Five takeaways from our certification experience for ISO 9001 Quality Management and ISO 27001 Information Security Management
As a specialist IT consultancy, we were recently certified in not just one but two ISO standards – ISO 9001 Quality Management and ISO 27001 Information Security Management. To say we’re proud of the result is an understatement, but that’s not the reason for this post. There are plenty of posts that talk about the importance and value of having ISO certification. What we learnt by going through the process ourselves is more interesting and something we wanted to share as it had some unexpected consequences.
When we first considered this journey, the immediate reaction of the team was fairly predictable - “It’ll slow us down, make us too bureaucratic, turn us into process robots, etc, etc”. There’s no denying it – we were nervous about it, but also determined.
We had set high standards for ourselves to meet throughout our careers and we wanted the same thing for our business and the people who had chosen to work with us. However, we wanted to do something more than just pay lip service to this idea of quality and standards. It shouldn’t just be a line on a website or a brochure; we had to live it day to day and find a way to measure it, to actually prove to ourselves and our customers that it was something we take seriously. As a result, there was really only one path we could follow - the gold standard of ISO.
Looking back on the process now with the benefit of hindsight, it was one of the best company-wide initiatives we’ve ever undertaken – from both a business and cultural perspective – and it’s the impact on the culture of Basis Networks that we probably underestimated at the start.
So, with that in mind, here are the five main takeaways we discovered on the journey.
#1 You don’t need to be big to benefit from ISO certification
Even though we’re not an enterprise organisation, undertaking ISO gave us the opportunity to validate our existing approaches against international standards. By extracting and documenting the processes and methodologies that we were already using through the ISO process, we realised how good our starting position was compared to much larger organisations. We then built in ways to continuously improve these processes, which has had a huge impact in onboarding new team members. Not only can they quickly see and understand the Basis Networks’ way, they have a framework for easily adding their own ideas and experience to what we already have, keeping the continuous improvement cycle going and ensuring they feel like an integral part of the team as early as possible.
#2 It felt more natural than we expected
We are fundamentally a tech company, so working out what processes we used, how we control our data, and identifying ways to improve on them really aligned to our sense of troubleshooting and fixing. We also realised that while it might seem counterintuitive, good processes actually make you more agile and responsive.
#3 The impact on the team was immediate and positive
We were surprised at how quickly the results were felt across the team. We initially expected it to take at least a year before we saw a positive impact, but documenting and automating the processes and controls really made everyone’s jobs easier within months. Having these new insights across the entire business really empowers everyone to be successful in their roles, and the continuous improvement system ensures that every suggestion gets reviewed and actioned. It inspires everyone to really care about how things are done and speak up as they can see how their ideas make a difference.
#4 Even the most critical voices are now ardent supporters
This is related to point #3 above, but the speed and nature of the results we achieved brought everyone together – even the original naysayers. While everyone understood the concept of ISO, seeing how it would be implemented and benefit us was hard to understand at first and sounded a bit onerous. This isn’t to say that working through the process was easy – it was definitely hard and tested us many times – but once we committed, we did have some small early wins. This in turn made it easier to understand the overall impact and see where the benefits would come, keeping morale up and inspiring us to keep working through the process. Doubters became believers!
#5 ISO isn’t a vanity project
I think the most important takeaway is to understand why you are doing it. Understanding the “why” is important in so many areas of business and ISO is no exception. If you’re only doing it because you think it’ll impress your customers, it’s just not sustainable - you’ll run out of steam and you’ll lose the certification quickly.
As we said at the start, we absolutely believed in information security, quality and high standards so going down the ISO path tapped into this fundamental purpose for us. If you can ingrain it in everyone’s roles and align it with your purpose, you will be successful.
So ultimately, while ISO compliance has become a proof point around our dedication to quality and information security, it has also had a very measurable and positive impact on the entire business. From the culture of our team, through to the maturity of our business operations, it is something we value very highly and it has been absolutely worth the investment.