Volume Ten - May 2026

Subject – ISO Certifications
Source Code Conversations Ep. 10 - ISO: Technology & People
Hi everyone and welcome to Volume 10 of Source Code Conversations.

This episode we’re delighted to welcome our HR Lead, Tanya Burnham, and our CTO, Matt Reardon, to chat about ISO and how it impacts technology and people.

Thanks for giving us your time, let’s get into the conversation. 

Guest Introduction

Zoe Hawkins: Welcome back to the podcast. Today, we’re talking about something that sounds very formal but actually affects everyone in the business more than they might think: ISO certification. In this episode, we’ll focus on what ISO really means in practice, why it’s not just a box‑ticking exercise, and how it impacts both technology and people. To explore that, I’m joined by Matt, our CTO, and Tanya, our HR lead. Thanks both for being here.

Matt Reardon: Thank you for the invite.

Tanya Burnham: Thank you.

What Is ISO?

Zoe: Let’s start simple. ISO can feel like one of those acronyms people hear but don’t fully understand. Matt, how would you explain ISO, particularly ISO 27001, in plain English?

Matt: Yeah, absolutely. ISO 27001 is essentially a globally recognised standard for keeping information secure. Think of it like a rulebook that helps organisations prove they take data security seriously.

It’s not specifically about software or tools, it’s about having an Information Security Management System, or ISMS. That includes policies, processes, and controls that help identify and manage security risks.

Zoe: That’s really helpful, thank you. And building on that, what drives organisations to go after ISO certification? What problem is it solving in the real world?

Matt: There are a few key drivers. First is credibility and trust: because it’s internationally recognised, it acts as a third‑party seal of approval. That can help win business and differentiate you from competitors. Many organisations also require their suppliers to hold ISO 27001 certification.

Then there’s risk management. The standard forces organisations to identify, assess, and treat security risks, which reduces the likelihood of breaches and data loss.

There’s also regulatory alignment. While it’s not a legal requirement, it overlaps with frameworks like UK GDPR, so it helps demonstrate compliance and reduces scrutiny.

Finally, it helps organisations be prepared for security incidents, so there’s a clear structure in place rather than a chaotic response.

Human Resources Perspective

Zoe: That leads nicely to you, Tanya. ISO often gets labelled as “an IT or security project”. From an HR point of view, why isn’t that true?

Tanya: Because ISO directly involves people and behaviours. ISO 27001 is just as much about people as it is about systems. You can have the best technology in the world, but if employees don’t understand data handling or their responsibilities, the framework falls apart. That’s where HR plays a key role ensuring there are clear policies, proper training, and real accountability, and that security becomes part of how people work every day.

Zoe: That makes a lot of sense. So, as it’s ISO Awareness Week at Source Code Control, this feels like a good moment to zoom out, how does HR turn ISO from a set of policies into everyday behaviours that actually stick?

Tanya: It really comes down to communication and repetition. We focus on engaging people from the start, especially during onboarding and making sure they know where policies are and how to follow them. ISO Awareness Week was all about making the language and controls accessible. It’s less about compliance and more about building good habits.

Zoe: Yeah, it’s about keeping everyone up to date and engaged with it.

Working Together: Technology & People

Zoe: What’s really interesting here is how these two worlds, technology and people, come together. Matt, where do you rely most on HR during an ISO journey?

Matt: A lot of it sits within what’s called Annex A6, people controls, which are owned by HR. This includes onboarding and offboarding staff, often called the Joiner, Mover, Leaver process, as well as role changes, disciplinary procedures, and security training. From an IT perspective, that links directly to managing user accounts and access rights. So HR doesn’t just support ISO, they’re actually a control owner.

Zoe: That’s really interesting. And Tanya, from your side, where does technology help HR support ISO?

Tanya: It’s about having clear processes and strong audit trails. Technology gives us confidence that we can demonstrate compliance when auditors come in, and it makes everything more structured and reliable.

Challenges & Myths

Zoe: This question is for the both of you, what’s the hardest part of ISO that people underestimate?

Matt: I’d say ongoing maintenance, what ISO calls continual improvement.

Certification lasts three years, but you have to continuously demonstrate that you’re following the standard through audits. Gaps in evidence are the biggest risk.

It also needs strong leadership commitment, it’s a business standard, not just a technical one.

Zoe: And what about you, Tanya?

Tanya: For me, it’s engagement. People can switch off when they hear about policies or mandatory training.

The challenge is making ISO part of everyday behaviour, simple things like locking screens or not writing passwords down. It’s about embedding those habits.

Zoe: Yeah, those small actions really make a difference.

Zoe: While we’re on the topic, are there any myths about ISO you’d like to clear up? Matt, let’s start with you.

Matt: One big myth is that it’s only for large organisations, it isn’t. It’s scalable for businesses of any size.

Another is that it’s just an IT standard, it’s not, it covers people, processes, and technology.

And finally, certification doesn’t mean you’re completely secure. It shows you have a structured approach to managing risk, but it’s an ongoing process, not a guarantee.

Zoe: That’s a really important point. Tanya?

Tanya: A common misconception is that ISO means mistrusting employees or removing flexibility. In reality, it’s about clarity. It gives people clear expectations and removes ambiguity, especially when it comes to security.

Advice for Other Businesses

Zoe: If someone’s listening to this and they’re right at the start of their ISO journey, or maybe just thinking about it, what’s one piece of advice you’d give them?

Matt: I’d split this into 5 pieces of advice:

  1. Obtain a copy of the standard and familiarise yourself with it.
  2. Obtain leadership buy-in, as you’re going to need that top-level support to get this correct.
  3. Define the scope. Conduct a gap analysis to find out what’s already in place and what’s needed to fill the gaps, perform a risk assessment and build a plan.
  4. Implement those controls, as there are up to 93 controls in the standard, with us being up to 90 of those.
  5. Train people. Communication is key to this journey. Clause 7.4 talks about communication and conveying the changes to the standard, new parts of policies and processes.

Tanya: I’d echo that, involve people early and communicate often. Help them understand what’s happening and why it matters.

Zoe: Absolutely, it’s all about engagement.

Closing

Zoe: To wrap things up, if there’s one key takeaway from today, it’s that ISO isn’t just about compliance, it’s about building trust, creating resilience, and improving how we work as a business.

Thank you to Matt and Tanya for joining me, and thank you for listening. If you found this useful, feel free to share it and check out our previous episodes.

This ties in nicely to one of our Conversations with Gourav Tandon about why Source Code Control became ISO Certified. If you haven’t already, have a listen.

If you enjoyed this episode, don’t forget to share it with your colleagues and follow us on LinkedIn at ‘Cloud Services by Source Code Control’ to know when the next Volume drops. Thanks for listening, and we’ll see you next time on Source Code Conversations. 

Matt Reardon

Interviewee

Tanya Burnham

Interviewee

Zoe Hawkins

Interviewer & Editor
