How TomTom achieved ISO certification in months rather than years

ISO Certificates set standards for everything from bicycle helmets to the security of information systems like computer networks. The process to obtain ISO certification usually takes years, but for TomTom, it managed to obtain certifications in a matter of months. Here is the story of how the location technology company got its ISO/IEC 27001:2013 certificate.

Before we dive in, let us look at the specific ISO standard that TomTom is now certified for: ISO/IEC 270001:2013. Unless you are familiar with what these letters and numbers mean, it looks confusing, but in short, this certificate covers: TomTom's commitment to proactively manage information security, ensuring it is compliant with regulatory and customer requirements.

This is a major achievement for TomTom to have its ISMS certified. The certification covers several of the company's key operations and services that support the creation and delivery of Maps APIs (Applications and Programming Interfaces), a product that is used by several big-name tech companies to provide in-app and on-platform mapping.

Jukka Silomaa, Head of Governance, Risk and Compliance, who led the certification process told me, “This has been the largest security transformation in TomTom history. Governance structures, security capabilities and management systems are enormously powerful to drive transformations. For us, the main purpose of going through this security transformation is to protect the company's information and related assets. But it also created opportunities to learn, experience and understand the way we and our ecosystem is approaching security.”

Certification in a matter of months

With that in mind, TomTom started its journey to ISO27001 certification by building a core team out of members of its Safety and Security and Service Platform organization units.

Other business units such as Legal & Compliance, Human Resources and Facilities together with its Top Management and Senior Leadership provided additional support and direction.

This process began in April 2021, when the core team, broke the project into manageable pieces, assigned responsibilities and had first information calls with the people and units relevant to the scope of the task. At that time people realized the urgency, Silomaa says, and they put their best foot forward toward the goal of ISO certification.

Collaborating across the teams, TomTom was able to execute a management system that covered the organization. This allowed Silomaa and his colleagues to understand how the company controls and manages information security risks, according to globally recognized best practices. And of course, they managed it in just 8 months, and with it the company obtained its certification. The current scope of certification covers the largest sites in Amsterdam, Netherlands, Berlin, Germany and Lodz, Poland.

TomTom’s Chief Security Officer, Jarkko Rautula, is keen to emphasize just how important and valuable cross-company collaboration was to implement the management system that would eventually earn the company its ISO certification.

“It shows what we can do when we all work together across teams, units and functions. Every person's commitment, creativity and passion enabled us to prove ourselves to customers and helped us sharpen our competitive edge,” Rautula said.

Silomaa agrees, adding, “One of the main reasons we were successful at obtaining ISO27k certification was our teams’ collaboration – everyone was playing the same game and targeting the same milestone. We were lucky to have the right type of people taking part in the security project. It was not only about the technical skills of these individuals, but most importantly it was about their attitude.” In a tech company, security does not come as a given, it must be designed and implemented throughout the whole organization. Having a certified information security management system is important to secure the assets, and trust, of current and future business. “Customers trust us in taking continuous improvement seriously” Silomaa says.

It’s about more than technology, it’s about teamwork

The fact that TomTom managed to pull off a process that normally takes years in a matter of months cannot be downplayed. Also, it should not come across as a rushed job either. TomTom was able to gain certification in such swift time thanks to collaboration, well organized teams and lots of expertise. According to Silomaa, this process is not over either. “It is one of our priorities to continuously improve our information and cyber security to address business risks and to ensure that our customers can trust our security practices,” he says.

Silomaa is also happy to say that he thinks TomTom has the best engineers and technologies, which allows them to work more productively, creatively and deliver the best products and services for the business.

“At TomTom we are fully committed to ensuring that our Information Security Management System is applied in the most proper and effective way as we deliver value and grow our business,” Silomaa adds. He says it’s incredibly important to the company to continuously improve its information security, safety and privacy and excel within business.

Silomaa highlights that the right attitude, cross-team collaboration and fast learning is what made it possible to receive the ISO certificate in such a brief timeframe. Indeed, within TomTom, and even the wider information security community, Silomaa, Rautula and their colleagues deserve a round of applause for making impactful change and not letting the magnitude of the challenge stand in their way.