November 20, 2020

ISO 9001 and 27001: 6 Lessons Learned

In the last month, the Team at Ember have successfully achieved both ISO27001 and ISO9001 certification through working with external auditors QMS UK. Our intentions to undertake the certification were set earlier this year when we went through a stringent assessment process as part of the Digital First Standard in Scotland during the delivery of our SaaS platform for the Global Scot network. After successfully completing this assessment we felt that everything was in place to move onto gaining the certifications quickly. 

Certification has been a massive achievement for the whole team and we just wanted to share some of the experiences and lessons we learned along the way for anyone contemplating going through the same process.  

However, it is worth saying that we had a good starting position in terms of our processes and policies so the audit process for other companies will be very different based on where you are right now but hopefully you will find some of our lessons learned valuable in helping you to make some decisions prior to certification, which should hopefully save you some time and money.

Our starting point

Over the last four years we have grown our internal processes and quality systems in line with our company's steady organic growth. The challenge through the early period was to build a culture of quality and security awareness within the organisation while maintaining delivery and operational commitments by our clients.  It hasn’t been without it’s pain and pressures, especially at certain delivery crunch points, but we are pretty proud to have put in place a well-oiled Security and Quality Management System that has allowed us to engage with some amazing, large clients and tackle some of the toughest societal problems out there. 

We found that as the level of complexity and size of our projects have grown, so has the level of due diligence over both our Quality systems and our Internal Security policies and measures.  This comes with an instant overhead and justification every time we undertake new work with a client or participating in a large and detailed procurement process, spending large amounts of time responding to specific security or quality questions.

Recently while working with Scottish Enterprise we were required to deliver a Digital First Standard compliant system for the Global Scot network.  Although we had the internal processes and systems in place, we found that the level of documentation and explanation needed was much more extensive than we had previously been subject to. By going through this rigorous process it forced us to surface our existing internal operational processes and plans into a set of documents and policies. This became more of a communication exercise because we had already built the culture and processes to comply with the standard; it was simply a task of documenting what we already had in place.

ISO Lesson 1: Build your security and quality culture first. It’s more difficult to layer it on top
Because we had an existing internal culture based around security and quality, we didn't have to change much from our day to day operation, all we needed were clarification documents to present to the external assessors.  Anyone thinking of embarking on this process should start building this culture now!

‍Why ISO27001 and ISO9001?

As we reached the end of spring and the start of summer 2020, the global pandemic was really tightening its grip on the economy however, our business was continuing to grow and we felt it was the right time to invest in our own certification to help develop our business. After undertaking the majority of the Digital First Assessment in the Spring and early Summer it was a natural step for us to take in order to achieve the ISO certifications and we felt the level of internal investment to achieve this would be minimal. By obtaining the certifications we knew it would mature us as a company and rubber stamp our internal processes and policies to any new or potential clients.

Finding the right partner that could help us through the whole certification process and undertake the audit itself proved extremely daunting, the audit market is highly competitive and there are a lot of providers out there.  After careful consideration we chose to work with QMS UK for both of our certifications. We couldn’t recommend them more, they were fantastic! Communication was clear, the audit itself was excellent and the people we dealt with were all really good and knowledgeable and put us at complete ease through the whole process.

ISO27001 Audit

Our ISO27001 audit was a two-stage process involving an initial 3 day audit, which in normal circumstances would have been done on site but due to the pandemic was conducted remotely. A second 1 day audit to review any of the initial audit failures was scheduled one month after the initial session to see what measures we had put in place to address the failures and hopefully provide us with our certification. From the initial meeting it became apparent that because we had implemented a robust and wide covering Security and Information Governance Policy document with the staff, then our ISO27001 journey would be pretty straight forward.

ISO Lesson 2: Put in place a well thought out Security and Information Governance Policy as quickly as a you can

Although we were a small company, we had put in place a Security and Information Governance policy after the first year of trading. We felt that building this culture and enforcing it would help us deal with larger Enterprise clients. 

Putting this Security and Information Governance Policy in place in our first year of formation provided us with a good foundation to start from but we did have to adapt it over time to reflect both changes in regulations but also to accommodate some new client requirements which came up through procurement processes. It was important to us to make sure this policy was easy to follow but also had sufficient detail to ensure we were compliant. We therefore took our time and created the policy from first principles. It was a real balancing act to get this correct!

ISO Lesson 3: Make sure the Security and Information Governance Policy works for your company and still goes into the detail
Our policy is 58 pages long and covers everything from access controls all the way through to data deletion procedures. It has grown over time and is reviewed and updated frequently but is easy for our staff to consume. 

We would suggest avoiding very simplistic online templates; they are too simple and generic and I would suggest in most cases they do not fit straight into a company culture. With a bit of time and effort you can cover this off yourself. Most of this is common sense and it can be validated during the ISO audit process.

Because we had performed on-going self-assessment through Cyber Essentials in the previous 3 years prior to our ISO audit, we were already taking steps to make sure that all our staff and suppliers understood our Security policies and systems on a regular basis.  Although it wasn't a requirement for Cyber Essentials to capture acceptance and feedback of the policy, we had put this in place as a matter of process and good practice. Because this policy document became the cornerstone of the audit, it became easy to evidence conformity through the audit process because we were regularly reviewing it and sharing it with the staff for their input.

ISO Lesson 4: Keep your staff and suppliers up to date with changes to your Security and Information Governance Policy
This constant pulse check with the staff over the last four years enabled us to build and maintain a culture that was conformant in general to ISO27001. A little effort over the last four years saved us a mountain of effort in the audit in evidencing this compliance. 
Don’t just blast your Security Policy to your staff, engage them with the policy decisions and get them to contribute.

For us the entire ISO27001 process was straightforward and the amount of internal investment needed to complete the process was justified easily by the time we would save in future due diligence and tender processes. 

ISO9001 Audit

The certification for ISO9001 was similar to the ISO27001 in that it was performed through two audits a month apart. The first audit was a single day of time and was pretty straightforward, mainly because many of us had worked for businesses previously who were ISO9001 certified so when we started Ember we ensured that these quality management processes were put in place from the start.

To deliver some of the more complex projects, which are often deep in Technical Risk and User Adoption Risk, we put in place a bespoke project delivery process which is layered in Design and User Research for the discovery phase and then combines methodologies from both Waterfall and Agile for the technical delivery part.  The process has always been used to deliver a Commercially Viable Product (as opposed to 'MVP') within a known approximate price scenario where the right features are prioritised by harnessing the power of real User Research and Co-Design. You can read more about our Co-Design process in action here

We have always taken the quality of our processes and products seriously and have layered a Stage Gate review process over the existing project lifecycle. This means everything we do goes through a series of checks and inspections at various points with relevant stakeholder sign-off. Using this Stage Gate process has provided us with a way of having an ongoing input and sign-off at each stage, ensuring anything that we publish into the public domain has had stringent and serious inspection at every stage prior to going live. Ownership is also an important aspect of the process and within each single stage a single individual is responsible for the quality and obtaining the correct sign-off in order to transition to the next stage.

ISO Lesson 5: Ensure roles and sign-off are explicit to certain individuals/roles 
Ensure that quality ownership is known and publicised so that everyone in the lifecycle can understand who is responsible and at what stage in the process it is at. We had documents which we could evidence on this process. 
Keep records of all decisions made in the sign off process so that these can be audited. 

As a digital business we use an online project management system and for a long time our Change Control and Quality Management systems sat external to the project delivery system within a separate process.  There were historical reasons for this being an external process but it did feel disjointed and we continually wrestled with our quality and change processes which often felt forced.  We recently integrated these into the same systems and the process is now much easier where the reporting and real time information is easier to distribute. This has allowed our staff to see where things are and to have a clearer position on the quality of our services and products at any single point. 

ISO Lesson 6: Keep processes and Quality system used to monitor these aligned
If possible, keep the quality system aligned with the processes to ensure that information is easy to obtain and share.   

Because we had a good foundation, the second audit on ISO9001 was a breeze and we passed with flying colours.  Our hard work and diligence over the years put us in good stead here. 

Going Forward 

It is also worth mentioning that although we are now through the certification process you could say the hard work has only just begun. We have set up internal committees for both Quality and Security that are responsible for reviewing and auditing the company going forward.

As a small company we all know things can accelerate at great rates and operationally there are always disruptive events happening. Instilling a culture of Quality and Security we have ensured that staff take these committees seriously and see them as a key component of the company going forward … this helps enormously!

Final Thoughts 

Any company that is looking to work with large organisations and the public sector should look to obtain both ISO27001 and ISO9001. Both standards are often required as a prerequisite for any supplier.

If you are interested in speaking to a compliant developer or need to speak to someone about a project, then please do get in touch. 

Work with us
Want to chat to someone from our team about a project?
Get in touch