Getting ISO-certified with Google G Suite
Avaus Marketing Innovations is a data-driven marketing agency that aims to transform its customers’ marketing. The core service leverages both data and modern marketing technologies. These two ingredients make it possible for Avaus to offer marketing services with intelligence. They believe in omni-channel communication that is relevant, ongoing, and genuinely serves the chosen audience. Typical customers of Avaus are enterprises that possess large amounts of data about their customers.
On the 7th of September Avaus announced that it had received an ISO certification in data security. It’s among the first marketing agencies in the Nordics to receive such a certificate. Ben Ottoman, the Information Security Manager at Avaus, comments on the news: “We decided to apply for the ISO certificate because we wanted to show our customers that we meet certain minimum security criteria. It’s important for our customers to know that when they partner with us, their data is kept safe and secured.”
Before applying for the ISO certificate, Avaus was using Google G Suite Basic licences. However, the Basic licences did not cover all the business controls and security features that were essential to get certified. “You need to have visibility and full control over your environment so you are able to audit events, in case something happens”, Ottoman explains. “For this reason we needed to upgrade our licences to G Suite Enterprise. With the Enterprise licences we get the visibility needed but also data loss prevention for both Gmail and Drive. This is very important not only to get certified but for our clients. I also value the notifications feature that helps me to take action and stay in control immediately when something in our environment needs attention”.
What does an ISO certification process look like?
For a company to get ISO certified, it needs to follow a strict process. The first thing to do is to hire a Security Manager to lead the project. It’s not only a technical project, so one needs to see the big picture and understand the full roadmap. After a company has a Security Manager in place, it needs to follow these steps:
1st step: Establish an Information Security Management System for the company
2nd step: Implement and operate the information security
3rd step: Monitor and review the information security, and optimize when needed
The process described above is simplified. In reality it’s a lot more complex than this, and it takes a lot more work. In total, the whole project can last from 6 to 18 months. One needs to train all employees to follow new policies, for example using a certain kind of password when logging into a laptop, email or other systems. Everything also needs to be assessed. This will help to see if there are any gaps between the policies and how they are followed in reality. When the actual audit takes place, two auditors come to the office to interview employees and audit all security systems, even physical ones like fire alarms. When a company receives an ISO certification, the work does not end there. It’s an ongoing process, and the security level attained needs to be maintained at all times. The audit will be done again in a year and again later on, to make sure the policies are still followed.
What meaning does the ISO certificate have for Avaus?
Avaus deals with a lot of personal data when it plans and executes marketing campaigns, for example for a company that has a loyalty program. Companies with loyalty programs have gathered a lot of insights about their customers, and based on that data the marketing activities can be tailored closely to customers’ interests and needs.
“We care about our customers and take security seriously”, says Ottoman. “This certificate means that we have achieved a certain security level that has been verified by a 3rd party. It tells our customers that we do our best and invest heavily to comply with the standard security requirements”.