D4InfoNet

A new management system – How does your company prepare in the best possible way?

A NEW MANAGEMENT TOOL

How does your company prepare in the best possible way?

With D4InfoNet we help companies increase their efficiency, but before a management system bears fruit we always advise our customers to prepare as well as they can, because establishing a consistent structure for the company's everyday workflows can be a major project.

A management system is a powerful tool for companies to increase efficiency and create an overview of the organization’s daily processes, but before the system can bear fruit, it is important that you prepare your company in the best possible way. For many, it can be a major project to establish a consistent structure in the company’s workflows.

Below we share five tips on how best to prepare for integrating a new management system into your company.

1. Internal expectation reconciliation

It takes time and resources to integrate a new management system, so we advise our customers to consider which parts of their business they want described and optimized in the new system. For some companies it is solely about complying with the requirements of a certification, while for others it is also a tool to map the workflows of the various processes and thereby understand where there is room for optimization. New workflows take time to integrate, which is why we recommend that you plan and coordinate accordingly.

2. Know the users of the system

It is important to have a sense of the users' needs and qualifications. If, for example, you want to integrate a new management system in a production company, we recommend that you consider how the system should fit into the production workflows. Many procedures continue to be recorded on paper and archived in physical folders, but there are many benefits to transferring them to a digital management system.
You should therefore be ready to invest in more computers or tablets so that the system reaches all relevant users in the company. Be aware that for some employees, using a computer can be a challenge. We therefore recommend that you set aside resources for education and training, and establish a supportive work culture where employees are encouraged to ask questions if there is something they do not understand.

3. Know the daily workflows

A management system is a positive tool for optimizing everyday workflows. To get the full benefit of what such a system can do for your company, we recommend that you map the company's processes to reach a common understanding of how its work is carried out. The management system helps to describe the organization's processes, so that you get a nuanced overview of what the workflows look like. You can then optimize in the relevant areas, because you understand where the critical transitions in everyday processes take place. Those critical processes are what you should start taking care of, because that is where the biggest gain lies.

We also recommend involving users by asking them to visualize the work processes step by step. In this way, you get a realistic understanding of the employees’ daily lives at the same time as they gain ownership of the new system, because it is based on their everyday life and mapping.

4. Find your ambassadors

When embarking on implementing a new management system, it is always important that users are involved and informed about what new processes await. This also applies to employees who may not thrive on change. It can therefore be crucial to select a small group that represents the company's various employees as well as possible to be the project's ambassadors. They contribute knowledge and experience from their respective departments, and this gives management an important understanding of how the company can best integrate and benefit from the new tools. In addition, the ambassadors help colleagues understand how to use the new system and how it benefits their daily workflows.

5. Understand the possibilities of a management system

Often, when employees hear the words “management system” and “quality assurance”, they worry about being monitored and measured. It is therefore important to prepare them for the fact that the new tools are not about controlling people but about understanding everyday processes, so that work can be done as efficiently as possible. The system also makes it easier to assess whether the registrations you typically make in production are necessary or whether something else is needed. The system is there to facilitate the employees' daily processes.
The latest ISO standards support risk-based thinking, and a management system can help locate where in the company you can optimize and strengthen your development.

A management system is a positive optimization tool.

How does a whistleblower scheme provide value?

INSPIRATION

What you need to know about the whistleblower scheme

A whistleblower scheme is a powerful tool because it helps to shed light on serious conditions in the company that are either harmful or can develop into this over time. Whether it is fraud or person-related matters, a whistleblower scheme is a tool for maintaining an open and honest form of business.

Why is everyone talking about whistleblowers?

From December 17, 2021, it became mandatory to have a whistleblower scheme for private companies with more than 249 employees. From December 17, 2023, the same applies to companies with 50 to 249 employees. Below we look at where the legal requirement for a whistleblower scheme originates and what such a scheme is meant to address.

Where does the legal requirement for a whistleblower scheme originate?

On February 25, 2021, the Ministry of Justice submitted a proposal for a law on the protection of whistleblowers implementing the European Parliament and Council directive adopted on October 23, 2019 (Directive (EU) 2019/1937). In short, the directive requires companies of various sizes to establish a whistleblower scheme.

Later in the year, on June 29, 2021, the Danish Parliament passed the Whistleblower Act, in force from December 17, 2021, for private companies with more than 249 employees and for public institutions with more than 49 employees.

The Whistleblower Act also applies to smaller companies with 50 to 249 employees. For these, the whistleblower scheme must be in place by 17 December 2023.

In addition to reports of violations of EU legal rules, which relate to e.g. public procurement, financial services, products and markets, the prevention of money laundering and the financing of terrorism, etc., the law will also cover “serious offenses in general, or other serious matters“.

Serious offenses in general are understood as violations of criminal law, for example fraud, embezzlement and theft.

Other serious matters are generally matters of such a nature that disclosure is in the interest of society or the public. Among other things, this means that sexual abuse and harassment in their various forms fall within the scope of the scheme; if a matter affects freedoms or personal integrity, it falls within the core area of the scheme. Whether a reported case falls inside or outside the scope of the Act is, however, always a concrete assessment from report to report.

Legal requirements for the implementation of a whistleblower scheme

From December 17, 2021, companies with more than 249 employees were required to establish an internal whistleblower scheme where employees anonymously can report violations.

An internal whistleblower scheme is one the company operates itself, primarily for its own employees, but it can also be opened to others, such as external suppliers, volunteers, trainees or former employees.

To handle reports, an impartial, independent unit must be appointed internally, either a person or a department, to administer the whistleblower scheme. This unit receives reports and has contact with the whistleblower without receiving instructions on the handling of the specific case. There must be organizational distance between the unit and management, so it can be advantageous to outsource the scheme in whole or in part to a third party, e.g. a law firm, provided it meets the Act's requirement of impartiality.

In addition, an independent external whistleblower scheme is established at the Danish Data Protection Agency, which can handle reports of the violations described above.

How does a whistleblower scheme add value to a company?

The Whistleblower Act stipulates that a company must establish procedures for handling reports from whistleblowers, and it also imposes documentation obligations.
In practice this means you must document that you have implemented anonymous reporting channels and appointed impartial members of a whistleblower unit, and that you have described specific procedures for how the unit receives reports, acknowledges receipt to the whistleblower, follows up on the report itself and gives feedback, that is, a message to the whistleblower about what follow-up actions have been taken. All of this must happen within the deadlines set in the Whistleblower Act: acknowledgement of receipt within seven days, and feedback within three months of the acknowledgement.

Maintaining a whistleblower scheme involves several administrative tasks, so it is advantageous to implement a whistleblower system in which the procedures are prepared for practice in accordance with current legal requirements, the whistleblower's security is guaranteed, and the GDPR is complied with. A whistleblower system can also increase security and well-being in the company, because anonymous communication channels have been established together with specific procedures for how reports of varying severity are to be handled.

Do you want to hear more about what D4Whistler can offer your company?

ISO Standard 27001 – why is it so important?

ISO STANDARD 27001

ISO Standard 27001

The standard's descriptions and questions make it easier to decide how collected data should move through the organization. Overall, it helps ensure consistency in the company's procedures for how data and information are handled.

ISO/IEC standard 27001 – an important risk assessment

The ISO/IEC 27001 standard (this article follows the 2013 edition with the 2017 amendments) contains a number of requirements for managing the information security of companies and organizations, in order to avoid loss of data confidentiality, integrity and availability. It is not just about protecting PCs, mobile phones and underlying databases against cyber-attacks and the like. Physical security is also covered, so that data is not lost or gets out of control through burglary, theft, espionage, insiders acting against the organization, fire, explosions, natural disasters or similar events.

The standard is based on the fact that recognized experts have joined forces to carry out a general risk assessment of organizations’ vulnerabilities in the field of information security.

With such a risk assessment, potential hazards and weaknesses are identified, and these are largely the same for any organization regardless of framework, terms, size, type and organization. The mapping will therefore be broad and relevant for many companies. Digitization, information security, privacy and other protection of interests mean a lot to all organizations – whether large or small, public or private.

The mapping has formed the basis for the development of the so-called Annex A in the 27001 standard.

Here the entire risk picture is divided into 14 areas, each of which is in turn divided into a number of governing or protective measures (controls), 114 in total. Every one of them must be considered if an organization wants to avoid an irreparable loss of the confidentiality, integrity or availability of information in ways that lead to financial losses or even threaten business continuity. (These figures are for the 2013 edition; the 2022 revision of ISO/IEC 27001 regroups Annex A into four themes with 93 controls, but the approach described here is unchanged.)

The 114 controls should be read as a list of possible and appropriate measures that every company with an interest in information security should consider implementing in its own organization. Not all 114 are equally relevant for everyone, but the standard requires that every control is addressed: each is either implemented or excluded with a recorded justification in the Statement of Applicability (SoA).
If you do not do software development, for example, at least 10 controls can be deselected for the sole reason that you have no development environment in the company.
If no customer requires you to encrypt data, other controls fall away. If you do not operate your own servers behind your own firewall, there are further controls that can be deselected.

To get an overview of which controls apply, ISO/IEC 27001 requires that you keep an inventory, or list, of assets (LoA), giving an up-to-date overview of the company's business processes, databases, hardware, software, networks, personnel assets, buildings and premises. Once you have a complete overview of your assets, you know where vulnerabilities or deficiencies can occur.

In relation to the personnel assets, you should be aware that a lot of knowledge and data in a company is not necessarily documented and written down. Therefore it can be fragile if a key person leaves the organization – in such a situation, important knowledge can be lost quickly.

The 14 main risk areas (the Annex A control groups) in ISO/IEC 27001 are:

    • A.5 Information security policies
    • A.6 Organization of information security
    • A.7 Human resource security
    • A.8 Asset management
    • A.9 Access control
    • A.10 Cryptography
    • A.11 Physical and environmental security
    • A.12 Operations security
    • A.13 Communications security
    • A.14 System acquisition, development and maintenance
    • A.15 Supplier relationships
    • A.16 Information security incident management
    • A.17 Information security aspects of business continuity management
    • A.18 Compliance

GDPR requirements

More and more legal requirements are constantly emerging, which are linked to maintaining effective information security. One of the good examples is the GDPR and the Data Protection Act from 2018.
These specific requirements for the processing of personal data and the protection of privacy led ISO/IEC to publish a further standard in the field in 2019, DS/EN ISO/IEC 27701, which contains requirements for privacy information management systems. It includes the supplementary GDPR requirements that are not immediately apparent from ISO/IEC 27001, since that standard was developed before the GDPR.

Complying with both requirement standards from the ISO/IEC 27000 series covers the organizational and technical measures that the GDPR and the Data Protection Act expect, and at the same time strengthens prevention of information security deficiencies. Note that certification is not in itself proof of legal compliance; the supervisory authority assesses that independently.

Good reasons to comply with ISO/IEC 27001

By certification of management systems is meant an internationally recognized third party attestation, in other words an endorsement of an organization’s management system’s actual compliance with the requirements of selected standards.

With an accredited certification, independent and competent auditors assess whether the organization's list of assets (LoA) and Statement of Applicability (SoA) are complete and adequate and genuinely lead to the security that stakeholders want and expect. They examine whether the rules and practical procedures that make up the introduced security and protection measures actually work and are followed in practice.

Once conformity has been established by collecting evidence through extensive sampling, and once any deviations from the requirements have been closed, the certification body issues the certificate. It expresses that stakeholders can place justified confidence in the organization's security management system.

The certificates are thus diplomas that serve to the stakeholders and the public as visible proof that access control, backup, virus protection, etc. are effective, sufficient and work in practice. Evidence is often provided through tests and trials.

Certification substantiates that the organization is unlikely to be crippled because it did not do enough to prevent security breaches, including cyber-attacks, or to protect individuals' right to have sensitive information about themselves kept safe.

Worst case scenario

If you do not want to spend resources on introducing a management system for information security and privacy, there is a risk that there is no real resilience against cyber-attacks, severe technical failures, fire, severe weather, terrorist attacks, vandalism, serious pandemics, acts of war or similar events.

For example, if you have never tried to restore an entire system from your backups onto a brand-new machine, you do not actually know whether it can be done or how long it will take, and both can be decisive for preparedness and business continuity.
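A restore drill of the kind described above, as an added example that is not part of the original page and not D4InfoNet's code: it backs up a directory together with a SHA-256 manifest taken from the live data, restores the archive into a fresh scratch directory, verifies every restored file against the manifest, and reports how long the restore took. The function names, the `--demo` flag and the paths are this example's own assumptions; it needs a POSIX sh with GNU coreutils (sha256sum, mktemp) and tar.

```sh
#!/bin/sh
# Restore drill for a directory backup. Added example, not D4InfoNet code.
# Assumes POSIX sh, GNU coreutils (sha256sum, mktemp) and tar.
set -eu

# make_backup SRC_DIR ARCHIVE
# Writes the tar archive and, next to it, ARCHIVE.sha256: the hash of every
# file taken from the live data, which the restore is later checked against.
make_backup() {
    src=$1
    archive=$2
    (cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2) > "$archive.sha256"
    tar -C "$src" -cf "$archive" .
}

# restore_backup ARCHIVE DEST_DIR
# Unpacks into DEST_DIR (created if missing); never touches the source.
restore_backup() {
    archive=$1
    dest=$2
    mkdir -p "$dest"
    tar -C "$dest" -xf "$archive"
}

# verify_restore MANIFEST DEST_DIR
# Returns 0 only if every file listed in MANIFEST exists under DEST_DIR with
# the recorded hash; a missing, truncated or altered file makes it fail.
verify_restore() {
    manifest=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    dest=$2
    (cd "$dest" && sha256sum -c --status "$manifest")
}

# restore_drill SRC_DIR
# The full exercise: back up, restore into a fresh scratch directory, verify,
# and report how long the restore took (the figure a recovery-time objective
# has to be measured against). Returns the verification status.
restore_drill() {
    src=$1
    work=$(mktemp -d)
    make_backup "$src" "$work/backup.tar"
    start=$(date +%s)
    restore_backup "$work/backup.tar" "$work/restore"
    if verify_restore "$work/backup.tar.sha256" "$work/restore"; then
        status=0
        result=verified
    else
        status=1
        result=MISMATCH
    fi
    end=$(date +%s)
    echo "restore drill: $result, restore took $((end - start))s, scratch dir $work"
    return "$status"
}

# Usage: sh restore_drill.sh --demo /path/to/data   (--demo is this example's own flag)
if [ "${1:-}" = "--demo" ]; then
    restore_drill "$2"
fi
```

The point of hashing the live data before archiving, rather than hashing the archive itself, is that the manifest then checks what a restore actually produces: an archive that is intact but was written from a half-synced or already corrupted source fails the drill too. Run it against a copy of real data, on a machine that has never held the data, and record the elapsed time; that number, not the existence of the backup job, is what a business continuity plan needs.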

The biggest motivating factor for implementing a management system for information security and privacy is to prevent large financial losses, which can be triggered by common disorder and lack of structure and procedures. The examples can be many, such as:

    • Expected orders that are never invoiced because the records disappear
    • Important research results that disappear because there are no written procedures for documentation
    • CPR numbers (Danish civil registration numbers) and patient records that fall into the wrong hands
    • Manufacturing secrets that inadvertently end up with competitors
    • Dismissed employees leaving with all the know-how when they leave the company for the last time
    • Exposure by mistake of information about journalists' otherwise protected sources
    • Configuration data and traceability information not stored properly
    • Software releases that ship without proper testing or review
    • Copyright provisions that are intentionally or unintentionally violated
    • Confidential board documents and business plans that are leaked by mistake
    • Secret contracts forgotten in the photocopier
    • Credit card and banking information misused in connection with e-commerce
    • Risk of fraud cases, e.g. because segregation of duties for key functions is insufficient
    • Ministers' and officials' text messages deleted by mistake
    • Secret notes disappearing at City Hall

– The list is long.

An information security management system is a tool that requires ongoing maintenance.

If rules and safety procedures do not keep pace with technical progress, if they are not regularly audited, if information security deficiencies are not recorded and dealt with properly, if responsibility for day-to-day operational tasks disappears, it will firstly lead to deviations in the certification body’s ongoing follow-up. Secondly, it will give a false sense of security in the boardroom.

One can go so far as to say that an information security system that has no will, resources, know-how and defined responsibilities behind it is worse than nothing. Certification must help ensure that it does not go so far.

Can ISO/IEC 27001 eliminate cyber-attacks?

The short answer is no.

The cyber-criminal environments at the global level will typically be one step ahead of the information security and IT experts on the legitimate side, who seek to curb attacks through preventive measures, emergency preparedness, response and deterrence.

Briefly described, cyber warfare is carried out by relatively organized groups of cyber-criminals or terrorists who set out to illegally take control of unsuspecting users' PCs or to penetrate an organization's computers and networks in order to cause maximum destruction or disruption of infrastructure, including logistics and supply systems: warfare carried out with digital weapons. Ordinary cyber-attacks use much the same techniques but are often carried out by less organized attackers for their own gain.

An information security management system that complies with ISO/IEC 27001 cannot prevent attempts at illegitimate intrusion into systems for malicious reasons, but the better the information security, the fewer vulnerabilities there are, which overall reduces the risk that people with fraudulent intentions succeed in penetrating the system.
Systematic management of information security also means that an attacked organization has a better chance of overcoming the consequences and limiting the damage resulting from a security breach.
