At Purple we view ISO 27001 as a license to operate. Our customers depend on us for business-critical communication services, software and platforms. That trust only exists if information security is governed, measurable, and continuously challenged. For us it is a requirement, a license to operate.
“Security is not something you solve once. It is something you practice every day, in every decision you make. That only works when information security is owned at leadership level. ISO 27001 helps us make security a shared responsibility, not an IT afterthought.”
- Robert Jeninga, COO
What matters most to us is not the certificate itself, but the discipline and vision behind it. ISO 27001 forces clarity for any organization. It requires us to define ownership, identify risks honestly, and make conscious choices about how those risks are treated and managed. It prevents security from being assumed, getting stuck in good intentions, or remaining implicit altogether.
In practice, this shows up in our day-to-day work. Projects start with risk awareness rather than retroactive fixes. Access is granted based on role and necessity. Changes are assessed, documented, and reviewed. Suppliers and partners are evaluated not only on capability and cost, but also on security posture. Technical measures are implemented, monitored and managed proactively.
Our Information Security Management System is actively used and continuously improved. Risks are reviewed, controls are tested, incidents are evaluated, and lessons learned are translated into concrete improvements. Security awareness is not limited to audits or training moments, but is part of how people work at Purple. Making our people security aware is quite possibly the most challenging part. How do we keep people from becoming too relaxed about applying information security in our organization? By making it part of their DNA, their way of working.
“ISO 27001 helps us turn security from intention into execution. It creates structure, accountability, and transparency across the organization.”
— Mark Jonkman, Security Officer, Purple
Let's be honest: we need to be realistic about risks. No organization can eliminate them entirely, and they are constantly changing. ISO 27001 does not aim for perfection, and neither do we. What it provides is a structured way to prepare for uncertain times. Practicing incident response, readying continuity planning, understanding supplier dependencies, and building recovery scenarios are best addressed upfront, so decisions are not made under pressure when it matters most.
For our customers, this approach provides confidence and predictability. Information security is governed at management level, risks are actively managed, and controls are applied consistently across people, processes, and technology.
Ultimately, ISO 27001 reflects how we view our role as a technology partner. Security should enable progress, not slow it down. When embedded properly, it creates trust, resilience, and clarity. That is why we invest in it. And that is why we continue to hold ourselves accountable to it.
Let's Go Purple.