At Storm ID, quality, security, and privacy are at the forefront of everything we do. We take this very seriously, and over a number of years, we’ve been building on our credentials and reputation as a trusted supplier of innovative, robust and secure products and services.
How our journey started
In 2017, with GDPR on the horizon and a need to meet many other regulatory requirements in order to do the kind of work we wanted to do and continue to grow the business, we committed to identifying and achieving certification in a number of UK and internationally recognised standards. Our compliance journey had started.
We wanted to protect ourselves and our customers whilst continuing to deliver great work. We went back to basics and looked at the fundamentals of security, privacy and quality, working out the systems and controls we needed to ensure we can continue to meet the needs of our customers.
These are the standards we settled on achieving, which we knew would give us the best foundations to build on for the future.
Cyber Essentials and Cyber Essentials Plus
The Cyber Essentials scheme was launched in June 2014, and since October of the same year, Cyber Essentials certification has been a requirement for any suppliers wishing to work with the UK and Scottish public sector.
Cyber Essentials is a UK Government-backed scheme that helps organisations protect themselves against a whole range of the most common cyber-attacks. It is a self-assessment against a set of required technical controls designed to prevent those attacks. The self-assessment is then reviewed by an external accreditation body before certification is awarded.
In March 2018 Storm ID became Cyber Essentials certified, and in June 2019 we went a step further, and became Cyber Essentials Plus certified.
In addition to the self-assessment for Cyber Essentials, Cyber Essentials Plus requires hands-on technical verification and vulnerability scans conducted by the external accreditation body. This takes a day to complete and involves a deeper dive into your systems and processes.
We wanted to do this to demonstrate to all our customers, including those in government, that we’re willing to go above and beyond and exceed expectations when it comes to meeting their security requirements.
We have maintained and held both certifications ever since.
ISO 13485:2016 Medical devices — Quality management systems
Quality management systems bring together business processes to form a system that focusses on quality and consistency, with the goal of meeting customer requirements and increasing their satisfaction.
ISO 13485 sets out the requirements for a quality management system (QMS) specific to the medical devices industry.
Storm ID works with healthcare organisations to design and build healthcare apps and services, known as software as a medical device (SaMD). Regulatory requirements are increasingly stringent throughout every step of a medical device’s lifecycle, including service and delivery. Increasingly, we are expected to demonstrate our quality management processes and ensure best practice in everything we do. Successfully operating an ISO 13485 certified QMS does just that.
Storm ID became ISO 13485 certified in August 2020, and we continue to maintain this standard.
ISO 9001:2015 Quality management systems
Not satisfied with operating a QMS only for our healthcare apps and services work, we wanted to extend the QMS to embrace everything that Storm ID does. Storm ID is known for the quality of our work, and we wanted to ensure that how we achieve that is captured in a system, so that we can repeat our successes time and again and ensure customer satisfaction.
In November 2022 we became ISO 9001 certified.
ISO 9001 specifies the requirements for a quality management system. Being certified in this standard means that we can demonstrate our ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements across everything we do.
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems
ISO 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. This is a big step up from Cyber Essentials, and an important standard for Storm ID to achieve, as it demonstrates to customers and partners that we take security and privacy extremely seriously, and that we have robust systems and processes in place to protect the information that we control and process.
In February 2023 we became ISO 27001 certified.
We designed and built our ISMS to be ISO 27701 compliant as well, by integrating a privacy information management system (PIMS) into our systems and processes. ISO 27701 is an extension to ISO 27001 that sets out the requirements organisations should follow to enshrine privacy systems into their operations.
It took us a while to get our systems just right. Finding the right ways to implement security and privacy, whilst enabling people to work effectively and without obstacles, was key. We worked in consultation with various stakeholders across the company, as it was vital to get input and buy-in from everyone affected. Security should be an enabler, not a barrier, to doing great work.
Tim Threlfall, Operations Director at Storm ID, said:
By embarking on this journey, we’ve been able to develop and mature Storm ID’s approach to quality and security to align with internationally recognised standards, meeting customer expectations, and in a way that still enables us to deliver innovative products and services, quickly and effectively.
Continuing our journey
When we first started on this journey and began ‘getting into the weeds’, we were surprised to find that we already had a lot of the required best practice and good processes in place. Even so, the standards were a fantastic guide, and helped us focus on what was important and where we needed to improve or fine-tune.
It’s hard graft, and you have to do the miles, but it’s worth it. Once we got our first accreditation, we found we wanted more (we’re now looking at ISO 22301:2019 Security and resilience — Business continuity management systems to help us improve in that area as well).
Our main compliance goal now is to maintain the standards we have to help us to continue to meet our statutory and regulatory obligations. It’s all very well achieving a recognised standard, and it would be easy to sit back and bask in the glory, but the reality is that these standards are designed to make sure you continue to use and maintain the best practice systems and processes you’ve created.
We’ve already been through a number of audits and surveillance visits. During these, it’s guaranteed that you’ll be given at least one or two opportunities for improvement (OFIs) by the auditor. You don’t have to action OFIs, but at Storm ID we treat them like minor non-conformities (NCs), which you do have to action.
We’re always looking to improve in everything we do, and by treating the OFIs as NCs, we’re able to iterate on what we have, and continue to be known as a trusted supplier of innovative, robust and secure products and services.