching an extensive IT and information security process. Tobias Frandsen is the Project Coordinator for TimePlan Software’s ISAE 3402 accreditation, and he explains how the process will benefit TimePlan’s customers.
Hi Tobias, thank you for joining us today. What is an ISAE 3402 accreditation?
An ISAE 3402 is an assurance statement that documents the IT practices within a company, that can prove we manage our processes to a recognised standard, and that TimePlan Software meets the legal requirements and good IT practices.
The ISAE 3402 statement covers the company’s development, operation, preparedness and documentation, as well as physical conditions, such as where our servers and data centres are located.
Why should TimePlan Software have an ISAE 3402 accreditation?
Two of our largest customers have requested the statement, and the new General Data Protection Regulation (GDPR) is just around the corner. We need to give our customers the best possible guarantee that we are in control of security. Words are not enough; we need to document our actions.
The ISAE 3402 is in fact our “blueprint” to handle IT data security, so our customers can safely use us as a data processor. We’ve seen the big hacking cases at Google, Yahoo and Apple, and many of our partners demand documentation showing that we manage our information security policies safely and correctly.
What does the process of the ISAE 3402 entail?
We met with Deloitte this spring and they explained the construction of the statement. First, we went over our policies and controls. How do we store information? How do we handle security when it comes to hosting? How is access to sensitive data controlled? We have implemented these based on ISO 27001, which concerns IT data security, and now we will restructure and implement the new procedures through our department managers.
What are the benefits of getting an ISAE 3402 statement?
Much of what the statement focuses on, we already had policies and procedures for, but now we have gained an improved overview and direction when it comes to how we follow the procedures. There will be follow-up and controls along the way. We perform internal controls and Deloitte performs external controls.
How does ISAE 3402 benefit TimePlan Software’s customers?
During the clarification process, we have discovered quite a few things we have never thought of before. For example, we have created an improved procedure for releasing TimePlan versions from the customer’s perspective. The customer will receive a TimePlan update rather than thinking that we need to release a new version. We see the process from the customer’s perspective. It provides better customer service and understanding. Our procedures are becoming more holistic. The ISAE 3402 accreditation gives us a unique, standardized way of dealing with our processes.
When is the declaration expected to be in house?
We’ll have an internal audit during the winter and we have a level 2 audit with Deloitte scheduled for early summer 2018.
Thank you, Tobias. Anything else you would like to add?
The ISAE 3402 material may be dry at times, but the process really benefits our customers, employees and the company’s security.