We've achieved ISO 27001:2022. Here's what it actually means for you

We're now certified to ISO 27001:2022, the international standard for information security management. The scope covers everything we do: our e-commerce and software development work, end to end.

We'll be straight with you, though. This one's been a few years coming, and not because the paperwork was slow. We've worked to this standard for a long time already. How we handle your data, who can touch which systems, the way we build and test code, what happens when something looks off - it's all been baked into how we run TSD for years. The certificate doesn't change any of that. What it does is let an independent auditor confirm it, so you don't have to take our word for it.

What ISO 27001 actually is

Strip away the jargon and it's simple. ISO 27001 is a recognised standard for managing information security. It isn't a one-off test you pass and forget. It's a working system: documented controls, regular reviews, and an external auditor checking that you actually do what you say you do.

We've spent years renovating a heritage home, so this analogy sits right with us. You can tell a buyer the building's sound until you're blue in the face. It carries a lot more weight when an independent surveyor has been through the structure, checked the foundations, and put their name to it. ISO 27001 is the survey for the way we look after your information.

What our certification covers

This is the part worth being clear on. The certification covers all aspects of our e-commerce and software development work, not a narrow corner of it.

So that's how we build and host software, how we handle and store data, who can access what and why, and how we respond if something goes wrong. The same standards apply across the board, whether we're shipping a new Umbraco Commerce build, working on our own Igloo products, or supporting a site that's been live for years.

It helps to see what that looks like day to day, rather than as a line on a certificate. A few examples:

  • Nothing ships without a second pair of eyes. Every code change is peer-reviewed before it goes near production. That review isn't a nod-through. The reviewer is checking for the things that actually bite you: injection flaws, insecure handling of personal data, weak authentication, gaps in logging.
  • We test for security, not just "does it work". Alongside the usual functional and regression testing, security testing is part of how we sign work off, up to and including penetration testing where it's warranted.
  • We keep the receipts. Reviews, test results, and sign-offs are documented and retained, so there's a clear trail behind the work rather than a vague assurance that it was done properly.

What it means for you

For most of our clients, the benefit comes down to four things.

Your data is properly protected. The controls around confidentiality, integrity and availability have been independently checked. That covers the practical stuff: encryption, access controls, monitoring, and a clear process for handling incidents.

Your own due diligence gets easier. If you work in a regulated sector, or you're fielding security questionnaires from your own customers, our certification does some of that heavy lifting for you. It lines up with the frameworks you're already being asked about, GDPR included.

There's less risk to carry. ISO 27001 is built around heading risk off before it becomes a problem, rather than reacting after the fact. Fewer surprises for us means fewer surprises for you.

It's trust you can point to. You can show your own board, partners or auditors that your digital delivery partner holds a recognised security certification. That's a handy thing to have in your back pocket.

Our honest take

We're not going to pretend ISO 27001 is light work. Anyone who's been through it knows it's graft, and it doesn't happen without someone willing to own it from the first day to the last. Ours did, and the team backed them on it. We're quietly proud of that.

We're not stopping here either. The same standards already point us towards SOC 2, which is the next step we're working on for the clients who ask for it.

But the bit that matters to you isn't the certificate on the wall. It's that the way we protect your data has been checked and verified by someone other than us. That's the reassurance we always wanted to be able to give you, and now we can.

Want to talk it through?

If you've got a project where security and trust really matter, or you just want to understand what our certification means for your business, we're happy to talk it through. Give us a shout.
