It’s coming up to 6 months (in August) since we achieved ISO27001 certification so I thought it would be a good time to share my thoughts about how it has changed our business.
When we embarked on the path to certification over 18 months ago, the initial excitement was soon replaced with a fear at just how much work we (and by that I mean me) had to do to bring our company into line with the standard. Having attended the internal auditor’s course early on in the process, it was clear that, whilst we were a very process-driven organisation, we would need to make some fairly drastic changes in order to stand a chance of obtaining the certification.
It was at this time that our new MD (Jamie Thomson) joined Red Tie and, although many people say you should never work with family or friends, the timing couldn’t have been better as Jamie brought with him a raft of process-focused changes. Working through all the aspects of our business using the ISO27001 standard as a template was both extremely challenging and exciting. Keeping it in the family did have its merits as broader changes were quickly put into action. This exemplifies one of the key strengths of Red Tie: we are very quick to adapt.
Fast forward 18 months and literally hundreds of pages of documented procedures and processes and we achieved the goal we had set ourselves – we achieved ISO27001 certification. I don’t envy the management board as all these new changes had to be signed off at board level which meant many hours of additional discussions before presenting the details to all RedTie employees. You can see that even though I was the driver for this, it encapsulated all employees across the organisation.
I imagine the biggest question most people will have is the same one I had when we investigated what it would involve to become certified – why do it? There are a multitude of reasons why a Web to Print company would aim for certification to an ISO standard, which include:
For Red Tie, the reasoning behind our decision to go for the certification may have begun with a financial incentive (in our arena of cloud-based software, or Software as a Service, information security is a key question in the sales process), but by the time we had completed the journey you could pick any of the reasons listed above.
So what has changed at RedTie? If you asked any of our older customers who have grown with us, I would think they will definitely agree with our operation being much “tighter”. We have a firm grip on all of our information across the entire business, from e-mails to our CRM and from reporting of bugs across to the release of new features. Some of the changes are small (we already tracked all issues reported to us via our support system), but some changes have been much bigger, for example a customer asking for a new feature will now receive a detailed, signed, specification document.
Taken at face value some things may look over-bureaucratic – for example, when asked for details on our hardware environment we can only share top-level information. Anything over and above this has not been authorised by our processes or management review board and therefore is usually responded to with a polite note explaining that this is the case. I personally welcome this and would be much more concerned about a company that freely shares critical information over one that doesn’t... wouldn’t you?
The journey isn’t finished, of course; no organisation should be content with simply achieving the certification. In fact, the standard itself is all about continual improvement and learning from the results that are recorded. What is good for me, however, is that it is now more manageable in terms of my time... I can get back to doing my day job!
There are plenty of other standards available in the ISO world, and we may consider others in the future. A decision here will only be made if it benefits all of our customers, something I feel the ISO27001 certification definitely does.
As a final note, it is important to recognise that we did things the right way. Is there a wrong way? Maybe not wrong, but definitely not as good. You can work with companies who can get you “certified” in a matter of weeks. These are not accredited by UKAS (United Kingdom Accreditation Service), which is the only national accreditation service recognised by the British government. There are plenty of stories on the Internet about certification bodies being accredited by their own companies based in faraway places such as Dubai. I know which one I would prefer if I were choosing a supplier, so much so that in fact we did exactly that and used BSi as our choice of certification body.
If you have any questions regarding the ISO standard or how it will affect you, feel free to drop me an e-mail (email@example.com) – I have become a bit of an expert on all things ISO27001!