From checklist to guiding principle – 5 years of ISO at Apps with love

21 May 2026 – by Martin Mattli

In 2022, we achieved our initial certification for ISO 9001 (Quality Management System) and ISO 14001 (Environmental Management System). At the time, many things were still unclear. We had just completed six months of external consultancy and were trying to align our existing structures – from our organisational chart, roles and responsibilities to processes and documentation – with ISO terminology and regulations. Our mission statement, strategic concepts and corporate objectives also had to be translated into the language of ISO standards.

But that’s only one side of the story. The bigger question was: Why do we even need this in the first place?

Why ISO certifications are important to us

On one hand, customers have increasingly been demanding ISO certification: that is the external reality. But interestingly, the push also came from within. An employee survey from a few years ago revealed something that challenged our long-standing narrative. For years, we had lived by the credo: "We don't need many processes; everyone knows them anyway."

If you’d asked me back then how our structures were designed, I probably wouldn’t have been able to give a clear answer. How did we analyse and assess risks? Each team likely would have given a different answer. Will we achieve our strategic goals? We could hardly have estimated it ahead of time. Which rules applied, and where could templates and checklists be found? It would have been difficult to say clearly what was currently valid, even though a lot of material existed and was documented.

This is exactly what the employee survey highlighted: many team members wanted somewhat the opposite of our previous practice. They wanted more clarity, structure, and documented processes. They wanted to know how things worked. Where do I find answers? Which rules apply? Where and how are decisions made?

This gave the ISO certifications a new significance. They were not merely an external compliance requirement imposed by our clients, but an opportunity to address many internal questions that our staff had long been asking.

Today, five years on and having passed the recertification audit in 2026, we can say one thing with certainty: having a common thread running through the entire company not only makes external audits easier, but, more importantly, it makes our day-to-day work clearer and more transparent. In this blog post I would like to highlight how external requirements have helped us establish structures and processes that we can use to guide our business. ISO certification has helped us establish a targeted framework and set of rules that enable us to manage our business in a stable, efficient, sustainable and secure manner – always with our corporate goal in mind: to create secure and attractive jobs for the long term.

[Image: Certification seals for ISO 27001 in black, ISO 14001 in green and ISO 9001 in beige from Attesta]
Apps with love’s three ISO certifications

Our ISO journey from 2022 to today

2022: The structural phase

For many companies, the typical ISO audit cycle involves little happening throughout the year. Then, two to three weeks before the external audit, panic breaks out among the staff. All documentation must be updated and processes hastily documented. From the outset, our aim was to avoid falling into this trap. We wanted to integrate the ISO requirements into our day-to-day work in such a way that we could establish routines through structured processes. The work required for the annual audit is carried out continuously throughout the year.

The initial certification was primarily a matter of terminology for us. In particular, ISO language is completely different from the language and terminology we use in our daily work. We had to translate our "Apps with love" language into ISO language, which was no easy task. Here are a few examples of how we bridged that gap:

  • Quality Policy means our Strategy and Mission Statement: Our vision, mission, and strategy are not documents created for the audit but a daily compass guiding our shared journey with our employees.

  • The Executive Board corresponds to our Management Board: we practise flat hierarchies within clearly defined roles and responsibilities. The Management Board takes on the tasks of a traditional executive board.

  • Information management means traceability: all project documentation, such as quotations, contracts and acceptance reports, must be legible, retrievable and filed in a documented manner.

  • Quality Objectives are our Strategic Goals: We track these transparently in our management dashboard.

  • Results of Monitoring and Measurement are our Operational KPIs: costs and hourly rates, pricing structures, expenditure, capacity utilization – in short, everything we continuously measure and control.

  • Conformity of Products and Services is a term for the degree to which we meet our customers’ requirements. 

A quality management system is assessed by its maturity level. The great thing about this is that not every single aspect of the ISO standard has to be fully met right from the start. This means we don't have to make everything perfect all at once. Instead, we can mature step-by-step and continuously improve along the way.

2023/24: ISO 27001 – Rules and real consequences

With ISO 27001, the meaning of certification fundamentally changed for us. It forced us to ask an uncomfortable question: How do we define rules with real consequences? This was a massive challenge, especially in a culture built on harmony and mutual respect. Suddenly, we had to put into writing what the consequences are if someone fails to comply with IT security measures, ranging from a formal warning to the termination of an employment contract.

Freedom vs. Security

In a company that relies on harmony and flat hierarchies, the idea of explicit rules with consequences initially felt like an infringement on personal freedom in how we design our work. Many employees asked: Do we really need this? Won’t it become too restrictive?

It took a lot of persuasion, but we learnt that clarity also creates freedom. When you know where the boundaries lie, you actually act with greater confidence. Explicit rules should not be seen as paternalism, but in this case, as mutual protection.

Up to that point, IT security had been based on common sense and plenty of experience. With ISO 27001 and the Statement of Applicability (SoA) control points, we had to document exactly how we work. This led to new processes, structures, roles, and guidelines:

  • Policies and strategies: We defined and implemented data protection policies, backup strategies, and IT security guidelines.

  • Handling of data and personal data: Clear guidelines on data retention and data deletion, as well as the ongoing enhancement of technical and organisational measures.

  • Specific risk analysis: We carry out systematic assessments of BSI (Federal Office for Information Security) risks and integrate them directly into our overall risk portfolio.

  • Monitoring and learning: We regularly review the SoA control points and perform root cause analyses in the event of incidents.

  • CERT Team and Crisis Management Team: Thanks to a dedicated emergency response team and a revised emergency response plan, we are capable of acting effectively in an emergency.

[Image: Three members of Apps with love are holding an ISO certificate and showing it to the camera]
Proud faces after passing the audit in 2025: Olivier Oswald, Stephan Klaus and Martin Mattli with the ISO 27001, 9001 and 14001 certificates.

A nervous system for the company

When we started our ISO journey five years ago, obtaining the certificates was our primary focus. However, we quickly realized that the system enabled improvements we hadn't anticipated:

  • Greater visibility into continuous improvements: On our Kanban board for the Continuous Improvement Process (CIP), we gather and coordinate a wide variety of optimization measures, ranging from process improvements and role definitions to team goals. This gives us an overview of who is working on what and provides transparency to see what is currently happening across the company outside of day-to-day project business. When we make a decision, such as investing in an AI task force, everyone knows why: because the risk analysis shows that this represents a major opportunity for us as a company.

  • Improvements in daily business: Year after year, our standardized customer satisfaction surveys show us what we are doing well and where there is room for improvement. Internal audits are comparable and not just snapshots in time. We see where we are improving and where we need to be careful.

  • More clarity instead of assumptions: For example, we know where data protection policies are documented, where AI guidelines are located and where IT security rules can be found. New employees know the rules straight away and teams have a compass.

  • Greater protection instead of surprises: Compliance has become part of our daily routine. Our risk portfolio gives us early warnings whenever something becomes critical. Vendor evaluations are objective, and data privacy requirements are integrated directly into our core processes.

[Image: Pie chart from the 'Apps with love' risk analysis. The identified risks are categorised by type: financial, operational, strategic and external risk]
Every year, we assess several dozen risks, divided into various categories. Some are fixed and specified by ISO, whilst others disappear over the years or are added as new ones emerge.

The challenges along the way

That probably all sounds rather good, and likely easier than it actually was. On the road to our initial certification, we thought we’d have to reinvent the wheel. In reality, however, we primarily had to organise and document a lot of what we were already doing.

The continuous effort does not come for free. The CIP, the monthly reviews, role alignment conversations, process documentation and training sessions require resources. Yet it consumes fewer resources than our previous state, because the rules are much clearer than they were a few years ago. The external audit serves as a necessary deadline, helping us to prioritise the changes we want to implement anyway. Without this external pressure, we likely would have kept putting off certain improvements.

[Image: Bar chart showing the categorisation of tasks on the CIP board: pending, ready, in progress and completed tasks]
Insight into CIP statistics: We continuously track initiatives aimed at improvement and optimisation. Everyone in the team can see at any time how far along each measure is.

The common thread: strategic annual planning

Today, the centerpiece of our continuous improvement is our strategic annual planning. It covers our corporate, regulatory, and organizational obligations, and broadly includes the following:

Strategic Direction

Every year, we analyze our business environment and derive our strategic focus, supported by frameworks such as SWOT and PESTLE. Based on this, we set strategic and operational goals, which in turn shape our team goals.

Governance

A continuous risk analysis ensures that we identify threats and opportunities early on. Customer satisfaction surveys, vendor evaluations, and employee performance reviews regularly provide insights that feed directly into our planning. Reviewing our annual financial statements and audits, as well as monitoring regulatory changes, are also permanent fixtures of this process.

Organizational Development

Our annual planning includes evaluating our KPIs, internal and external audits, and the CIP. Reviewing and further developing our ISO manuals, process maps, and internal wikis is also firmly scheduled.

A worthwhile investment – and an ongoing challenge

We estimate that we invest roughly 5% of our employees’ available working hours in this continuous improvement. It is an investment in a system that ultimately saves resources because roles, processes, templates, and rules are clear(er) to everyone, allowing us to steadily improve.

The ongoing challenge remains finding the right balance. Despite process documentation and audits, it is an ongoing task to provide clarity and structure while at the same time fostering the freedom and creativity that define us as an agency.

Conclusion: Certified processes as part of the Apps with love operating system

For us, certifications are not a necessary evil, but an integral part of the Apps with love operating system. The external audit is simply validation that our processes are running smoothly and stably. 

Furthermore, these certifications do more than just verify compliance with external demands. They also help us answer vital internal questions: How do we actually operate, and who carries which responsibilities? We have learnt that certifications serve as a testament to our quality and our commitment to high standards.

Want to know more about our experience with ISO certification?

We would be happy to tell you more about our ISO journey, what it means to us, and how it all played out behind the scenes.