Security as standard – ISO 27001
Hailey HR is ISO 27001 certified. ISO 27001 is an international standard for information security that requires structured processes, clear policies and proactive risk management.
The platform's security is already top class. For customers, ISO 27001 provides additional assurance: that security is taken just as seriously in the internal processes as it is in the product. For Hailey HR, it means secure practices that stand the test of time.
Sandra Eriksson, Compliance Officer at Hailey HR, talks about the journey and what it means for the organisation.
Security across the organisation
"At Hailey HR, security has been part of our work from day one. But for it to work in practice, the clarity in our internal guidelines and communication needs to be just as strong as our technical solutions," says Sandra, who coordinated the certification process.
From the start, Hailey has used ISO 27001 as a framework for its security work, but the formal certification process only began when the company reached 100 employees. The timing was deliberate. Implementing an information security management system is extensive and demands a lot from everyone in the organisation. What it looks like in practice with 10 employees versus 150 is vastly different.
"If we'd gone through certification early on, the structure wouldn't have been as sustainable once we'd grown to our current size. We've built up both the organisation and the expertise ahead of the audit. We realised early on that specialist legal expertise in-house would be essential, and today we have two lawyers who've been able to drive this forward in relatively short order," says Henrik Jakobson, CEO at Hailey HR.
Security and simplicity for customers
Certification means that information security work is continuously improved and maintained, with regular reviews by an independent third party. Customers can be confident that a standard developed by subject matter experts is being followed, without having to invest costly resources in their own audits.
"We want to be proactive and ensure our users feel secure. An important part of that is demonstrating we're worthy of the trust they place in us," says Sandra.
It's partly about security, but also about simplifying the procurement process for companies choosing Hailey as their supplier. Rather than spending resources on their own audit, they can reference the international security standard ISO 27001.
The certification process in practice
There's no prescriptive approach to what an ISO-certified organisation should look like – only that the certification requirements must be met. How you get there is up to each organisation. At Hailey HR, the work began by establishing focus groups with representatives from each department.
"It's an organisational task that can't be carried out by one or two people. The standard itself makes clear that the work needs to be embedded throughout the organisation," Sandra explains.
For her, the focus groups were crucial for quickly understanding how different departments operate and identifying problem areas without disrupting day-to-day work. But ISO certification isn't a one-off project. It's an ongoing part of operations, where the focus groups continue to play an active role.
"When representatives from all departments are involved, people feel invested in the process, which supports compliance," Sandra explains.
Structure for sustainability
With new routines and clearer frameworks comes some adjustment. But the fundamental principle has always been that work should be sustainable and rewarding.
"Efficiency, security and quality are interconnected. Implementing clear routines and role definitions can feel restrictive initially, but it creates a more sustainable working environment in the long run," says Sandra. "The result of this work should be security that drives quality and continuity."
Certification is also about securing the future and succession planning. Without documented roles and areas of responsibility, quality and security can be compromised when tasks and accountability rest on informal agreements with individual employees.
"Much of the certification involves documenting and establishing clear frameworks, with formally defined roles and areas of responsibility," Sandra explains. "It's a quality assurance measure that makes us less vulnerable to organisational change."
The most challenging aspect has been what's probably challenging in any organisation going through change: new requirements that need to be rolled out and new routines that aren't always met with immediate enthusiasm. It becomes a question of priorities – one that's worth addressing.