In line with our constant drive to improve, we're on the path to ISO 9001 and 27001 certification.
As a lean, agile, and bureaucracy-free outfit, we had been quite content self-managing our methods and processes, without being held back by the weight of outdated and bloated standards; we left all that back in the 1990s, surely? Then, while we were working with a large government body to migrate away from a traditional dedicated-datacentre setup to a bleeding-edge container-based setup, an audit was commissioned to satisfy their own internal security department, because we lacked certification to prove our competence in this area.
What came out of that two-day invasive poke around every dark corner of our work by two very serious chaps was a pat on the back and a thumbs up: we were in fact pretty much ISO compliant, with one or two gaps, and some documentation. Gold stars were awarded for business continuity in the event of a disaster (it's true: our office could be wiped from the face of the planet and we could still provide 100% of our service 100% of the time), and also for control and governance around access to our clients' systems, thanks to our slightly paranoid yet very clever infrastructure team.
Out of this initial audit came some actions, and we were able to make some quick changes during the lifespan of the migration project, but to become certified we realised we needed help. On recommendation, we hired James Parson, Director and Senior Consultant at Profile Consulting:
"Profile Consulting was invited to do a Gap Analysis of current system arrangements at Ixis against the requirements of the international management standards ISO 9001: 2015 and ISO 27001: 2013. At this stage Ixis have good internal systems but these were not defined and they also have clever people doing clever things around Drupal but in a way that lacked an externally obvious structure. ISO 9001 and 27001 provide this management framework within which Ixis can show the good things it is doing, so that they will be more visible to the outside commercial world and auditable against consistent good management practices. The Action Plan within the Gap Analysis provides a plan to train all Company staff, define in process flows the core procedures, record activities in a Policy Manual, implement these new arrangements and audit the revised processes to confirm they are working appropriately. Ixis has shown a willingness to embrace these different methods of working while retaining what it does best. The Company is on target to comfortably achieve external UKAS accredited certification in the autumn of 2016."
There is quite a bit of questioning and documenting of everything we do, which is a useful exercise for any organisation, and we're already streamlining and adding governance as we go. Not quite the headache we first thought, this ISO certification.