When considering new business partners, there are multiple individual areas to review in order to gauge their suitability for the job.
One of the most useful ones can be to examine a company’s external certifications.
ISO Certifications are globally recognised standards that apply to a variety of management practices and processes.
In the words of ISO Quality Services Limited:
“The certification can be used to tender for business as a proof of a company’s credibility but also to instil confidence in the potential client that you will keep your promises.”
Therefore, when companies make reference to their ISO Certifications, it’s generally a positive sign as to their level of competence.
However, things are not always as they appear.
When is a certification not a certification?
They reflect a commitment to, and competence in, protecting confidential information as well as an overall approach to business management that delivers a consistently high level of service to customers.
If you look at the bottom of this page, you’ll see two round logos, which show that Gatekeeper has these two certifications.
There’s also further confirmation on this page and the certificates themselves can be provided upon request.
All of which go to prove that Gatekeeper has met the required standards for these relevant ISO certifications.
So far, so clear. So where does the opportunity for confusion come in?
Gatekeeper, like the vast majority of contract management solutions, is cloud-based. Our platform, and the data contained within it, is hosted using Amazon Web Services (AWS), in our case across five global instances.
This secure and flexible solution is a common approach across our sector.
To demonstrate its credibility and suitability as a hosting service, AWS itself has also attained ISO 27001 and 9001 certifications.
So in the case of a company like Gatekeeper, its customers have the added reassurance that not only does Gatekeeper itself work to the highest standards when it comes to information security and quality management, but so does its hosting partner.
However, this isn’t the case for all companies in the sector.
It’s not uncommon to see promotional material making reference to “certified data centres” or similar as well as including the specific names of the ISO certifications (27001 & 9001).
It’s easy to read this and make the assumption that the business itself is certified to those standards.
The distinction is important, especially if information security is one of the key criteria that a prospective buyer is rating companies against.
Of course it’s reassuring to know that the underlying data centres of a prospective partner are run to the highest standards. However, it’s not necessarily a point of differentiation if you have several companies hosted on AWS, none of which themselves are actually certified.
Given the prevalence of cloud hosting, this level of security certification could be considered “table stakes” when it comes to working with companies’ sensitive contract and vendor data.
The certification is of course important as the hosting company works at the ‘data layer’ of the application only. The ‘software layer’ is provided by the software company.
In the case of Gatekeeper, our ISO certification ensures the same very high level of process and security is maintained from the data layer all the way to the software layer. If the software company has not achieved their own ISO certification then there is no standard approach applied and this can leave you and your data exposed.
It’s therefore important to understand that no matter the level of information security achieved by the underlying hosting services, this can all be undone if the company itself is negligent or adopts poor practices in relation to the data it manages on behalf of its customers.
This is why it’s vital, if there’s any ambiguity or confusion, to request copies of a company’s ISO certificates so the details can be checked and verified.
To receive a copy of Gatekeeper’s Security Pack, including relevant ISO certifications, please contact us today.