A helpful ISO 27001 quick-reference guide for busy SaaS founders
Are you a founder or executive of a growing SaaS company? Do you need a simple explanation of ISO 27001 and what it means for your business? If so, you've come to the right place. We have prepared this short guide especially for you.
Let's get started.
What is ISO 27001?
ISO 27001 is an information security certification for companies that hold and process important data. It prescribes a set of best practices that relate to the security of your company's own information systems and your customers' data. It standardises how you approach the management of your information security risks, and sets out what good looks like.
Why do I need it?
It will help you keep valuable data safe, whether it is your own or data you hold and process on behalf of customers. A breach of customer data is a significant breach of trust and, depending upon the severity of the incident, can lead to the wind-up of your business.
Having said that, the more typical motivation for adopting ISO is that it will help your company grow. Buyers of SaaS solutions are now insisting on it to reduce their risk. And your competitors already have it. So, if you want to compete at the same level as your peers and give your potential customers the assurance that they need then you must get it.
How do I get it?
You implement the requirements of the standard within your company. This means putting in place a more formal structure around how you handle and process data throughout your organisation. It means introducing new security focused policies and procedures that describe what you do and how you do it. It also means collecting records to evidence that you are in fact doing what you say you are doing.
Once you have implemented the requirements of the standard in your company, you can then proceed to certification. This involves an audit of your systems by an outside firm and, if you pass, you will get your certificate.
Does it end there?
Not quite! Following your initial certification audit you will get your ISO 27001 certificate. This is a great achievement and you will be very proud of your team when that time comes. But certification is not a one-time event. You must prove that you are maintaining your information security management system to the level required by ISO on an ongoing basis. This involves shorter surveillance (check-up) audits that take place every six months.
After three years you will undertake a full recertification and the audit cycle starts again. In short, ISO certification is a journey that never ends.
How long does it all take?
The industry benchmark to achieve certification is approximately 12 months. Of course, this timeline depends on many factors. These include:
- The size and complexity of your business.
- Internal resources available to you.
- How committed your management team is.
- What external supports you may have.
- How strong the commercial drivers are, etc.
By using Upscaler's solution for ISO compliance you can do it in about half that time.
Why does it take that long?
The implementation of ISO within your organisation requires change. You need to plan and introduce that change the right way. You also need to do it within a business that is already fast moving and changing all the time.
Furthermore, nobody in your company can afford to work on this full-time. At best, it is a part-time endeavour for the project team members. Then, you have the logistics of the audit process itself. Your audit will be conducted in two stages, with a bedding-in period required between the two.
Finally, all companies spend the first couple of months trying to find their feet and figure things out. So, on average, unless you are using a solution like Upscaler it takes about a year.
What kind of resources do I need?
This depends upon which road to certification you take. Let's assume that you are a small SaaS company with up to 50 employees and you are using Upscaler. You need to assign one 'point person' with responsibility for management system implementation.
This person can be an existing team member with good organisational skills and enough time to devote to the project. If they are competent, the time required could be as little as a few hours per week. They don't have to be a software or security expert, but a basic competence level in both is desirable.
To be on the safe side, we recommend that clients budget for up to a third of that key person's time. Most of the time required will be during the management system planning and implementation phase. Once you have achieved your certification, focus shifts to the ongoing operation of the system.
The great thing about using a solution like Upscaler for ISO compliance is that it ensures oversight and helps you pass your ongoing audits. It does this by making sure that you conduct activities when you are supposed to, and that you maintain compliance.
Finally, one crucial point you must remember is that the buck stops with your CEO and executive team. They are ultimately responsible and accountable for the success of the project. They have to be totally committed to the endeavour if you are to be successful.
How much does certification cost?
For smaller SaaS companies the audit timeframe is typically 3 days for the initial certification audit. This is split into two stages a few weeks apart. Thereafter, 1-day surveillance (check-up) audits will take place every six months. With daily audit fees ranging from €1,500 - €2,000, you should budget for approximately €6,000 in year one, and €3,000 - €3,800 in years 2 and 3, at least. In year 4 you need to undergo a complete recertification and the audit cycle starts again.
To be sure of the certification costs for your business you should get a quote from a certification body (CB). These are the firms that are accredited to conduct ISO certification audits. Their fees are determined by the number of days required to conduct the audit and the daily rate that they charge. The number of audit days will depend upon two main factors.
The first is the size and complexity of your organisation. There is a big difference between a 10-person remote team with a simple web app, and a 100-person corporate office with a suite of enterprise services. The second factor is the scope of the management system certification. In other words, how much of your systems will be covered under the ISO certification.
An important point to remember is that certification is a competitive industry and if you are not happy with a quote you can shop around. It's especially competitive nowadays since the audits are mainly performed remotely.
What other costs can I expect?
Again, let's assume that you are a small SaaS company of up to 50 employees and you have partnered with Upscaler. ISO 27001 is an internationally recognised information security standard with some fundamental expectations, some of which will carry a cost. These can include, for example:
- Regular vulnerability testing of your software.
- Endpoint security installed on your devices.
- Web application firewall protecting your app.
- Security & awareness training programmes for your staff.
- And more.
In our experience, SaaS companies tend to be doing much of this already. If you are not, then you should be doing so irrespective of ISO 27001. Where you identify gaps you may need to buy some third party solutions to close them, but none of these have to be expensive.
Besides the above there is also the time cost. A certain amount of time will be required of your team, especially in the lead-up to certification, and also to maintain it thereafter. You should budget for up to one third of a key person's time throughout the duration of the implementation phase.
The new processes and procedures associated with ISO will have a marginal impact on people's time across the board. But this is time well spent and, with a solution like Upscaler, will become normal - like locking the door when you leave your house.
How can I justify this expense?
How do you justify exhibiting at a conference, or hiring an account executive? Let's be clear: ISO 27001 is an investment in sales and marketing.
You're implementing ISO because:
- Your customers demand it.
- You're losing ground to competitors that have it.
- If there is a serious security failing it can put you out of business.
We encourage you to look upon the costs associated with ISO certification as a necessary investment in growth. Costs associated with our own ISO certification fall under the S&M line on our P&L, and you should look at it the same way.
What other compliance certifications might I need?
Achieve ISO 27001 certification and you are most of the way there. However, we are seeing a new wave of industry expectations coming down the line. This is based upon our own experience on the front line of SaaS, and on the many other companies that we have surveyed.
One of these expectations is ISO 9001 for quality management. After you have achieved ISO 27001 and are ready to step it up another level, Upscaler offers solutions for other standards too. Combined, these ISO standards will position your company as a game changer within your sector. They will open the door to any type or size of customer that you can handle.
What about SOC 2?
With ISO 27001, you don't need SOC 2. And when making a decision between the two we would always recommend that you go with ISO 27001. There are many reasons for this including the fact that it is more easily integrated with other standards such as ISO 9001 and ISO 22301. It also costs less and is widely accepted internationally. We have written in depth about the differences between ISO 27001 and SOC 2.
How will it change us?
In the early days of your SaaS company you are holding everything together with string. But there comes a point where you must transition as an organisation and become more process driven. This is how ISO certification will change your company, and for the better.
ISO provides you with the tried and tested structure that you need to mature and operate at the level expected in most other established industries. You know you have to grow up at some point, and it is very difficult for SaaS founders to drive that transformation on their own. ISO provides you with the playbook that you need to make it all happen.
What are the benefits?
You'll sleep better at night knowing that you are doing all the right things to keep your customers' data safe. With ISO in place the risk of something serious going wrong is significantly reduced. This is one of those intangible benefits, like your health, that you never fully appreciate unless you lose it.
There are usually strong commercial drivers for implementing ISO too, such as demand from current and prospective customers. So the other obvious benefit is increased revenue. Oftentimes the impact of this is virtually immediate, as you win more deals with certification in hand. You'll also level the playing field with your competition, and open up new markets that may not have been available to you before.
What are the drawbacks?
As you put in place the formal ISO processes you may experience a temporary slowdown in agility. The days of one person being able to ship an update to production while bypassing any checks and balances are pretty much over. But this is the kind of positive trade-off that you are making in growing up.
You need to put real business processes in place that reduce risk and meet international best practice. It won't be long before your organisation becomes accustomed to the new ways of working. You will be as agile as you need to be for the customers that you are serving.
One could argue that the cost of ISO is also a drawback, but we see this as an investment in growth with a clear expected return on that investment.
Ok, how do I get started?
The first step is to talk to us here at Upscaler. We'll point you in the right direction, even if we are not the perfect fit for you. We love to talk with SaaS companies and help them on their journey in any way that we can.