On February 28, Rwanda Revenue Authority (RRA) attained the ISO 27001:2013 certification, a globally recognised international standard for managing risks related to the security of information held by organizations.
To achieve the feat, the revenue body successfully passed an intensive audit to ascertain its level of protection of the privacy of taxpayers’ information, as well as how it safeguards the confidentiality, integrity and availability of information.
The implication is that RRA follows a robust and globally recognised approach that is focussed on continually improving internal processes and mitigating business risks to meet the needs and expectations of taxpayers and strategic partners. This particular standard takes into account the safety of people, processes, policies and technology infrastructure against any unauthorized access.
According to RRA, the attainment of this ISO certification marks a significant milestone in the institution’s digital transformation journey to drive and enhance overall information security systems and risk management framework.
In addition to this, RRA holds the ISO 9001, a standard for Quality Management Systems (QMS), which it initially acquired in 2008 and has maintained to date.
In an interview with The New Times, Jean-Louis Kaliningondo, the Deputy Commissioner General of RRA, reflected on the significance of the two certifications in terms of global recognition, assurance to RRA’s clients and partners, as well as setting a challenge for the institution to maintain the efforts.
“It sends a message to customers and partners that you are actually following international standards of best practices for that field in which you have been certified. So, on one hand, it is a message that we are giving to the rest of the world, but on the other, it is a control that we are giving to ourselves to improve our performance and operations as RRA,” he said.
He noted that RRA strives to ensure the security of the information entrusted to it by taxpayers and partners, as he zeroed in on the implication of the recently acquired ISO 27001 certification.
“By attaining the ISO 27001 certification, we are sending a message that we are not going to use this information lightly. It is going to be secured to the best of our effort, with the best processes, policies and technological products. We are going to do everything possible to ensure that information is kept safe, delivered only to the people who have authorization to access it, and we will strive to make it available when it must be available,” he stressed.
He explained that information security is a pervasive concept that goes beyond digital systems and takes into account many other factors, including the safety of the physical premises of an institution, recruitment policies and operational processes, among other things.
“The principle of voluntary compliance under which we function requires us to try as much as possible to protect the reputation of our clients - who are the citizens of this country. We put effort in protecting their reputation by not divulging their tax information,” he said.
Asked what RRA will be doing going forward, he said they will be putting effort into maintaining the achievements.
“The real work starts now, keeping what we have acquired,” he said, “This will require a lot of awareness. We want the content of these standards to become part of the culture of our staff. We should ensure that our staff are sensitized constantly about what the standards require of us, so that they are always compliant. The staff are the most important resource of every organisation,” he said.
Every year, ISO-endorsed auditors carry out documentary checks on RRA, and every three years they do an extensive audit to determine whether the institution still deserves to hold the certificates it attained.
“This is interesting because it keeps you on the tip of your toes as an organisation to strive in your daily routine to keep compliant with the requirements of the standards,” Kaliningondo said.