
ISO 27001 for Small Teams: Progress over Perfection

Making ISO 27001 work for us (without losing our minds).

The story of how we navigated ISO 27001 as a small team—and the lessons we learned along the way.

How do you feel when you come across the words ‘Information Security,’ ‘ISO 27001,’ or ‘Surveillance Audits’?

Overwhelmed? Cynical? Maybe even intimidated? That was exactly how we felt back in 2019 when our Board emphasised that achieving certification in Information Security (Infosec) wasn’t just a nice-to-have - it was table stakes. As specialists in developing and building Applications and Digital Products alongside our partners, we knew we had to take this seriously and demonstrate that Infosec is a core organisational priority, and not just a checkbox.

But, for a small team of just thirty with no prior experience - the prospect of achieving certification certainly conjured up visions (more like nightmares) of wordy policy documents, endless meetings, technical jargon and the spectre of annual compliance audits becoming a permanent fixture in our lives…

Thankfully, as we’ve discovered, it doesn’t have to be that way. By focusing on what truly mattered and keeping the process practical and simple, we found that implementing a compliant Information Security Management System (ISMS) was far more manageable than we expected.

Reflections on our certification journey

At MadeCurious, we’re now in our third year of certification to ISO 27001 (Information Security Management) and recently completed our second surveillance audit. And you know what, this audit cycle had it all. Since our last audit, we’d changed our operating structure, moved to new physical premises, and had a new internal network set up - all of which needed to be audited. On top of that, it was time for us to transition to the updated ISO27001:2022 standards, which are designed to reflect the evolving nature of Infosec.

These revised standards include an updated set of controls better suited to today’s security landscape. They cover cloud technologies, remote working, and agile development practices - which, if we’re honest, feel much more aligned with how we work than the previous standards ever did. Rather than treating the transition as just another compliance exercise, we framed this as an opportunity to review and reassess how we do things, ensuring that our approach remains compliant, practical, and fit for purpose going forward.

Despite these changes, we’re proud to say we were ready for the audit within the expected timeframe, received only minor non-conformances, and identified a handful of opportunities for improvement. The resilience and maturation we’ve developed over the past three years meant we hardly broke a sweat (well, except when the air conditioning in one of our meeting rooms broke down on a hot spring day). We couldn’t be more pleased at how far we’ve come.

Reflecting on our journey over coffee with a similar-sized business recently, we realised there’s a story of reassurance to be told for smaller businesses pursuing internationally recognised standards like ISO 27001 and the like. And it’s not one of fear, or resistance. If you start smart, and approach the process as a multi-year exercise in change and maturation, you’ll build the muscle to breeze through your audits - no matter what wildcards come your way.

Why we care about ISO27001

As a business that regularly works with central and local government agencies, as well as other Kiwi businesses, building, supporting and maintaining their software applications and products - protecting sensitive data isn’t just a legal or contractual obligation—it’s a core part of how we operate. While we focus on building the right thing, we’re equally committed to treating our customers’ data like it’s our own. We want everyone who works with us or uses the applications we’ve built to be able to trust us - and getting ISO27001 certified is one way we demonstrate our commitment to information security (InfoSec). 

Being a globally recognised framework, certification provides our existing (and future) customers with confidence that we’re meeting the highest standards of InfoSec management. More importantly, though, it's genuinely helping us to continually refine how we identify and manage risks and protect data, ensuring that trust isn’t just earned—it’s consistently maintained whatever changes the world throws our way.


[Image: a book and devices physically locked down with a chain. Caption: We haven't gone this far, yet.]

What we learnt

With limited resources and capacity within the team, trying to reinvent the wheel or overhaul everything simply wasn’t realistic (or sustainable) - which is why we quickly learned the value of keeping it simple, starting small, and focusing on progress over perfection.

Rather than having a grand, all-out-at-once implementation plan - we started by familiarising ourselves with the standards and setting up our ISMS a full year before our first audits. This gave us time to assess where we were, identify and prioritise what needed to be addressed, and involve the right people at the right time. By growing our collective knowledge and steadily chipping away at reviewing, implementing, and refining our policies and controls, we made tangible progress without overwhelming the team.

By embracing simplicity, we’ve been able to make meaningful progress with each audit - learning from gaps, building on strengths, and implementing changes that matter. Keeping things straightforward has not only reduced stress but also helped us create a foundation that’s both practical and manageable for our team.

That said, simplicity does not mean staying static. It means staying open to feedback and viewing every challenge as an opportunity to improve, which has allowed us to consistently strengthen our approach to information security.

[Image: an unattended computer in a workspace, left unlocked. Caption: You buy donuts for the team (and get shamed) if your unattended computer's seen left unlocked here at MC.]

Embracing feedback

Audits, for example, can feel a bit like sitting an exam - it's equal parts reflection, and mild discomfort. It’s also undeniably awkward: your job is to show and tell what you’ve done and convince the auditor that you’ve ‘done it right.’

I can’t deny that every non-conformance, minor or major, stings and feels like a failure, like getting a question wrong! It’s especially triggering for me, having grown up in Singapore, where you’re often judged by the results, rather than improvement. But over time, we (and I) have learned to see them differently, as chances to level up and get better.

Over three annual audits with three different auditors, we’ve come to see every audit as a unique opportunity to gain fresh perspectives. Each auditor brings their own experiences and insights, and we even had the chance to work with one of the editors of the standard! It’s easy to fall into the trap of viewing auditors as the ‘enemy’, but in our experience, they’re always willing to share the contextual knowledge and recommendations based on what they’ve seen work well elsewhere. Building rapport, staying curious, and treating them as partners in learning can completely transform the audit experience. 


Let’s chat!

We know firsthand that implementing a framework like ISO 27001 can feel tricky and daunting, and finding a starting point isn’t always easy, especially for smaller organisations (like us!). Whether you’re considering getting certified or preparing for your audits, we’d love to chat over coffee (or virtually) to share what’s worked (and what hasn’t) for us—and to hear your perspective as well.

Regardless, we hope that the next time anything information security related comes up before you, it inspires a little more curiosity and interest rather than resistance or overwhelm!
