Yesterday, we had our stage 2 audit for ISO 27001 and are pleased to report that we had no "non-conformities". This means that, once the auditor's report is completed, we expect to receive our accreditation in 2-3 weeks. It's been a lot of effort over the last year and, as well as engaging consultants from the highly respected Ascentor, we actually did most of the work ourselves.
This approach probably meant more to do overall, but we feel it has made our systems stronger and that we've properly investigated what we do on all levels and developed stronger policies around improved processes, rather than just taking someone else's policies and trying to adapt to them.
The auditor told us that she was impressed with our systems, which were, of course, adaptations of our Drupal/CiviCRM-based intranet. This has made it easy for us to record our security team meetings, incidents, staff training and a whole range of other stuff in a consistent way, with easy lookup for the relevant members of our team. The ease of development and improvement on the system we already had in place made this part of the process easy for us.
Our whole team has been involved in the discussions at some points of the process and I'd like to congratulate everyone. However, special mention goes to Thom, who has been our leader in this undertaking and who has gone the extra mile to ensure we've not only passed the audits but become a more secure and stronger business.