We are proud to announce that in march 2022, Teradisk achieved ISO 9001 and 27001. The process has been challenging, time consuming but fullfilling in terms of Teradisk growing as a company. In this post, I will try to explain our approach to the certification and insights about our processes.
Leveraging the technology to get the job done
ISO certification requires a lot of documentation in terms of processes, policies, manuals and evidences. All this information must be gathered, tracked and secured. We are almost a paperless company, so we decided to stuck with that philosophy and used our every day tools like Confluence or Jira Service Desk.
Assuring the processes
Jira Workflows are very powerful if you know how to deal with them. You can define complex processes with multiple status and transitions. The use of custom fields and customized transition screens give you the ability to ask exactly what is needed in each part of the process. On the other hand, setting Conditions and Validators helps you assure that mandatory information is gathered before allowing the user to continue the process. If you need to implement somekind of approval process, you will find useful to use the combination of Groups and Validators. Lastly, Post-functions can help you to assign the issue to the proper asignee.
As an example of this kind of implementantion, here is our commercial offer process:
As you can see, the first part of the process ensures that offers are technically and commercially validated. After this process, the sales department can share the offer with the customer. Following the customer’s approval, the administration department ensures that all data required for invoicing is available and routes the issue to invoicing or the scrum process (in case that some infrastructure provision and technical setup must be performend before invoicing).
Here is an example of the use of screens in order to require custom information:
Automating the evidence
One important thing about the ISO certification is that you must be able to evidence the actions performed to assure the process. For instance, if you need to perform regular checks of a Disaster Recovery implementation, you can use the Jira automation system to create regular check request. This is an easy way to avoid forgetting tasks because it is already implemented with our ticketing system.
In some cases, you will need “some extra logic” before creating the request. For instance, in order to assure the proper functioning of our Storage Replication between datacenters, we chose to perform a monthly sampling process. This sampling chooses random customers among our client’s database and open an issue with the instructions for the Sysadmin. In that case, using python script deployed as a cron job to our internal Kubernetes did the trick (but you can use Lambda for a serverless solution or simply a cron in some instance as well)
Document control
Confluence has very useful functionality for ISO certification out of the box. Assuring document versioning can be made easily with “Change History” macro. Confluence “Tree Structure” fits quite well in order to arrange the documents in an “ISO Logical way” and the ability to link among documents (with the automatic title substitution instead of the link) is a great feature. One thing that we find lacking in the standard confluence package was the ability to “sign” the documents in a formal way. Finally, we found a pluging named “eSign for Confluence” that provided us the ability to create a review and approval system through PIN (Personal Identification Number) that works flawlessly.
Tasting our own medicine
In 2020, Teradisk made firm steps towards the acquisition of security capabilities. Our R&D guys worked hard to develop a security service portfolio and the ISO Certification was the perfect excuse to apply our own tools and services in ourself. In order to ensure an independent security audit, the vulnerability assessment was performed by the R&D Team without the intervention of our project or support departments.
Why we fight
In Teradisk, we took the ISO Certification very seriously. It is not just a matter of having a new fancy bagde in our site. We took the ocasion to review our processes in depth and, in each step of the certification, we created a large list of deliverables in order to improve. We were glad to see that we already performed quite well though. Overall, I think that we have done a good job and our services will be reinforced. At the end, as a company trying to evolve in our thrilling sector, we must ensure that each step we take strengthen our proposition of value.