No regrets: Why we earned two new ISO standards the hard way
On the 10th March 2020, champagne bottles popped, and cheers resounded here at 51Degrees HQ. And with good reason. This was the day that we became the first commercial open source company in the device detection game to achieve a duo of ISO standards for quality and information security management.
Now that the dust has settled and the influence of said beverages has safely subsided, we quizzed Liz Hartney, Product Manager, ISO project lead, and general legend here at 51Degrees, to give you the inside story.
For the uninitiated, what actually is this “ISO” thing?
“ISO stands for the International Organization of Standardization. It creates internationally-recognized, independently-assessed standards adopted by all sorts of organizations – from corporates, to charities, to government bodies – all around the world.”
“We’ve now achieved certification for two specific standards – the ISO 9001 standard for quality management and the ISO/IEC 27001 standard for information security management – recognizing that we meet industry best practice in these areas.”
Why did these ISO standards make sense for 51Degrees?
“We really care about putting out high quality products, because our customers deserve nothing less. We won’t take shortcuts or release something our customers can’t rely on 100%. In the past, this has meant taking as much time as we needed to perfect a product prior to officially launching – including our revolutionary new Pipeline API platform – while we continued tweaking to make it the best it could be.”
“Honestly, it’s a habit we wanted to break. We knew that, with the right processes, we could consistently hit our aspirations for quality within whatever timeline we’ve committed to. ISO 9001 was the perfect way to embed rigorous quality management in every stage of our product development as well as in all other aspects of our operations.”
“Given that data is our business, ISO/IEC 27001 also made a lot of sense. It’s formalized our best practices around information security management – everything from financial data and intellectual property, to employee details and third-party information.”
“From blue chip brands to ad tech players, more and more of the customers we serve are adopting ISO standards themselves. They want peace of mind that they’re partnering with suppliers who share the same high standards. When it comes to real-time data service providers, we’re now uniquely positioned to offer them this. At the end of the day, these ISO standards show our customers, suppliers, and staff that they are in safe hands and can always rely on us.”
So how did we do it?
“We didn’t do it for the badge. We could have taken the easiest route to certification (as many do) – doing the minimum work required, using off-the-shelf policies and procedures. But, true to form, we weren’t content with that approach! Instead, we put in the hard work, going above and beyond to make the exercise as relevant as possible to us – because we recognized the long-term benefits this could bring.”
“One of the early decisions we made was to bring the two standards together under an Integrated Management System (IMS). Given the significant overlap between the two standards, this provided a coherent framework that would allow us to work towards our various objectives holistically.”
“Achieving just one ISO standard is no small undertaking, let alone tackling two of them together with an IMS! Thankfully, we partnered with a specialist ISO consultancy that guided us through each stage. The first was a gap analysis to identify where we were already compliant and where work was needed. Again, we could have plugged the gaps with generic documents but, instead, we got to work, creating more than 30 new policies and procedures, bringing existing ones into line where needed, and even investing in new systems and software.”
“Take our firewall upgrades, for example. The gap analysis showed a very low, outside risk to data at our data center. We didn’t need to address it for ISO/IEC 27001, but we chose to anyway, investing in a new, best-in-class firewall so that we and our customers can have total confidence in our information security.”
“We made our office computers more secure by disabling downloads and data transfers. We overhauled our supplier review process to reduce any risks from weak links in our supply chain. We standardized our customer feedback process to support our staff team and reassure customers that feedback will always be listened to and acted upon. And these examples are just the tip of the iceberg!”
“Following four months of hard work, we had our updates in place and were ready to put them to the test. This involved a detailed external assessment of risks and mitigations, a business continuity test, and a practice audit to fine-tune our policies and procedures in readiness for the real thing. I’m delighted to say that on the 10th March 2020, we passed the official audit and are now certified for ISO 9001 and ISO/IEC 27001.”
“I’d say the biggest factor in our ISO success was the amazing commitment and support from our executive and management team at every stage. They made it clear that our IMS is not just a check box but a central pillar of the company, alongside our new business and brand strategy. Although we were busy launching a new product platform, the leadership team dedicated the substantial time and resources needed to do this well. Personally, I focused on little else for six months! But it was worth doing the hard way – this process has given us a depth of knowledge and confidence in our quality and information security management that we could not have gained any other way.”
Our staff are dedicated to upholding these ISO standards. Through the lengthy process, we were able to instill in them a quality-first approach at every step of the way, resulting in the finest quality we can offer and unlocking our team's greatest potential.
What happens next?
“The whole thing came at a great time, as our newly-launched platform for real-time data services, Pipeline API, was able to benefit from the extra rigorous reviewing and testing that came with these ISO standards.”
“And we’re not stopping now! We’re living and breathing it. For us, ISO isn’t a ‘one-and-done’ thing but a commitment to continual improvement. Central to the IMS is our Continual Service Improvement Plan, which is updated continually and reviewed every six months. This allows us to take a systematic and strategic approach to logging, prioritizing, planning, and implementing improvements, to make sure our business is always going from strength to strength for the benefit of our customers.”