Following a lengthy auditing process, NORDUnet’s management regime for data security is certified as complying with the leading international standard.
In recent years, ISO 27001 has become the world’s leading information security management system (ISMS) standard. By late June 2025, NORDUnet received the certificate documenting compliance with the standard.
“Given the rising level of cyberthreats, it is only natural that still more external partners take interest in what we are doing in the field. And often they ask specifically about ISO 27001. For instance, this is often a requirement in EU tenders,” says Josva Kleist, Chief Technology Officer at NORDUnet.
ISO 27001 does not require specific technical solutions to be implemented. Instead, an organization under audit must do a comprehensive initial risk assessment, the CTO explains:
“For instance, we mapped the security risks associated with each of the services we provide. Next, we would assess if these risks were at an acceptable level – meaning they could be managed during daily operation – or if they were unacceptable, meaning we would have to implement more radical measures to reduce these risks.”
Better documentation is the main improvement
The auditing has not resulted in any major changes in the way NORDUnet handles cybersecurity, according to Josva Kleist:
“Still, this has been a very healthy exercise. We had to scrutinize in detail how we handle data security. In close to all cases, we knew we were already addressing the issue appropriately, but we were not always able to document this. We are now. Notably, the people responsible for the data security of our services have obtained a methodology allowing them to explain to management what they are doing.”
The certification process has added to the work hours of the technical staff, the CTO admits:
“We spend more time on documentation now, but it is worth it. Anybody can claim they have a high level of data security, but thanks to the certification we can document this.”
A never-ending process
While valuable, the ISO certification is just a first step, Josva Kleist explains:
“We will be required to comply with upcoming EU regulation, and much of the content will be equivalent to ISO 27001. Thereby, we will have a head start.”
The EU directive NIS2 (the second directive on Network and Information Security) aims to disseminate high standards for data security management to a wide range of organizations across Europe. By October 2025, organizations within the directive’s scope are requested to register with their national authorities, and by early 2026 some of them will be selected for audits.
“We all remember the process around the GDPR directive some years ago. Despite extensive attention leading up to the implementation, it seemed that everybody was quite unprepared when it finally came. We are determined not to be caught by surprise this time!”
The ISO 27001 certification is valid for three years. A yearly self-evaluation and an external evaluation are required.
“Information security is an ongoing process. There is no end goal, we will need to find improvements constantly,” the CTO emphasizes.
ISO 27001
The ISO 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
Conformity with ISO 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
ISO 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.
Source: International Organization for Standardization (ISO).