SimpleBackups

ISO 27001 Recertification: Two Years In

Back in December 2023, we earned our ISO 27001 certification. At the end of last year, we had our first surveillance audit. And now, we've successfully passed our second surveillance audit with an independent third-party auditor.

Two years in, certification maintained.

How ISO 27001 Audits Work

If you're not familiar with the cycle: after initial certification, you don't just coast for three years. Independent auditors return annually for surveillance audits—verifying that your Information Security Management System (ISMS) is still functioning, still improving, and still meeting the standard's requirements.

These aren't rubber stamps. Auditors review documentation, interview team members, examine evidence, and verify that what we say we do matches what we actually do. They look at how we've addressed any findings from previous audits and whether our security practices have evolved with new risks.

Two Years of Continuous Improvement

Passing the audit wasn't about proving we're the same company we were in 2023. It was about demonstrating we've kept improving.

Over the past year, we've continued refining our risk assessment methodology, strengthened monitoring across our infrastructure, and improved how we document and respond to security events. Our Compliance Board has also matured—making it easier for you to prove your own backup compliance during audits.

These aren't changes we made for the audit. They're changes we made because running a backup service means people trust us with their critical data, and that responsibility doesn't take breaks.

What's Next

Next year brings our full recertification audit, a comprehensive review of our entire ISMS before the three-year cycle resets. We'll be ready.

In the meantime, if you're going through your own ISO 27001 journey: we've been there. Reach out if you want to chat—we've built up real expertise and we're happy to share what we've learned.