Trust is built with consistency.
Leaseweb has rapidly expanded its business across the globe in the past years. As a result, there were many separate and standalone certifications for different services and products within our organization, several of which overlapped. A restructuring of the compliance portfolio was needed. Last year, we started with a clean sheet to completely rebuild our global portfolio. In addition, we initiated the search for new audit partners who could support this mission together with our procurement department.
Today, I would like to provide you some insight into how we handled the restructuring.
These are the steps we took:
- We started with risk workshops throughout the company in order to establish a risk landscape. More than 60 colleagues, from receptionists to developers to shareholders, participated in eight sessions;
- We discussed with our management which risks they deemed acceptable (risk appetite);
We identified requirements from interested parties: clients, regulators, partners, employees, society, etc.; - We identified different legislation requirements in all countries where we operate;
- We listed all the contractual requirements that clients have (especially the deviations);
- We identified the applicable certifications and standards we wanted (or were required) to be compliant with.
Based on the risk landscape, our risk tolerance, input from interested parties, government legislation and the required certifications/standards, we created one integrated IT assurance and compliance approach in-house, known as the Leaseweb Trust model. The goal was to balance effective control with business efficiency between processes, systems, risks and interested parties. We also eliminated all overlap and unnecessary controls and streamlined the remaining ones. In the end, we reduced the amount of controls by more than 80% from 954 standalone and local controls to less than 100 global key controls.
Our custom-built compliance framework now covers all standards (ISO 27001:2013 for information security, PCI DSS v3 for credit card safety and SOC1 for assurance reporting) and all independent Leaseweb entities and products (except CDN). We will also use the framework to incorporate future introductions of new frameworks (such as HIPAA, and the NEN 7510). The modular structure makes the framework flexible and robust for the future, which is especially useful because of the continuously changing threat landscape.
We selected independent auditors for PCI DSS (ComSec Consulting), ISO (CertifyPoint), and SOC assurance reporting (EY – formerly known as Ernst & Young). EY was the lead audit partner and Project Management Office (PMO) who supported us in the process of reviewing and verifying the Leaseweb Trust model. The auditors played a key role in the whole process of creating a new compliance approach, since the Leaseweb Trust model is the foundation for this. It also enabled our audit partners to work closely with each other and to benefit from each other’s field testing. So we maximized efficiency by not only cutting the overlap between standards but also between the testing activities of the three different audit firms. The restructuring resulted in clear efficiency improvements. Now, for example, when we test one physical security control in our framework, we indirectly cover nine separate controls in the various different standards. The new framework will no doubt save a lot of people’s time, prevent unnecessary controls and will provide more added value as it is completely tailored to our business and risk landscape.
All in all, it took several months of hard work to realize this. Was it worth it? Absolutely. This new framework is now integrated worldwide. It means that you as a customer are able to benefit from the same certifications all around the world. We deliver highly advanced and innovative technical solutions which our customers, partners and regulators can rely on. But before you rely on something, you need to be able to trust it and before you are able trust something you need to verify it. And that’s what external independent auditors and certifications are for.
Want to know more? Visit our certification page for details and relevant documents.