Aikido Security achieves ISO 27001:2022 compliance
We’re proud to announce that Aikido Security recently attained ISO 27001:2022 certification. This is a big milestone for us and demonstrates our commitment to information security.
What is ISO 27001:2022?
ISO 27001 is a globally recognized standard for establishing and certifying an Information Security Management System (ISMS). The 2022 version of the standard ensures that Aikido Security is aligned with current best practices in information security management. We specifically chose the 2022 version (over the 2013 and 2017 versions) because it places more emphasis on secure coding, threat detection and similar controls. These are items that we consider important and relevant to a software company.
Achieving ISO 27001:2022 compliance is a significant accomplishment for Aikido Security. It underscores our dedication to providing secure and reliable solutions to our clients.
Willem Delbare, CEO of Aikido Security
What motivated Aikido to pursue ISO 27001 certification?
We're a challenger in the security space, and one of the first things we ask of new customers is read access to their codebase. That's a big deal, and we understand (and agree) that it's a big deal.
For customers to comfortably trust us with their codebase, they need to trust us as a company and trust our product. Becoming ISO 27001 compliant is a huge leap forward in building and proving that trust.
What we learned on the path to ISO 27001 compliance
In a future blog post I’ll lay out my key learnings, but I want to take this opportunity to share some brief insights about our journey.
Our ISO 27001:2022 journey
We got through the whole process in about six months. We had previously implemented SOC 2, so we already had many policies, documents and best practices in place, and we were able to re-use and apply a lot of that work to our ISO 27001 effort.
Because we firmly believe in using the right tool for the job, we took a modern approach and used Vanta, which automates a lot of the work required to obtain ISO 27001.
Achieving ISO 27001:2022 demands patience and commitment. It's essential to surround yourself with reliable partners and gather knowledge beforehand.
Roeland Delrue, COO & CRO of Aikido Security
The high-level process
1. Internal audit (pre-audit)
You can think of the internal audit as a 'dress rehearsal' or 'mock audit' that makes sure you're ready for the 'real' audits. It checks that you haven't missed anything obvious that you would no longer be able to remediate in the later stages.
Quick tip: Use a good internal or external pre-auditor. This really helps you get set up correctly. Unless you have relevant and proven experience in ISO, it’s probably best to hire an external pre-auditor. Leveraging their experience will prove really valuable.
2. Stage 1 audit
Stage 1 is largely a “tabletop audit”: an extensive documentation review. An external ISO 27001 auditor reviews policies and procedures to ensure they meet the requirements of the ISO standard and of the organization’s own Information Security Management System (ISMS).
3. Stage 2 audit
Stage 2 is a full-on system audit with extensive control testing. The auditor performs tests to check that the Information Security Management System (ISMS) was properly designed and implemented and is functioning correctly. The auditor also evaluates the fairness and suitability of the organization’s controls to determine whether they have been implemented and are operating effectively to meet the requirements of the ISO 27001 standard.
After you’ve remediated your non-conformities, or drawn up an action plan for them, you’re ready for validation. ISO 27001 non-conformities are categorized as minor, major, or opportunities for improvement (OFIs). It is of course critical to show that you have remediated all major non-conformities, or that you are clearly on a path to remediating them.
And then... it’s time to get your certificate 🎉🥳
How long does it take to become ISO 27001 compliant?
You can’t do it in less than two months. And that assumes that you have everything ready to go, including a pentest and auditor.
Even then, you might need a few months to make sure you encounter enough information security events, as some processes can only take place when a certain event happens (e.g. onboarding or offboarding an employee).
You also have to show that you can remediate non-conformities and that you are able to collect evidence. For an information security event, this means identifying the event, logging and classifying it, and documenting it thoroughly.
How much does becoming ISO 27001 compliant cost?
Depending on how in-depth the pre-audit and pentest go, the whole process will typically cost you USD 20,000-50,000. You’ll need to pay for the following:
Pentest (you can re-use this from other compliance tracks, e.g. if you’re already doing one for SOC 2)
Compliance platform license (we definitely recommend using this)
The cost depends greatly on multiple factors, key ones being:
The size of your company (if you have lots of employees, processes, offices, developers, ... audit costs increase dramatically)
Cost of the pentest (USD 3-30k, depending on what type of pentest you do and who performs it)
Depth of the audits
Compliance platform (e.g. Vanta)
ISO 27001:2022 technical vulnerability management
On your own path to ISO 27001:2022 certification? Aikido Security fulfills the technical vulnerability management requirements of ISO 27001:2022. We also sync with compliance monitoring platforms (like Vanta) to ensure that your vulnerability information is always up to date. This means that you can rely on accurate risk assessment and efficient remediation.