“Our journey to ISO 9001 and ISO 27001 certification has been a major milestone. It’s a testament to our dedication to doing things right here at TMT and continuously looking to improve and evolve. As we move forward, we’re just as committed to maintaining these high standards and delivering the best for our customers and partners” – Nigel Coulson, Information Security Manager, TMT ID.
Getting ISO 9001 and ISO 27001 certification has been something of a long-held ambition for us here at TMT.
These certifications aren’t just window dressing; they show we’re serious about security and about keeping all the data we process safe and secure.
As a business we rely on large-scale data sets both inside and outside of our core network, so it is business-critical for us to maintain the highest standards for our data handling and information security.
We are also a business whose client base expect the highest levels of data security and quality of service. We knew we already had robust and effective controls and processes in place, but we needed to be able to challenge this assumption and to demonstrate the effectiveness of these controls.
We started our journey with Cyber Essentials and IASME certifications but knew that ISO 9001 and ISO 27001 certifications were the goal.
The ISO Standards set the bar for quality management and information security, and we wanted to prove we could meet those very high standards. Plus, we wanted to really show our customers and partners that we’re dedicated to doing things right and protecting their data.
The ISO 9001 standard is all about having a solid Quality Management System (QMS): a management system that helps us meet our customers' needs and adhere to regulations and best practice whilst always looking to improve. ISO 27001 focuses on Information Security Management Systems (ISMS), making sure we keep all the data that we hold or process safe from any threats.
Our first action was a detailed gap analysis exercise. We needed to see how we measured up against these standards. Armed with this, we put together an ‘Information Security Management System’ team from across the business (Security, IT, Operations, HR, Legal and our CTO) to lead the charge.
We set ourselves clear, achievable quality goals that matched our business aims. We mapped out all our key processes, looking for ways to streamline them and cut out any inefficiencies, and making sure that processes joined up effectively across departments’ documentation. We put together detailed policies, procedures, and work instructions to ensure everything was done consistently and reliably. We ensured our customer satisfaction and customer feedback measures were effective and that, where lessons needed to be learned, we tracked and implemented them.
We also took a good hard look at all the possible risks to our information, figuring out how likely and how severe they were, and implemented corrective or mitigation measures to tackle them, including improved access control, improved data encryption, integrity checks on backups, and incident management exercises.
We then created clear policies for how to handle information security, from data protection to dealing with incidents, educating our people about best practices in information security, and making sure everyone knew how to keep our data safe. We set in place regular exercises to test the effectiveness of our training.
With these policies, processes and systems now in place, we had to keep checking and improving them. We achieved this through regular internal audits, supported by our Security Operations Centre partner, who are themselves ISO-certified auditors. Together we audited our systems to find any issues and figure out ways to improve. Throughout, we held management reviews to keep those who lead our business informed, and their input helped us stay on track and keep improving. Whenever we found problems, and I am pleased to report we didn’t find many, we fixed them quickly and made sure they wouldn’t happen again.
After all of this, the final hurdle was the certification audits, conducted by an external body. We had taken the decision to put all our activities in scope for ISO and consequently, our audits took place over a number of weeks and with multiple auditors. They went through our systems with a fine-tooth comb, checking everything against the ISO standards. We are delighted to have completed our final Stage 2 audit with zero non-compliance findings. Passing this audit was a huge and important moment for us, the culmination of a lot of hard work and effort from the entire team here at TMT. All our hard work had paid off!
Getting the ISO 9001 and ISO 27001 certifications is a big deal for TMT. It shows we’re committed to delivering top-quality services and keeping our data secure. We firmly believe that these certifications will help build confidence with customers and partners alike, with the knowledge that the controls and processes we have in place to manage their data have been scrutinised by a team of professional auditors and found to be good and effective. Fully aligning our processes to ISO will help us run more efficiently, manage any risks better, and foster a culture of continuous improvement for our quality and security.
Our journey to ISO 9001 and ISO 27001 certification has been a major milestone. It’s a testament to our dedication to doing things right here at TMT and continuously looking to improve and evolve. As we move forward, we’re just as committed to maintaining these high standards and delivering the best for our customers and partners.
Last updated on September 18, 2024