ISO 27001 certification
by JordiAs a tiny bootstrapped company, it was a long road from reading up all we could find about ISO 27001, to drawing out all the documentation and processes required, to finally getting certified. It's been almost two years, but even as a small company, you can do it!
Here is how we did it and how I would recommend doing it:
- Read all we could find about it on the internet. There are many good articles to help you understand which are the steps and how much work it's actually involved. Spoiler alert: a lot!
- Read the ISO 27001 and ISO 27002 standard documents all the way, to make sure this is actually what you want to do.
- Purchase a set of template documents that will help you get started writing. - Documentation is a big part of the process, and getting some scaffolding was a great way to avoid writer's block and make sure we didn't miss anything important.
- Lay out a plan and execute it. This is actually part of the ISO 27001 implementation itself: make a list of all the things you need to do and cross them, one at a time. The list might seem very long, but do not shy away. It took us a bit longer than one year, but we got it all done.
- Hire an external auditor to get your certificate.
- Rinse and repeat: keep running the processes, and improve them over time, in order to keep the certification.
Some benefits we experienced by implementing ISO 27001 in Bugfender:
- Increased uptime: in the last two years, we have only experienced a major outage of 5 hours, with no data loss.
- Better team coordination: better processes means everyone knows what to do and when. This is an immediate benefit every day, but is especially important during a crisis.
- Increased trust from clients: especially, some corporate clients will only purchase from certified ISO 27001 or SOC 2 vendors.
-
2
Congratulations on the certification.
I wonder, could you break down the external costs for the whole process, like for example the cost of the external auditor, any other fees to pay to some regulations bodies or any other costs apart from the hours that you and your co-founder had to put in?
-
2
The cost of the external audit depends on the activities your company does and the number of employees. There is an ISO norm also on how to calculate this, and the auditor will use it to give you a quote (I think ISO 19011, not sure). For a small company, you can count something in the range of ~5-20k€ every 3 years.
You will also need an "internal auditor", which will cost you around ~2-5k€ more, per year. In theory, the internal auditor can be someone from your own company, but they can not be involved in the processes being audited, to avoid conflict of interest, which in a small company is usually not possible.
Most of the cost comes in form of time: you will need to sit down with the people involved and figure out how you're going to implement the required processes, then implement them. That's a lot of person-hours in meetings, writing documentation, setting up tools, etc. In our case, we estimate it was around 500 hours.
In this process you might also find that you need some tool. We're using some paid tools, but we got away mostly with open source software, implementing our own tools for certain simple things, or doing things manually.
There's also a cost associated with keeping the system in place: for example, you need to continuously train the team, review logs, maintain performance metrics for key suppliers, etc. That varies a lot depending on the processes you set up in place and how automated they are.
-
2
Thanks for the thorough answer, it was very valuable to me.
-
-
-
1
What resources did you use for this checklist? I'd be interested in following suit.
-
1
Much respect @Jordi!
I worked with a venture-backed startup a few years ago to help them tick off the last few checkboxes on their way to SOC 2 certification, and it was a ton of work. I can only imagine doing it on a shoestring budget as a bootstrapper. Well done!
Have you seen any uptick in business? Have there been customers that you know for a fact you wouldn't have gotten without the certification?
-
1
We just got the certification, so it's not easy to tell yet how much it's going to impact business.
We know for a fact that medium-large companies ask for it, so I'd advise looking into certification if your target customers are in this segment. Some will not buy unless you're certified, whilst some others can do if you fill in their vendor security assessment questionnaire.
The reality, though, is that you're likely going to have a hard time filling in these questionnaires if you didn't do all the compliance legwork first (things like "please explain your disaster recovery process" or "do you perform screening on your employees before hiring?").
For a while we were ISO 27001 compliant but not certified, and that worked well enough. The certification is just a tiny part, the culmination of that work in a document you can show that says you did all that.
-
The exact prompt that creates a clear, convincing sales deck
Post-launch lesson: traffic came, activation didn’t
I Stopped Browsing Reddit Randomly. Here's the Keyword Monitoring System That Actually Gets Me Customers.
For indie hackers: Outsource marketing or do it yourself?