Evalian supported Ross Robotics in gaining their ISO 27001 and ISO 9001 certification in just nine months.
What challenges were you and your team experiencing prior to working with us – what prompted you to seek a solution?

It was a mixture of things: it was partly about winning business, partly about internal efficiency, being able to manage things faster and easier with repeatable processes, and partly about ensuring business continuity. We see an increasing expectation across the board that large customers want to see their suppliers have a formal security standard.
We also needed that security around onboarding suppliers. In broad terms, we work with two different types of suppliers: Cloud Service Providers for many of our internal IT systems – and those that we use are well versed in Information Security and Quality Management – and then the many diverse component and fabrication suppliers, where some of them have a less rigorous approach.
My experience in previous businesses where there’s been no formal information security management system in place when dealing with large customers was having to deal with large Excel questionnaires, sometimes with more than 150 questions. And it was different questions every time, so each time it took several people many days to respond – and we never knew if we had it ‘right’. In Ross Robotics, I knew that if we had the formal systems and processes, backed by accredited ISO 27001 and ISO 9001 certificates, it would be a case of saying “Yes, we have that covered, we’re doing it correctly, would you like to see our policy on that?”. It streamlines everything, makes it so much less onerous; and above all our customers know we’re handling security and quality management correctly.
Please describe the reasons you decided to work with us.

Joe (business development manager at Evalian) caught me at the right time. I noticed that he was local to me – and in a world of remote business, the locality felt reassuring from the get-go. ISO certifications were on the radar for us for a number of reasons and the consultative sales approach with no pressure was what helped make our decision. Of course, budget played into it too, but it really was that initial “local service” that got my attention.
I’d like to commend both Joe and Danny on how they worked with us. Once the initial engagement was complete, Joe gracefully stepped aside and left me in Danny’s capable hands, but it didn’t feel like the sales team had just “done their bit and walked away”, it was a very good handover.
We had one consultant working with us the whole way through the process, we haven’t had to repeat anything to bring others up to speed, and Danny has been very responsive throughout the engagement.
Did you have any expectations going into the process?

I’ve gone through PCI DSS many years ago and it was a difficult process. And I’ve been in a business that was trying to implement ISO 27001, but not as the one leading it. It always felt like everyone was ‘the victim’ of the process. So as the person initiating it this time, I wanted to make sure my team didn’t become “victims” of the process. I wanted to ensure that everyone understood why we were doing it, that it was essential for the business, important that we have that assurance of security and quality management, and that having clear policies and repeatable processes was going to help us be better and more efficient. So that became the common theme all the way through – and Evalian really supported us well in doing that.
Were there any challenges you found along the way, and how did the Evalian consultant support you through that?

I was determined we’d gain certification in 6 months, but the advice from our Evalian consultant Danny was that it was “ambitious”. Of course, the actual “business of doing business” got in the way and we ended up parking it for about three months mid-way through. However, when we picked it up again, whilst we’d lost some momentum, Evalian helped us get it back. Ultimately we did it in 9 months.
We’re heavy users of modern collaborative tech tools – Google Workplace for the ‘Office suite’, Confluence for knowledge management and Jira for project management. In our ISO journey, I didn’t want to base our Quality Management System and Information Security Management System on folders full of Word documents and Excel spreadsheets that would go unused for months until a mad dash just before audit time. I wanted to embrace these new tools and make our IMS a central part of how we worked.
So, for example, most of our docs are in Confluence, linked in tightly with reviews, audits, improvement plans and such that are managed in Jira. It’s a beautiful joined-up system, where running the system also maintains the system. Evalian was able to help us translate what they knew about Quality Management Systems and Information Security Management Systems into our favoured tools and systems.
What has been the most significant impact for your business facilitated by using our services?

The immediate impact is having that formal accredited ISO stamp of quality for anyone looking to work with us in the future, and for existing customers right now – we’re able to give them the assurance that we know how to deliver repeatable quality and handle theirs and our own data responsibly.
In terms of the efficiency benefits, I’m already finding many of those, and the full benefit will become even more apparent over time.
Would I use Evalian again? Yes, for sure. I’ve already recommended them to other CTOs and COOs I know, and we’re set to re-engage with Evalian on a further project early next year.