Protecting Your Data by Becoming ISO Certified

At DeltaXML we’ve always tried to be a pioneer in XML change technologies and understanding. The key to this is providing customers with reliable, safe software that shouldn’t need second-guessing. Our new evaluation customer experience allows you to register and download software in an instant, but how do you know your account is secure and the download safe? DeltaXML’s enterprise solutions support organisations across the globe working in highly regulated industries where they must show they operate to the highest standards. These standards are often internationally recognised, such as those set out by the International Standards Organisation (ISO). There are many standards, some specific to industries; however, two are important to DeltaXML and our customers: ISO/IEC 27001 (Information security management) and ISO 9001 (Quality management).

We sat down with those closest to our operations procedures to truly understand what it means to maintain our ISO certifications.

Fun fact: ISO is actually a customer of DeltaXML and our comparison software is used to show people what has changed when a standard is updated.


Interview of DeltaXML team members: Pete Anderson, Senior Systems Administrator, Tristan Mitchell, Product Director and Mark Thomas, Managing Director on the ISO Certification Procedure (20/01/23)


Q. Hi all, let’s start with one of the easiest questions to answer. Why did we [DeltaXML] decide to get ISO certified?

Pete: When you apply for a job, a potential employer will usually look for evidence of appropriate academia, or training. Normally, this is referenced in a CV. If a potential customer is looking to do business with another, a similar validation process happens. So, we publish our corporate CV, showing we have ISO certifications – this is why we get certified – put simply, it gives customers confidence in us as a business.

Tristan: We have started to release SaaS products and wanted to show that we take security seriously, so it made sense to implement ISO 27001. At the same time, we looked at ISO 9001 because we wanted to build a process of continuous improvement into the business with the aim of providing the best quality products and customer support that we can. Both of these standards fitted with where we wanted to take the business at the time.

Q. What ISO certifications did we apply for and what do these certifications prove?

Tristan: ISO 9001 and ISO 27001. [With] ISO 9001, the aim here is to focus on quality both internally in the way that we build our products and look after our teams and externally in the way that we provide support to our customers.

ISO 27001. This standard focuses on information security and is important to us for a number of reasons. Firstly, we wanted to show that we take [the] security of customer data seriously. Secondly, as information is so important, implementing this standard improves the robustness of our business continuity plan, ensuring that we always have access to the data that we need.

Pete: [We’re certified for] ISO 9001:2015 [Quality management systems] and ISO 27001:2013 – Information Security. It’s almost impossible and would be irresponsible nowadays to avoid the responsibilities surrounding Information Security. Based around a set of ‘Controls’, the objective of the ISO27001 certification is to show that we at DeltaXML are taking all areas of security seriously – from who has the keys to the office and gets to open up on the cold frosty mornings, to the continuity and integrity of computer systems.

Q. How long does it take to get ISO certified?

Pete: The assessment itself takes a day, the certification process itself is never-ending. There’s always room to improve a process, or tighten up on security somehow.

Tristan: After an initial assessment found that we were in pretty good shape already, we were left with a number of recommendations to implement. It took us a few months to get from there to our first certificate, but that doesn’t mean the work is done! As continuous improvement is baked into the standard, there is always more to be done, monitoring our processes and tweaking them where necessary. We’re always on the lookout to make changes to the way we do things so that we are working to our best abilities.

Q. What was involved in getting these ISO certifications?

Tristan: Lots of documentation! The biggest task was in getting everything organised into a ‘management system’. That’s one of the benefits of implementing 9001 in particular – it’s now much easier to find what you’re looking for because all of our processes are documented in one place.

There’s also a need to keep reviewing how things are going, which is actually really useful. It’s key to the improvement aspect of everything that we do.

Pete: Processes and controls! Behind each certification is a raft of documentation in the form of processes and controls. Many (almost all!) aspects of how DeltaXML functions can be found amongst this documentation somewhere. It’s a living document store, so is constantly under review and being added to. The certifications are most certainly not a fit-and-forget item.

Q. What takeaways did we learn when preparing for our [DeltaXML’s] certifications?

Pete: Someone has already coined a phrase for this one… “Failing to prepare is preparing to fail.” Without routine checks on processes, it’s easy to lose control. We, at DeltaXML, have learned that regular check-ups make everything run a lot smoother, both for re-certification and the internal running of the business.

Tristan: It was actually really good to realise that we were already in pretty good shape. But that doesn’t mean we should rest on our laurels. There’s always room to make things even better.

Q. Do these certifications expire? And if so, what do we need to do to keep them active / maintained?

Mark: Certifications are renewed annually after a thorough audit by an independent credited third party authorised by ISO to review and approve the current implementation at an organisation. Our auditors ISO Quality Services Ltd carry out a 1 day review twice yearly to ensure we are continually using, monitoring and reporting on the systems we have designed for our business to ensure compliance with the appropriate standards. If we continue to meet the stringent criteria across the organisation, we are accredited by the auditor for another year.

Pete: Certifications are renewed annually. We have monthly meetings to keep up to date with the beats we need to hit to ensure that the assessments are relatively painless.

Tristan: What they said!

Q. Do we have a dedicated team to make sure these ISO conditions are met?

Pete: From a process/control compliance perspective, yes, we do. However, it is encouraged that anyone in the business can suggest, create, or modify processes. Many hands make light work!

Tristan: Quality and Security are everyone’s responsibility and it’s important to get buy-in across the board. But there is also a small team who meet regularly to review the status of both systems and make sure we’re continuing to meet the expectations of the standards.

Mark: ISO is at the core of DeltaXML and we discuss any non-conformists or security incidents at the weekly senior management team meeting to ensure we capture and address any issues across the whole business. Further, a subcommittee of the senior management team oversees the ISO implementation throughout the business and, at regular monthly meetings, audits existing processes, reviews non-conformities or security issues and also discusses areas of improvement.

Q. How have we improved our processes since getting certified?

Mark: DeltaXML has, over its 20 year history, had a culture of continual development, innovation and improvement, so formalising our working practice to meet the ISO standards was an interesting and useful experience. In undertaking the initial accreditation, and the subsequent continuous use of ISO, we have found the process a useful tool to focus our attention on how we can improve the business.

Pete: Since getting certified, we have fine-tuned our internal auditing processes to make them easier to perform, and easier to report. In turn, these internal audits can lead to improvements of processes – this entire process is a direct result of the requirements set by the ISO certifications.

Q. Any last thoughts on getting ISO certified?

Tristan: If you’re thinking about going for certification, I would definitely recommend it. One worry I had beforehand was that there would be a lot of irrelevant paperwork, but in reality, everything has its place and is useful for improving our business. We may not have put some of the processes in place had we not been certified, but it has certainly been beneficial to do so.

Pete: You wouldn’t expect to get a job you weren’t certified for, so how can you expect to do business without showing ‘credentials’?




DeltaXML is a better organisation for being ISO accredited and our customers can take assurance from our continued certification. We would encourage any organisation to look at ISO and the improvements and benefits it can bring to your organisation and your customers. And as always, if you’re struggling to find significant differences between XML files, you can register for your MyDelta account securely on our evaluation system and safely download our software for your free 14-day trial. Change matters, and so does your security.
