"ISO is like a little bible for us"

Huge volumes of data pass through the PostNord Strålfors system every day. Åke Andersson holds ultimate responsibility for information security.
“Customers make demands and we deliver. It’s actually as simple as that,” he comments.


ISO is a set of international standards that can be used as the basis for a management system, for example, or for tackling environmental or safety issues at an organization.

Åke Andersson is head of information security at PostNord Strålfors. This means he holds responsibility for information security in the IT environment, and that he determines who has access to what in the systems, what needs to be encrypted, and how data are stored. 

“I come in at a later stage, once our sales organization has done its job and it’s time for us to work with the customer’s solutions,” he says.

PostNord Strålfors has a number of “out of the box” solutions – Mobile Invoice, Dynamisk Communication and We Mail, to name but a few.

“Here, all processes are ready in each solution so if a customer purchases one we know how to handle the security,” confirms Åke Andersson.

If they are required to work with a more complex customer solution, PostNord Strålfors and the customer sit down to define the assignment together. 

Better after GDPR

“ISO is like a little bible for us in our work. It helps us in all areas,” says Åke Andersson.

All data are sent via a secure file transfer program (SFTP for short) today.

“This is one of many improvements for which we can thank GDPR, the new data protection regulation. All processes have now been thoroughly reviewed, and all weak links have been dealt with. 

One example is that we now require all data transfers between us and the customer to be run though a secure file transfer program (STFP for short). This wasn’t a requirement previously,” explains Åke Andersson.

Åke has also seen major improvements in the area of agreements following the introduction of GDPR.

“The fact that everyone has been obliged to check through their NDA (Non Disclosure Agreements) and DPA (Data Protection Agreements) has resulted in a lot of things falling into place,” he says, and continues, 

If something unforeseen occurs

“Of course, much of our work is already regulated by our ISO 27001 and 27002 requirements, which we naturally comply with in full. What’s new with GDPR is that we sign a separate DPA with each and every customer.” Under the terms of GDPR, customers are entitled to require PostNord Strålfors – as the Processor – to have a Data Processor Agreement, as they own the information. 

Åke Andersson describes his job as spending a great deal of time behind a desk and in meetings. Nevertheless, no two days are alike.

“I have a lot of dialog with the business. There are all kinds of things that have to be assured.

Our agreements with the customers feature regulated audits. This entails meeting regularly to check that everything is running as it should.  

Audits can focus on anything: physical security, how the infrastructure and information security system is built up, or how securely our network is constructed.

“It depends entirely on what the customer wants to know,” says Åke Andersson.

PostNord Strålfors has plans in place to handle both large and small disruptions.

“We’ve built up our infrastructure in the same way everywhere, which means that we can easily transfer production from one physical site to another,” says Åke Andersson.

“But our BCP (Business Continuity Plan) is so firmly established and finalized that it’s not even certain that I’ll be involved if it happens.” 

In contrast, Åke Andersson is informed of most IT-related incidents. And in the unlikely event of a bigger problem arising, the PostNord Strålfors DRP (Disaster Recovery Plan) is activated.

“In that case, we focus unswervingly on securing and moving data so that we can quickly have our business up and running again.”

GDPR has made a big difference

Lars Lundström at PostNord Strålfors describes GDPR as a wake-up call.

“Today, everyone is thinking carefully about what they need. This wasn’t always the case previously,” he says.

As the person responsible for PostNord Strålfors’ digital services, Lars Lundström handles a great many questions from customers about how they should work with data and archiving. As an example, he cites customer service departments at customers who, before GDPR, could have archives containing mountains of historical data – information that nobody needed. 

“Nothing was deleted. But GDPR features standardization as its foundation, so the discussion is now about non-conformances instead. This results in healthier archiving practice and improved data processing,” he says, adding,

“As everyone must have complete control, processes and regulations have now been put in place. No exceptions.”

IT and security issues affect everyone in their everyday working lives. 

“Fundamentally, we’ve been obliged to change our way of working following the introduction of GDPR,” says Lars Lundström.