When I joined Cloudar five years ago, I was employee number eight. Things were already pretty well-organized with some rules in place, but for the rest the possibilities were wide open. I like to describe it as a “rock ‘n’ roll culture.”
Security is job zero
Our projects, customer base, headcount and specialties were growing like bamboo. Growth is a good thing, but it comes with some challenges. It was important for us to stay organized and efficient for many reasons, but above all to retain the highest level of information security. Because we’re big believers in, as AWS puts it: “Security is job zero.”
At the time, some customer projects were starting to require Cloudar to get ISO 27001 certified. This international standard for information security involves yearly audits, with a full audit every three years. Obtaining this certificate would also allow us to further expand our business.
It was around the same time that the General Data Protection Regulation (GDPR) came into force, replacing the 1995 Data Protection Directive. And while we were at it, we also wanted to achieve the AWS Managed Services Partner competency to further promote our business.
So we rolled up our sleeves and started working on getting AWS MSP, GDPR and ISO 27001, all at the same time. The goal: comply with all three, ASAP. And we did it! GDPR was done well before the deadline and by the end of 2018, we proudly announced that we had both certifications in the bag.
How we went about it
Before we started, we looked at the three different goals and identified the overlaps and dependencies:
For MSP, we structured the work into Jira tasks and created a Kanban board to track progress. Each requirement referred to a page in Confluence where the content was written up for the auditor to review.
For GDPR and ISO 27001, we engaged with InfoSentry, a Cronos company specialized in information security. Their experience and input proved to be very helpful for us to set up a usable Information Security Management System and Privacy Management System.
The following months were packed with writing policies and implementing improvements and procedures. It struck me that in many cases, the things we did and the way we did them were already in line with industry security and compliance requirements. The whole exercise just confirmed that our way of working is quite secure. At the same time we gained new insight and structure that enable us to build on our strengths.
Leveraging our experience
Since we got multi-certified, we’ve been leveraging our experience to help some of our customers on their information security journey. Whether you’re seeking insight into your current security status or looking to get ISO 27001 certified, we can help. Today, our company counts over 40 people. We just passed our recertification for ISO 27001. There were no non-conformities, just a single improvement opportunity. This kickass result is in line with our audit results from previous years. Our MSP recertification will follow soon, with even more achievements to come. I think that proves we can keep things organized, secure and fun at the same time. And we still rock!