ISO 27001 certification - getting there fast without compromises
That's usually the problem, isn't it? Whenever we are faced with wanting to achieve a particular goal we typically have to make the choice between doing it quickly or doing it properly. Sometimes, we can work out something in between that involves making sacrifices, but rarely can we achieve a goal both quickly and without compromise.
When it happens, we certainly feel like we've hit the jackpot! And that's exactly what it felt like when we here at Upscaler received our official ISO 27001 certificate from Certification Europe on the 10th August 2021.
We're certified 🙌
That's right! We are the proud owners of a shiny new ISO 27001 certificate. You can see the badge displayed proudly in the footer of our website and download the certificate from our brand new Trust Center. Perhaps you are thinking that we sound a little too pleased with ourselves since ISO 27001 certification is becoming more common with the shift in cyber security awareness and focus on better security practices. An increasing number of businesses are even demanding it as part of their procurement requirements when engaging with third-parties.
If you're a fellow SaaS company I'm sure you'll be all too familiar with this requirement by now, having been asked by your sales team for the umpteenth time when you're getting certified because yet another potential customer has asked for it.
So why is Upscaler so happy with this achievement? What makes it different?
Previous experience with implementing ISO 27001 aligned information security management systems has taught me one very important thing: it almost always takes longer than expected to attain certification. Nine months is typically quite good going, and probably the shortest timeframe in my personal experience prior to Upscaler. More often than not, it's going to take you closer to a year, and I've seen it take even longer for some.
With Upscaler, we had a specific imperative to become certified quickly. The reason was that certification was not only going to demonstrate our good information security practices to potential customers; it was also a proof of concept. Because, guess what? We're selling a management system to help our own customers achieve ISO 27001 certification quickly and efficiently! So we had to walk the walk, or as we like to say in Upscaler, eat our own dog food.
So here's the full truth and nothing but:
- We deployed the baseline documentation and templates we'd developed into our Upscaler tenancy on the 14th May 2021 and began tailoring our policies and procedures, populating our registers, and creating records.
- On the 31st May 2021 we had our ISO 27001:2013 Stage 1 audit conducted by Certification Europe and passed with only four opportunities for improvement (OFIs).
- We addressed those suggested improvements and continued our programme of internal audits, risk treatment, change control, secure development, security reviews, management review, and supplier due diligence.
- On the 20th and 21st July 2021 we had our two-day Stage 2 audit conducted (again by Certification Europe) and were recommended for certification. This time there were only three OFIs and again no non-conformities.
- On the 10th August 2021 we received official notice of our certification and our certificate.
That's thirteen weeks from getting stuck into operating our own information security management system to having the certificate in hand. And that's right - less than three months to successful certification! It does sound a little ludicrous, doesn't it?
Let's be honest - we've all heard the stories of organisations that fast-track their certification. Even if they don't go as far as purchasing a certificate from a certificate mill, some organisations get things done quicker by not strictly practising what they preach, or by addressing the biggest issues while neglecting smaller ones.
But approaching the implementation of an ISO 27001 aligned information security management system with that mindset is defeating the entire point of the system - which is to help you identify and manage your information security risks. Quite frankly, if you're not operating your management system as set out in the standard you're going to have unmanaged risks which are just ticking time bombs. When that inevitable breach happens you won't be able to demonstrate that you'd done everything within your power to prevent it.
That's not a position that Upscaler is willing to be in, and certainly not a position we would want any of our clients to be in, either. That means that the implementation of our management system has always been about doing it the right way, without compromises. A testament to that is our Stage 1 and Stage 2 audits with no non-conformities.
As for the opportunities for improvement, well, we really appreciate those as they help us improve not only our own management system, but the solution we provide to our customers. Bring it on!
You knew this was coming, didn't you? Of course there is a catch, but I think you already know what that catch is. It's you. That's right, the catch is that your own business requirements, structure, and workforce are not our business requirements, structure, and workforce. So our specific challenges are not entirely your challenges.
The requirements of the ISO 27001 standard are designed in such a way that it should be possible for any type and size of organisation to implement them. However, depending on the size and complexity of your organisation, it may not be possible for you to achieve certification in the same timeframe that we did.
You will certainly benefit from having the same starting point, though: an ISO 27001 management system complete with comprehensive documentation, registers, and records, not to mention the support that we provide. It's the same management system we deployed to our own tenancy back in May, along with a growing list of improvements and guidance documentation. And it's a management system that we can now say has been officially audited.
The only thing left for you to do is commit to the implementation and assign suitable resources to it. So what are you waiting for?
I'm going to bring us back around again by reminding you about our successful certification. Did you think I'd let you forget? If you're as proud of your business achievements as we are, then you wouldn't want people to forget about it either.
ISO 27001 certification is rewarding in many ways. It's a clear signal to your customers and business partners that you take information security seriously and that you're listening to their concerns. It's going to truly help your organisation to minimise information security incidents and reduce the potentially costly and damaging consequences of unmanaged risks. And you're also going to help your employees gain knowledge and awareness that will benefit their own professional development.
Now, we know that committing to ISO 27001 certification means embarking on a journey that never really ends, as you maintain your management system and certification indefinitely. That makes it sound more like a test of endurance, doesn't it? Particularly when it doesn't seem like there's a finish line you cross for that big reward.
Well, that's not true, is it? We just listed a number of rewards you can gain from simply staying on that road and reaching the goals you set along the way - and that's definitely worth celebrating. Here at Upscaler we're looking forward to continuing our journey, and we hope you'll come along for the ride!
If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them with their ISO certification in any way that we can.