Achieving ISO accreditation is a long, complicated process that taxes any size of company. So how did our start-up team navigate such a challenge and end up becoming more aware, informed and secure as a result?
It was late 2020 when the email from our CEO landed in my inbox. “We’ll be pursuing ISO accreditation in 2021”. So I did what any self-respecting CTO would do and googled “Benefits of ISO certification”. I wanted to hear from people who had gone through the process and there was no shortage of opinions…
“…don’t do it until you have customer deals contingent on them…”
“27001 is more common with gigantic companies than with start-ups…”
“…a real risk with rushing certification is that it can warp your security engineering and business processes.”
“It’s a racket essentially, they make up a certification and sell it to people buying software.”
“Half of the companies I’ve worked for required an ISO 2700x audit in order to do business with larger b2b customers.”
“You’re going to need to show a lengthy paper trail of policies and documented compliance”
“…be warned, this does place an ongoing admin burden on your company that you wouldn’t otherwise have. Documenting and evidencing actions that wouldn’t necessarily need it before, as well as conducting your own internal audits to ensure you’re still doing the things you said you’d do. So I would not recommend getting it until you’re forced to by a client.”
Getting ISO certification is supposed to prove, through a rigorous and independent audit, that your services and processes are world-class in quality, security and efficiency. However, it appeared that many companies pursued ISO certification simply to satisfy prospective customers. This seemed backwards. Surely the goal is to build a world-class company, with winning new business being the by-product of this?
I asked Jamie, our CEO, what his motivations were and he was clear.
“If we’re accrediting others in ESG, then we need to hold ourselves to the highest standards and ensure our own processes and procedures are suitable and have been independently validated.”
So, this would not be a box ticking exercise for Digbee. This would be an opportunity to strengthen our foundations and design all functions of the business to support and enhance our quality, security, team, customers and long term growth. We needed to approach this with the right attitude.
Fast forward 18 months and we’re now fully certified to two ISO standards – ISO 9001 (Quality management) and ISO 27001 (Information security management). Our auditor was tough. He was meticulous like a forensic detective and impossible to read. It therefore felt deserved when he told us that he’d be recommending us for certification. Two things he said really stuck with me. First, we’d attained one of the highest ratings that he’d ever awarded and secondly, he commended us for our transparency and for doing the audit ourselves – we were unaware that it’s quite common for external ISO consultants to represent and speak on behalf of the company during audits. By personally representing our company in the audit, we benefited from becoming intimately familiar with every aspect of the ISO standards as well as discovering our strengths and weaknesses first hand.
I want to pull back the curtain just a bit and offer a glimpse of how we prepared for ISO certification and a few of our inner workings that were developed or enhanced as a result of the ISO certification process.
Step 1. We assembled the project team
We wanted to be able to make decisions quickly, so we assembled a light, 3-person team comprising Jason (Head of Operations), Jamie (CEO) and myself (CTO) with Jason leading the project. With help from an external ISO consultancy, Jason was able to quickly understand what ISO standards entailed, why these ‘controls’ existed and then imparted that knowledge to the rest of the team.
Step 2. We established ground rules
Before running headlong into the process and changing the way we worked, we needed some ground rules:
- We had always been a fast and nimble team. Any new processes or documentation requirements could not be an unnecessary burden and, as far as reasonably possible, had to feel effortless.
- We had to interrogate each ISO control, fully understand it and decide whether there was a net benefit in implementing it (spoiler alert – turns out they have been well considered and there is a benefit in all of them).
- We had always been a remote team, so we had to ensure that any new tools were warranted and would continue to support our remote structure.
- We had to bring the team along – ensuring there was buy-in, feedback and any new processes would be “owned”.
Step 3. We implemented the right tools
We knew documentation was going to play a big role in the ISO process. We would need to be documenting, logging, storing and reviewing things like policies, processes, risks, incidents, assets, access controls, meetings, training, onboarding, offboarding, QA, requirements, technical specifications and more. Fortunately, we were ahead of the curve here – as a remote team, good documentation was already embedded into the fabric of Digbee and we had established a solid suite of tools that made communicating, collaborating and documenting simple.
Step 4. We developed effective processes
This is where ISO really forced us to up our game. We had countless conversations with our ISO consultants along the lines of…
Consultant: Do you generate and keep server logs?
Us: Yes, of course
Consultant: Are you backing up those logs?
Us: Yes, of course
Consultant: Is it write-only logging to a 3rd party logging provider?
Us: Nope, it’s writing to an internal server that the dev team can access
Consultant: So what happens if, hypothetically, a bad internal actor, hides their activity by removing those logs?
Us: Good point – we’ll address that
Consultant: Do you review the logs?
Us: Yes, usually when we need to debug something or we’ve been alerted to something
Consultant: You need to be proactively monitoring your logs and know what sorts of things you’re looking for
Us: Agreed, we’ll implement a process for this
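The two points the consultant raised map onto two small pieces of code: a log sink that nobody on the dev team can quietly edit, and a review that knows what it is looking for. The block below is an added illustration and is not Digbee’s tooling or anything the consultants prescribed. The `AppendOnlyLog` class stands in for a third-party provider (the records and the provider key are constructed for the example); each record carries an HMAC over its own body and the previous record’s HMAC, so removing or altering a record leaves a gap that `verify_chain` reports. `review_events` is a minimal proactive check over the shipped records, with rules and thresholds chosen here purely for illustration.

```python
import hashlib
import hmac
import json
from collections import Counter

GENESIS = "0" * 64


class AppendOnlyLog:
    """Stand-in for a third-party, append-only log sink (constructed for this
    example). Callers can only append; each record's HMAC covers the previous
    record's HMAC, so removing or editing a record breaks the chain."""

    def __init__(self, provider_key: bytes):
        # Hypothetical key held by the log provider, not by the dev team.
        self._key = provider_key
        self._records = []

    def append(self, event: dict) -> str:
        prev = self._records[-1]["mac"] if self._records else GENESIS
        body = json.dumps(event, sort_keys=True)
        mac = hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()
        self._records.append({"seq": len(self._records), "event": body, "mac": mac})
        return mac

    def export(self) -> list:
        # Hands out copies: a reader of the export cannot alter what is stored.
        return [dict(r) for r in self._records]


def verify_chain(records: list, provider_key: bytes) -> tuple:
    """Recompute the chain over an exported log. Returns (True, -1) if intact,
    or (False, i) where i is the first record that does not follow from its
    predecessor, i.e. the point at which something was deleted or altered."""
    prev = GENESIS
    for i, r in enumerate(records):
        expected = hmac.new(provider_key, (prev + r["event"]).encode(), hashlib.sha256).hexdigest()
        if r["seq"] != i or not hmac.compare_digest(expected, r["mac"]):
            return False, i
        prev = r["mac"]
    return True, -1


def review_events(records: list) -> list:
    """Proactive review: the 'know what you are looking for' part. Returns a
    list of alert strings. Rules and thresholds are constructed for the example."""
    events = [json.loads(r["event"]) for r in records]
    alerts = []
    failed_by_ip = Counter(e["src"] for e in events if e["action"] == "login_failed")
    for ip, n in failed_by_ip.items():
        if n >= 3:
            alerts.append(f"{n} failed logins from {ip}")
    for e in events:
        if e["action"] in ("role_changed", "log_retention_changed"):
            alerts.append(f"privileged change by {e['user']}: {e['action']}")
    return alerts


# Constructed sample events, shipped by the application as they happen.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T09:00:01Z", "user": "alice", "src": "10.0.0.5", "action": "login_ok"},
    {"ts": "2022-03-01T09:02:10Z", "user": "bob", "src": "203.0.113.9", "action": "login_failed"},
    {"ts": "2022-03-01T09:02:14Z", "user": "bob", "src": "203.0.113.9", "action": "login_failed"},
    {"ts": "2022-03-01T09:02:19Z", "user": "bob", "src": "203.0.113.9", "action": "login_failed"},
    {"ts": "2022-03-01T09:10:00Z", "user": "dev1", "src": "10.0.0.7", "action": "role_changed"},
    {"ts": "2022-03-01T09:11:30Z", "user": "alice", "src": "10.0.0.5", "action": "report_exported"},
]
PROVIDER_KEY = b"example-provider-key"  # constructed; a real provider keeps its own


def build_log(events=SAMPLE_EVENTS, key=PROVIDER_KEY) -> list:
    sink = AppendOnlyLog(key)
    for e in events:
        sink.append(e)
    return sink.export()


def insider_deletes(records: list, seq: int) -> list:
    """Model the consultant's scenario: the record at `seq` is dropped from a
    copy the dev team could reach (e.g. an internal server) before review."""
    return [r for r in records if r["seq"] != seq]


if __name__ == "__main__":
    intact = build_log()
    print(verify_chain(intact, PROVIDER_KEY))        # (True, -1)
    print(review_events(intact))
    tampered = insider_deletes(intact, 4)            # hide the role change
    print(verify_chain(tampered, PROVIDER_KEY))      # (False, 4)
```

Two caveats a practitioner would want. Renumbering the surviving records does not help the insider, because the HMAC of each record commits to the previous record’s HMAC, not to its sequence number. Deleting only the tail of the log, however, leaves a chain that still verifies; catching truncation needs a trusted statement of the latest head or record count from the provider, which is exactly why the sink has to sit somewhere the team cannot write to or delete from.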
This is just one example among hundreds of things we looked at in granular detail over 12 months. We were tasked with imagining all kinds of risks and worst case scenarios across the business. We had to plan and document exactly what we’d do in each of those scenarios so that business continuity would not be impacted. Prior to ISO, we would likely have reacted to whatever situation arose and tried to figure out the best course of action on-the-fly. Now we feel a lot more confident in our ability to respond to problems, knowing that the risk has been significantly mitigated. Not only this, but thanks to ISO, we have to regularly simulate these scenarios to see whether our processes hold up. These simulations have proven invaluable as they’ve uncovered flaws in strategies that looked strong on paper. This allows us to continually adjust and improve – which brings us to one of ISO’s main tenets…
Step 5. Continuous improvement
Funnily enough, ‘continuous improvement’ was one of our founding principles. We can always do better, we can always improve, we’re open about our mistakes and weaknesses, and we learn from them. With ISO, we have now formalised this process and systematically log, assess and act on any issues, risks or areas of weakness. Everyone at Digbee is able to log and view incidents. We log incidents at all levels of severity – from a minor formatting issue in a report through to a more severe server crash. Each incident is investigated, root cause identified, remedial actions documented and internal processes reviewed to minimise chances of recurrence.
I believe we were successful in ISO because we approached it with the right mindset. That is, we genuinely wanted to improve Digbee – we didn’t see ISO as a means to win clients, we saw the net benefits of ISO’s documentation requirements and our team were fully engaged with the process. Credit for this has to go to the way our Head of Operations executed, the tools we chose and the way we implemented the various ISO controls – that I suppose is the secret sauce. After an intense 12 month process, we’ve emerged a more aware, informed, secure, confident and proactive company.
I was able to see many parallels between ISO and our own Digbee ESG certification. Just as ISO can help companies win new clients, a focus on ESG can open the doors to investment opportunities for mining companies. My hope is that mining companies approach Digbee ESG with the mindset of real improvement. After all, Digbee ESG is an incredibly valuable blueprint for miners to get their ESG in order and, as with ISO, continually improve over time. It follows that, just as a world class company should attract customers, doors to capital should naturally open where good ESG practices are adopted and embraced, not to mention the myriad of other consequential benefits.