ISO 27001 certified since January 2017, the Bourse de Tunis stock exchange has rallied its staff around targeted measures to guarantee the reliability and security of its IT systems – with high stakes for this key player in the Tunisian financial market.
How did you hear about ISO 27001 certification?
As part of our quality initiative, we make it a point to stay informed about existing certifications, especially those that are the most suitable for our management systems. In this case, the certifications were ISO 9001:2015 Quality management systems and ISO 27001 Information security management systems.
Why was it important to commit to this process?
The Bourse manages the Tunis securities market. As in many other countries, it is the only one in place. So it has a monopoly on the market. Consequently, we need to both be forward-looking and hold ourselves to exacting standards with respect to our customers. We manage financial data and confidential information on a daily basis. So we have to simultaneously guarantee the integrity of the information, preserve confidentiality, manage IT risks and so on. To respond to these imperatives, we have both human and material resources. But to ensure the quality and performance of our IT systems – interfaces central to data management – we implemented an information security management system based on the voluntary international standard ISO/IEC 27001. It helps us sustain this management method and issues key requirements. The next logical step was to go even farther, and to have a certification mark of recognition, quality and confidence. Our ISO 27001 certification, which we got in January 2017, covers all of our business, and in particular the management of the securities market.
Did you get support in this process?
Yes, we picked a firm with which we launched a call for bids among the certification organizations. AFNOR Certification appealed to us because of its expertise, its reputation and its staff at the local level (AFNOR Tunisia). This let us hold discussions with third-party auditors based in Tunis. This was a nonnegotiable advantage!
What results have you seen?
One month after getting our certification, staff are already thinking about how to improve certain things! Indeed, internally, employees really did get involved in the certification process. They followed the processes implemented, took an interest in the steps to take, etc. All throughout the process, everyone’s role evolved. The people in charge of the IT systems really took ownership of the ISO/IEC 27001 standard. They haven’t hesitated to ask for new tools for report preparation or information gathering, for instance. They’re developing new reflexes.
Right now, our staff is increasingly in a “process” mind-set, and less focused on their business activity, in the strict sense of the word. As for the results concerning our customers, it’s a bit early to assess. We are also planning on some publicity campaigns to highlight our certification. This is also a good opportunity to increase awareness within our ecosystem about the steps we’re taking to improve the quality and security of our IT systems.
Did you encounter any difficulties?
We were confronted with resistance to change, which is common in such projects. Employees sometimes tend to see the limits before anything else. To get beyond that, we implemented a coaching programme. Its aim was to increase awareness among employees about our certification process and explain the different steps concretely. In the end, this initiative paid off! The employees got on board with the project. Thanks to this common effort, we got our certification by working together. It wasn’t the work of just one person. Everyone was able to get over their apprehensions.
What are your next projects?
We didn’t waste any time before launching into our next challenge! Since January 2017, we’ve been involved in the process of ISO 9001 certification, 2015 version. We hope to get this invaluable credential sometime this year.
Interview with Bilel Sahnoun, General Manager of Bourse de Tunis, and Hatem Ben Ameur, Head of the Risk and Quality Department.