• “In the age of digitalisation, information is increasingly volatile, it is generated in greater volume and we are far more dependent on it. Therefore, protection is vital to guarantee the integrity and availability of data”. This is how Xavier Ferretjans introduced the last ‘Knowing for Growing’ meeting of Turistec, dedicated to the implementation of ISO 27001 in the tourism sector. Dingus was presented as a success story in the establishment of the standard.

The expert, who is responsible for new technologies at BinauraMonlex, pointed out that this standard provides a series of tools “for organisations, companies and governments to use and maintain their information security management systems. It is a systematic approach to securing information considered ‘sensitive’ to the entity’s policy, which can be basically any type of information: financial data, employee data, intellectual property, third party information, etc.”. Ferretjans remarked that this ISO is not limited to the technological part, and that the tourism sector “needs to increase its security, as it deals with increasingly sensitive data that now also includes health and/or sanitary information. If we add credit cards, we have a very complex technological framework and, therefore, susceptible to cyber-attacks”.

Dingus: implementation case study

For Jaume Monserrat, CEO and co-founder of Dingus (Hitt Group), the ISO 27001 obtained in 2015 (when only six other companies in the Balearic Islands had it) and recently renewed, has given the company “firstly, the value of credibility. Because of our service position in the market, we have to respond to a continuous flow of information that comes and goes through the actors involved in buying and selling, in this case the hotel product. We are talking about billions of transactions that take place continuously with a wide variety of information”. According to his testimony “the first thing that Dingus considered was to make sure that both our work processes and the implementation of security regulations were adequate, and also what requirements we should have as stakeholders, in order to ensure that we had the capacity to respond to any incident related to information security”.

It has also been important for our brand positioning as a supplier of technology for tourism, because “getting this label opened many doors for us. Without this ‘card’ we simply could not compete on certain international highways”. And as for the return on investing in the implementation of ISO 27001, Monserrat believes that “it is an approach that must be taken in the medium and long term. These are measures that have to be fully aligned with the company’s strategy and measured in terms of capacity for growth and improvement. In this sense, the performance has been brutal and facilitates the interaction with partners, whether technological or business”. Monserrat was convinced that these standards are here to stay and, moreover, will be a quality filter, assuring that “right now at Dingus, with ISO 27001, can’t hire just any cloud provider. And I believe that all this is going to spread because in our sector it is essential to generate security”.

Asked what the implementation process was like and where the company is now, the Dingus CEO acknowledged that “the standard is not simple. It may not be as comprehensive as other better known standards, such as ISO 9001, but it is not a simple approach. You have to start in bits and pieces, even if the strategic vision has to be global: if you think of it as just another appendix to get the stamp, the title, that’s no good at all. In our case it might have seemed simpler because we were a digital native company, but the implementation meant that many of our original strategies had to be adapted, even changed, because the standard itself made us rethink many aspects. After a few years (six in our case) is when start to evaluate what the standard has brought beyond the short-term results”. Jaume Monserrat also pointed out that, in addition, “it is a standard that not everyone understands. But this is changing and I believe that it will become a requirement, at least in sectors such as ours, a very complex industry that handles a lot of information and faces the serious challenges of cybercrime”.