Marja Colak
April 8, 2019
Is it possible for a SaaS company to implement ISO standards, and how and why should SaaS companies get certified? This is an important step on the way to success, and it is just what Doccle did when it broke out as a unique digital player in Belgium and beyond: it decided to implement ISO 9001 and ISO 27001 as a SaaS company.
This fast-growing online platform for administration began as a startup in 2014, and today numbers 13 employees and 1.4 million subscribed end users, with more than 100 companies delivering invoices and other documents through it. Doccle’s Chief Operating Officer Peter De Rudder (47), who has been in the IT business for 25 years, talks exclusively to the Advisera website about what ISO implementation brought to the company, what problems they faced during the implementation, and how they resist the security and privacy threats related to online payment processing and document handling.
Doccle wants to be the trusted platform in these times of increasing risks. GDPR regulation also played a role. Customers today are more vigilant about entering into an agreement with a vendor that does not take security seriously.
The concept of Doccle is really unique in Belgium, but also across Belgium’s borders. It is accessible to anyone, on mobile or PC, and your entire administration is located on one single platform. There’s a guarantee of the legal retention period, you have full control of your document, security and privacy are at the core of our organization, and we are free forever for our end users, because our income comes from the companies that put documents on Doccle.
We expect some big changes in the payment market once PSD2 is really up to speed.
The online payment business is strictly controlled and security levels are really high. The same goes for the data handling of our users. The whole GDPR wave brought us more awareness on privacy and security, and as a company, you cannot neglect the importance that people are giving to this topic.
Without going into details, it all starts with a secure development process and security testing. We put a lot of effort in there. Next to that, we have a partner responsible for our vulnerability scanning of the platform.
Employees get regular awareness training through regular security tips. The Advisera security awareness training is a good way to start quickly. As for the end users, we have a whole section on our website to help them.
We have technical measures in place: DDoS protection, IPS/IDS, firewalls, and web application firewalls.
We have set up “Chinese walls” between the senders of documents. We have a Privacy Policy, and our goal is to be clear about the data we collect so that you are as well informed as possible about how your data is used.
With ISO implementation, our company undoubtedly earns a higher level of respect. Other objectives were improving our market image, strengthening our product, preventing the damage caused by potential incidents, and preparing for the eIDAS European regulation and certification. Also, we needed to align with procedures and policies as defined in our GDPR program, and to comply with the security requirements coming from our senders. Compliance with the eIDAS regulation is another important reason.
We now have better documented processes and better security awareness of employees and partners. We document the “unwritten knowledge” of the company, and there is a lot of unknown knowledge in every company. But when doing an ISO exercise, you have to document it.
The biggest problem is to get the project running. In most medium or small companies, there is no dedicated personnel to do the implementation. So, you need to find enough time to get it started. It’s important to get management commitment.
The good thing about the toolkit is that the documents all have the same structure. By doing this, your ISO management system looks much more professional than if you had used Google for ISO templates. The toolkit also comes with a list of mandatory documents, which is very handy. With the Advisera toolkit, you get a quick start on the implementation. There are also a lot of webinars and other documentation available.
Regarding the exams, I took the ISO 9001 and ISO 27001 exam. As I did not have a lot of time, I used the transcripts instead of the spoken tutorials. I would recommend taking the exam after the implementation in your company, because then you are far more experienced.
What I liked the most was the helpful documentation and clear structure, aligned with the ISO standards. There are also relations between the different products like GDPR vs. ISO 27001. They are easy to adapt to your own situation.
We were able to implement ISO in our company within six months. Without the Advisera toolkit, this would never have worked. It is structured well and provides a head start for your implementation. The Advisera team is also willing to help if you have questions. I used their support during the implementation. The product is especially useful for smaller or medium-sized companies.