Aikido has just gone through the process of becoming ISO 27001:2022 and SOC 2 Type 2 compliant. And one of the things we wish we’d had was some practical, no-nonsense advice on how to get started. Best practices, things to watch out for - basically tips from someone who’d already been through the ISO 27001 certification process.
That’s why we’ve written this blog post: to help anyone at a SaaS company looking at becoming ISO:27001 compliant.
8 things we learned during the ISO 27001 certification process
1. Know what you’re getting into
If you’ve never done this before, the first thing to do is ask your friends and business acquaintances. You’ll probably find someone who has gone through the process, so hit them up and get advice.
If you really can’t find anyone, you can make contact with a pre-auditor. Just be aware that they will understandably try to sell you services.
Either way, it really helps to get a good sense of how it all works. This will save you time in the end and help you get your ISO 27001 certificate faster.
2. Communicate that you’re working on implementing ISO 27001
People appreciate it when you mention you’re in the process of implementing ISO 27001. They’ll be eager to know that there will be less for them to worry about in the near future. And that will in turn help your sales and conversions. So mention this on your website, in sales conversations, on LinkedIn, and more. Let your users know that you’re making your product more compliant.
3. Decide which ISO 27001 standard to implement (2013, 2017, or 2022)
The 2022 version has considerably more controls regarding secure coding and software security (e.g. malware detection is a new control). This means it involves more work to implement than an older version. If you go for the newer standard, it will require more controls, but you’ll already be prepared for the future. So it’s probably better to go for the 2022 version.
Quick tip: ISO 27001 certification needs a full audit every three years. That means that it’s best not to go for ISO 27001:2013, as it’s only valid for another two years.
Each version of the ISO 27001 standard also frames the risk management process differently. The 2022 version includes updated certification requirements that reflect evolving cybersecurity risks. That makes it important for companies to have a robust risk management process in place to identify, assess, and mitigate these risks.
Note that, if you’re a big, mature company, you might prefer to go for the 2017 version, as it’s more established and might lead to less disruption in your existing processes.
4. Don’t outsource everything
It’s risky to outsource the whole process. Even though it’s possible to hand it all to a consultancy, I would advise against this. Sure, a consultant can definitely help, provide templates, and that kind of thing. But if you outsource everything and then encounter a problem, you need to know how to handle it yourself. My advice is to have at least two, and up to four, people from the company involved.
Quick tip: Remember that the final audit must be carried out by an accredited certification body!
5. Get a pentest that makes sense for your company
If you’re a software company, you should choose a pentester to focus on things that are not covered by automated tooling like OWASP ZAP. Go for pentesters with bug bounty hunter experience, rather than “old-school” pentesters.
6. Leverage compliance standards and accelerate
Already being SOC 2 compliant makes it faster to become ISO compliant. And it’s good to know that, if you’re ISO compliant, complying with NIS2 (a new regulation applicable in the EU) will be easier.
Quick tip: Double-check that your auditor has been audited (it’s a requirement). Don’t settle for someone without the right credentials or you might get duped.
7. Realise that nobody’s perfect
The eventual audit will always find non-conformities and it’s OK to be imperfect. But you have to know about those imperfections and make sure you have a formal action plan to resolve the issues. It’s a continual improvement process that will ultimately lead to better security throughout your company. Sure, you might never attain “perfection” but you should do your best to get there!
8. Start early with implementing tools that cover ISO controls
If you’re considering going for ISO compliance, it’s always a good idea to do a trial run of the tooling that will help you cover certain controls (and also produce the evidence you need).
For example, ISO requires you to implement some processes regarding people: onboarding, offboarding, background checks, and assigning and retrieving company assets. Having these processes implemented in a human resources information system (HRIS) such as Officient, Personio, or Workday will help you hit the ground running the moment you need to produce your evidence for ISO.
It’s the same thing with Aikido, which already performs checks on 22 controls and generates a comprehensive ISO 27001 report. It’s another great example of getting a head start on preparing for your ISO.
ISO 27001:2022 technical vulnerability management
On your own path to ISO 27001:2022 certification? Our platform, Aikido Security, fulfills all technical vulnerability management needs for ISO 27001:2022 applications. We’ve also decided to partner with compliance monitoring platforms (like Vanta or Drata) to easily sync the data and ensure that your vulnerability information is always up to date. This helps you easily stay on top of your security posture.
I hope this blog post is helpful to you. I certainly wish I knew all of these tips when we started the process. If you’re exploring ISO certification, connect with me on LinkedIn and I’ll be glad to share my insights!