Frontier Software reaps the rewards of ISO 9001 and ISO 27001 with the help of SGS United Kingdom Ltd
Frontier Software has been reaping the benefits of a single quality system encompassing both ISO 9001 and ISO 27001 standards.
Founded in Australia in 1983, Frontier Software develops, supports and supplies an integrated HR and payroll software solution along with associated services. Payroll outsourcing, hosted either at a client’s office or in the company’s own computer centre, is a growing aspect of the business.
The company supplies its range of products to customers in over 20 countries and has offices in the UK, New Zealand, India, Singapore, Malaysia and the Philippines with over 400 staff worldwide.
ISO 9001 Quality Management certification demonstrates an organisation’s commitment to meeting the highest standards of quality and customer satisfaction, and provides support for continual improvement of quality management systems.
The ISO 27001 Information Security Management Systems standard helps organisations keep information secure over the long term. Certification enhances credibility, demonstrates that the confidentiality, integrity and availability of data and systems are managed, and shows a commitment to information security.
Why Frontier Software chose ISO 27001 certification
Frontier Software added ISO 27001 to its ISO 9001 certification for both external validation and internal benefit. The two certifications complement each other: they share a common set of business baselines and together demonstrate the company’s commitment to best practice.
Potential customers looking for a provider of payroll systems, outsourcing and hosting services ask about the company’s security controls, to satisfy themselves that their data will be protected. ISO 27001 certification provides the reassurance that Frontier Software has a managed, independently audited approach to information security.
The company found the standard straightforward to implement.
“The standards follow the same Plan, Do, Check, Act procedure. They address similar areas, so adding a procedure to our top level documentation emphasising what we were doing in relation to information security was a straightforward extension.”
Why Frontier Software chose SGS United Kingdom Ltd to help
The company chose SGS primarily for its international presence, which suits a business operating across several countries.
The SGS auditor’s background in IT has proved helpful in applying the standard, and has exceeded expectations by yielding practical advice that supports the business beyond the audit itself.
“Our SGS auditor has experience of software programming, so when he visits us he can suggest improvements for our development manager to consider. This way we make the best use of his advice.”
Certification to ISO 27001 also offers a commercial benefit in the way the company presents itself to potential customers.
“We have achieved a standard, demonstrating our commitment to quality and information security, which reduces the need for a customer to assess us themselves.
We still find some of our bigger customers want to perform their own audits of our processes. But we have a consistent approach, backed by our certifications we can show them. Reducing the number of third party auditors asking similar questions in different ways leads to further efficiencies.”
The standard helps Frontier Software compete for new business in the public sector.
“We do a lot of work with the public sector, and they always ask questions about security during tendering. Having the certification makes it easier to get onto people’s shortlists.”
The standard provides a framework for consolidating the company’s procedures, improving the management and control of the business.
“You don’t have to rely on someone remembering how we did it last time. It’s all documented. It allows us to continually improve our processes,” adds Steve Pritchet.
“We recently decided to adopt the same processes between Australia and the UK, which has generated efficiencies in both countries. The ISO model works well for this.”
Frontier Software also applies the standard in its software development process.
“Our development and QA processes fit in well with the ISO standard. In sales, where processes are more flexible, we have procedures to ensure the customer’s requirements and the terms we have agreed are properly documented.”
Advice to other organisations considering taking the ISO 27001 journey
“Begin with Annex A and the Statement of Applicability (SoA),” says Steve Pritchet.
Like the Quality Manual in ISO 9001, the SoA is the central document defining how an organisation implements a large part of its information security, and it is the key to a successful ISO 27001 certification.
Its purpose is to record which of the Annex A controls (security measures; 133 of them in the 2005 edition of the standard, with later editions revising the list) apply to the organisation, with a justification for each inclusion or exclusion, and how the applicable controls are implemented.
Steve Pritchet recommends looking at the business first and using the standard to support the business.
“Work out how existing processes address the controls. Where there are gaps in how they apply to your business identify how they can be addressed. But don’t focus on the standard and neglect what you are trying to achieve in the business.
Our SGS auditor has been very supportive. He sees that our approach of a single quality system encompassing both standards works well for us, whilst complying with the certification requirements,” says Steve Pritchet.