How we successfully passed ISO 27001 audit
“Why on earth would you choose to go through that?” is more than likely what springs to mind for many of you. Well, a growing company continuously needs to improve its structure and focus; you always need to ensure that your organisation understands and follows healthy common practice. For us, a certification was one way to drive structural improvements based on an established framework.
In a world with increasing penalties for GDPR violations, we also have to comply ever more closely with business, legal, contractual and regulatory requirements. By going through certification, we further reduce the possibility of losses associated with data breaches. Having addressed such issues in a structured manner may ultimately even help protect and enhance our reputation.
Sharpening our processes may also improve our competitive edge. By establishing stable, documented structures in a known framework related to IT-Security, we have established (for others to see) that, as an organisation, we can work strategically with improvements. Hopefully, this translates to more exciting projects, better skills and improved job-security for all of us.
Our journey to taking ISO seriously
In early 2019 we decided that we needed to revisit our IT Security framework. The motivation was simple: we wanted to further strengthen the way we develop solutions for Dynamics 365. In a changing world, we wanted to assure our international customers that we continue to follow the strictest IT-Security guidelines and provide robust frameworks around GDPR.
In hindsight, our timing could not have been better. By the time the COVID-19 virus hit a year later and lockdowns were enforced, our infrastructure had been revamped and fine-tuned. Our policies and procedures were rewritten (in some cases written for the first time) – and we were starting to prepare for our internal ISO audit.
We would have preferred different circumstances, but having systems challenged, checked and validated by everybody having to work from home one day to the next is a pretty severe test – our systems and organisation passed with flying colours. Last week we took it up a notch by becoming ISO 27001 certified.
But actually, how much work is it?
It is a lot of work – that much is clear. We may have made things easier for ourselves by establishing this as a strategic initiative from day one, with highly structured people internally and externally dedicated to the task at hand. Sure, modifying structure, routines and policies seemed like a lot of extra work to deliver the same result we always do – and, to be fair, some team members initially felt precisely that way. But the benefits became more evident as we soldiered on.
“There was never really any doubt that we were doing it, only how we were going to proceed, which meant that everybody in the organisation became involved – the acceptance of many and the effort of a few combined with a clear purpose.”
– Nicolai Krarup, COO at Global Mediator
We avoided a lot of discussions. There was never really any doubt that we were doing it, only how we were going to proceed, which meant that everybody in the organisation became involved – the acceptance of many and the effort of a few combined with a clear purpose. We could do it with great results because the organisation did it together.
All in all, it took less than 16 months from the start to successfully passing our ISO 27001 audit and receiving our certification. This is an outstanding achievement for a growing organisation of our size, as it is close to what is theoretically possible.
A process of continuous improvement
Many of our customers are considerably larger than us, and we believe that the best way to attract their business is to be outstanding at what we do. We also acknowledge that staying good at what we do is a moving target and that setting high goals for ourselves carries its own rewards.
It is essential to realise that certification is only the start of a process – next year, and the year after, certain areas will be audited again. Three years from now we will have to recertify. What may be a bigger surprise is that we have already identified more than 20 improvements we can make over the next year alone.
We are in the middle of a significant transformation as we grow. While implementing IT security, we have also strengthened QA, HR, marketing and finance. Even more challenging, we are launching our own first three software products under the Meta UI brand; this has added new knowledge and revenue to what was a pure service engineering organisation a year ago.
“It is strange that by pushing for severe changes and improvements during a period of high uncertainty like a pandemic, we have built a better, scalable, stable and secure organisation.”
– Nicolai Krarup, COO at Global Mediator
Having incredible customers helps. Nothing was possible without them. But it is strange that by pushing for severe changes and improvements during a period of high uncertainty like a pandemic, we have built a better, scalable, stable and secure organisation. What a year this is turning out to be.