News takes the next step with ISAE 3402 Type I certification

By Louis Gossieau

PAQT's clients can trust that we set the bar as high as possible when it comes to the reliability, availability, and security of their business-critical application.

That’s why PAQT has been ISO 9001, ISO 27001, and NEN 7510 certified for years. We continuously consider options to raise that bar even higher. This summer, we reached a new milestone: we obtained the ISAE 3402 Type I certification. What does this certification entail? We sat down with the audit’s three key players to discuss what it means for PAQT and its clients, partners, and employees.

"The human factor is incredibly important"

As the head of people at PAQT, Germa Versteijnen is involved in all facets of our co-workers’ peaks and troughs — from onboarding till offboarding. What does this certification mean in terms of ‘People?’ “The ISO and NEN certifications are mainly about security, procedures, and guidelines. But if you have procedures in place without embedding them in your organization, they’re not very useful. So, from a ‘People’s perspective,’ it also really matters how you communicate them — how you familiarize people with them. They are the ones who have to implement and follow them. If this doesn’t happen, it’s safe to say you’re dealing with a hollow procedure. So, the auditor had a close look at the implementation. In this case, the emphasis is on communication and how it manifests itself — for example, in the various meeting structures. Not only is it important that we have these structures, but we also need to show that we really discuss these things during those meetings — for instance, during management team meetings. And merely discussing them isn’t enough. Actions should be the result.”

At PAQT, a standard component of the onboarding process for new employees is the certificate of conduct (Verklaring Omtrent het Gedrag — VOG). “Besides taking on internal communications, Team People also ensures, among other things, that the people who work here are capable. For example, a new employee cannot have a history of security incidents. So, how does our recruitment and selection process ensure we can actually deliver the quality we promise? To give an example, there’s an assignment during recruitment. How do you make sure these assignments are structurally and uniformly assessed? And when the labor market is tight, how do you avoid hiring someone you usually wouldn’t have hired due to insufficient experience or skills? Do you stick with your standards and procedures? These are promises we make, but this certification is an assurance that we actually follow through on them. It really totals up to many pieces of evidence.”

The foundation

“New co-workers often indirectly tell us they notice everything is well organized here. That is, of course, the foundation. Our quality level is really high and we don’t compromise on it. When it comes to quality, taking shortcuts is absolutely out of the question.”

The certification is a baseline measurement, but it also offers opportunities for the future: “It makes us sharper with regards to the future, too. Is there an area where we can achieve an even higher level of quality? Suppose you currently provide someone with verbal feedback on their assignment. Now, we might look into the options of offering it in writing as well. For putting something in writing ensures a bit more uniformity in your way of working.”

As with the ISO and NEN certifications, an audit like this keeps us on our toes, too. “Someone from outside the organization is taking an inside look and gives feedback on how you can further improve things. This helps you avoid developing blinders — which can happen when you’ve done the same thing in the same way for a very long time.”

"We want to be the strongest link in our clients' software chain"

Maurits Dijkgraaf, business strategist and director, says, “Our clients entrust us with their business-critical applications. They should rest assured that these are in good hands. In many applications that we manage, an absolute wealth of sensitive personal and financial data is sent back and forth. But it’s not just about information security — the certification also reflects business continuity, people, technology, and processes. For example, the certification checks contracts with our suppliers, too. Are they keeping their agreements with us as well?”

“For our clients, important software is increasingly part of a chain. And we want to be the strongest link in that software chain. Our clients’ customers also want to know who is behind the technology. Of course, it’s really great to have an ISO 27001 certification. But with this new certification, our clients can prove that their tech partner’s way of working is as they claim it to be. More and more large companies across the globe want to get insight into this as part of a standard procedure. The fact that we’ve obtained this certification sets the stage for our clients to attract larger and strategically more important customers.”

“So, if PAQT wants to serve the highest level of clients, we need to demand the highest level of control. Obtaining this certification is proof that we actually achieve the highest standard we aim for.”

The highest standard you can achieve

“We believe it’s always good to have an external party look at your company. The annual ISO certification already had us do that, but now this certification does the same. It keeps us on our toes. I am happy to further reinforce the company’s foundation. A good connection and goodwill are important when it comes to clients, but this report shows that this good feeling is justified. This certification is the highest standard you can achieve in this area. In our market, hardly anyone has obtained it.”

“Procedures aren’t worth much if you don’t perform them”

“For Team Tech, Access Management, Vulnerability Scans, Backups, and Capacity Management are interesting to highlight,” says Arlon Antonius, software architect at PAQT. Backups are a great example. “One of our procedures, for instance, is that we perform a backup test every 3 months. The ISO certification requires you to have such a process in place. The ISAE 3402 Type I certification poses a follow-up question: ‘How have you guaranteed it?’ But also: ‘How do you make sure it goes the way it should go?’ We’ve agreed that should something go wrong, our hosting partner will let us know. And this certification requires us to provide evidence of that. It doesn’t just take a very critical look at us, but it also checks whether our suppliers perform their tasks for us in the agreed upon manner.”

Be specific

“It’s really obvious that someone with tech knowledge has vetted us — someone who also asks sharp follow-up questions. An example includes server access (part of Access Management). If you simply state that PAQT’s employees have access, you’re being pretty vague. You only want to grant this right to specific co-workers and substantiate the reason for it. That’s something we’ve included in this report, too.”

“The same goes for Vulnerability Scans and Capacity Management, among other things:

  • With Vulnerability Scans, you perform a test prior to every software implementation to detect and resolve vulnerabilities.
  • With Capacity Management, we ensure an application always has enough capacity to perform.

Our auditor requested documentary evidence of both procedures that proves we have recently done these things every single time. These are great procedures that help you keep the quality of the software high, but they aren’t worth much if you don’t perform them. It’s called an assurance report for a reason: we assure that we verifiably do what we promise — instead of just talking about it.”
