Any reactions, thoughts or advice would be greatly appreciated. (To be honest, simply writing this has been therapeutic!!) I am the sole software developer in an organisation that offers a cloud-based service. Our service consists of off-the-shelf products combined with software which is developed in-house. Our customers interact with (and rely on) all these pieces of software. Before I joined, development of the in-house software was outsourced to a company in India. No controls were in place and there was no reference to the software or it’s development in the BMS. The BMS only referenced the off-the-shelf products that form only part of our service. I joined the company to take over the development of the in-house software. I identified that the software and its development should be covered in the BMS. I also suggested that some processes and controls should have been in-place when the software development was out-sourced. It didn’t take long for me to realise that no-one in the company really buys into (or understands) the idea of quality management. They just see it as a box ticking exercise. Top management believes that it was not their fault that software development was in no way included in the BMS. In fact, suing the quality management consultancy / accreditors was mentioned. They believe that accreditation was simply something that they paid for and that ISO 9001 is generally meaningless. When I attempted to explain issues relating to software quality management it was clear that management did not want any overhead. It was implied numerous times that I was over-complicating things. It was even suggested that we could get around the issue by setting up another company, which was not ISO 9001 accredited, and out-sourcing development to it. Nearly 12 months later and no real progress has been made to determine/produce appropriate processes and controls for software development. Anything/everything else has taken precedence. During this time, we have had our first surveillance audit. During this audit it was clear to me that everyone intentionally avoided the subject of our own software and its development. There were no real problems raised during the audit. Aside from the software development dimension, I was very surprised that the audit went well. The processes and controls defined in the BMS are poor, out-of-date and not used. Records are created just before the audit. I consider that we were very lucky. I should mention that our BMS also covers our ISO 27001 accreditation.