Plaudits for audits

Andy Theyers, Founder

In our murky, fake news, smoke and mirrors kind of world, rigorous professional standards feel more welcome than ever. But achieving – and keeping – them can feel like hacking through a jungle of bureaucracy.

Isotoma’s Service Delivery Manager Sarah Weller and Project Director Richard Newton know the territory. As they’ve just clocked up a whopping 75 positive observations in our latest International Organization for Standardization (ISO) 27001 audit, we asked them to share their top tips on how to navigate your way to success.

More about the standards

The International Organisation for Standardisation (ISO) needs very little introduction. One of the oldest non-governmental, international organisations, ISO has been benchmarking quality since 1946.

At Isotoma, we hold ISO 27001 and ISO 9001, and if you’re not familiar with what they cover, here’s a summary:

ISO 27001 is all about information security, cybersecurity and privacy protection for information security management systems. With new cyber-crime threats emerging constantly, this standard helps organisations to proactively identify and address weaknesses.

ISO 9001 deals with managing quality, specifically establishing, implementing, maintaining and continually improving a quality management system. It enables customers to be confident that your organisation has robust quality control processes in place, helps businesses to streamline operations and offers guidelines for resolving customer complaints.

Why bother?

The ISO standards are important to us, as Richard explains.

“Very broadly, it's about you being a responsible custodian of your own and other people's data, and meeting a high-quality industry standard. It's an indication that you're good people to work with because you meet these external standards.”

Both these standards support our processes. ISO 27001 also indicates competence towards some of our other accreditations, such as Cyber Essentials Plus, the UK government-backed cyber security certification, and the NHS Data Security and Protection Toolkit, which is essential for all organisations that have access to NHS patient data and systems.

“You're demonstrating that you're an organisation that takes these things seriously and, of course, there are certain pieces of work that you can't even bid for if you don't meet those standards,” adds Richard.

“But it’s more than that. We've all seen the horror stories in the media about what happens when handling other people's data goes wrong. It's valuable business insurance to make sure that you're continually operating to a high standard.”

How does it work?

The first time you apply for the standards, expect to spend a lot of time refining and mapping processes and evidence against the detail outlined.

But even then, it’s not a ‘one and done’ achievement. You’ll be audited annually, to check you continue to uphold the standards, and to measure your performance against updated criteria.

So how do Sarah and Richard make sure that annual audit goes as smoothly as possible? Here are their top five tips.

1. Live the standards

“You need to genuinely embed the standards in your day-to-day working, so that everything you do contributes towards providing evidence,” explains Sarah. “Then all you've got to do is collate the good evidence that's already there.”

As Richard adds, working to – and even exceeding – the standards should come naturally: “It matters to our customers and it matters to us to deliver quality work and look after people's data well.”

2. Invest in an internal auditor

At Isotoma, we hire a consultant internal auditor to work with us throughout the year. This practice is particularly helpful when you’re working towards the standard for the first time, gathering evidence and developing your understanding of what’s expected – but even now, we wouldn’t be without her.

“Our internal auditor is invaluable,” says Sarah. “She has detailed knowledge of the audit process, plus any changes that are coming up, as well as how to embed those changes.

“It’s incredibly helpful to have someone to track that you're covering the correct clauses and that you've got everything covered off by the time you reach that audit.”

3. Chunk it down

The chunking down process comes hand in hand with the internal auditor, as Sarah explains: “Every month, she asks for evidence for certain controls for both 27001 and 9001. That way, she tracks to make sure that when we arrive at the audit, we've already got everything prepared for each of the relevant areas.”

As well as the monthly evidence, she sits down every quarter with Sarah, Richard and Isotoma founder and CTO Doug Winter.

“We go through the agenda and discuss management across both the ISO accreditations,” Sarah says. “The monthly evidence and the quarterly minutes from those meetings are central to our audit process.

“It stops the audit from becoming a big horrible thing every year because you're chipping away as you go, making sure you get through the work.”

4. Be on the front foot

No accreditation is static and ISO standards are no exception. For example, 27001 was updated this year, adding a section of new controls. So, how did the team cope with the change?

“We documented what we did for those new controls and then we paid for a consultancy session before our audit,” explains Sarah. “A consultant from the auditor organisation came in and reviewed our evidence. This meant we could be sure we'd done what we needed – and if not, we had time to put it right.

“We were confident but when it’s something you’ve never been audited on before, you want that reassurance that you’ve correctly interpreted what the wording means in practice.”

5. Make the auditor’s job easier for them

Without question, there’s a lot of preparation for an audit, even with our monthly and quarterly processes.

Although audits used to be carried out in person, they’re now usually done via Teams, a legacy of the Covid-19 pandemic.

“You can either prepare the evidence and send it to the auditor in advance, or go through it on the call,” says Richard. “We prefer to prepare ours in advance because it means they can review it ahead of time. Then they simply check in with additional questions, and it’s easy for us to refer to our notes and answer them.

“Really, sending it in advance makes their job easier for them. You're demonstrating how well you're doing things and how confident you are that you're doing a good job. We aim to gather three pieces of evidence for each relevant section.”

Our focus on thinking like an auditor has certainly paid off.

“This year the auditor was very positive from the beginning,” says Sarah. “The person who'd checked our new documentation in the consultancy session had reported that he was really impressed with what we'd put together. And that was a great start.”

What happens in the meeting?

By submitting paperwork in advance, audit day becomes an opportunity for auditors to review, ask questions, request additional evidence and delve into any technical or contextual issues.

“It means we don’t have to sit on a full-day Teams call, going through everything,” explains Sarah. “Instead there are check-in calls throughout the day, where we might be asked for extra evidence.”

Scoring a great report

The report usually arrives just a few days after the audit itself. Auditors can note points of varying severity, including major non-conformances, minor non-conformances, observations, and opportunities for improvement, each with a different timescale for fixing any negatives. Although the process is designed to unearth failures to meet the standards, the auditor is also looking for areas for improvement, to ensure the best possible service for customers.

“Clearly our goal, whenever we are audited, is to have zero non-conformances – and that's generally what we achieve,” says Richard. “On the flip side of that, the auditors can add positive comments. And the thing that was rather flabbergasting about this particular auditor, this year, is that in our 27001 report he added 75 positive observations.

“He told us he’d never noted as many positives before. By comparison, in our 9001 report, we got eight positive observations, which is more where you'd expect it to be.”

Modesty aside, Sarah, Richard and the whole Isotoma team were very proud to have achieved such outstanding results and it’s proof that the ISO audit process is more than just an annual check-up. By committing to quality, security, and continuous improvement, and by integrating the standards into everything we do, we know we’ll have plenty of evidence for audit.

And by gathering that evidence through our monthly and quarterly processes, we’re able to view audits less as a burden and more as a reflection of our dedication to excellence.

If you’d like us to apply these high standards to your own project, get in touch.
