ISO 27001 is not the final frontier - learn what enterprise SaaS buyers want next
At Upscaler we often talk about how the compliance landscape for SaaS companies starts with information security, but doesn't end there. The question then naturally arises: where does it end?
We've been thinking about this lately and have come to the conclusion that quality management is the next, if not final, frontier of compliance for SaaS companies.
Let's explore this a little.
A license to do business
Every established industry must meet a fundamental or core compliance need. We can think of this as a 'license to do business'. In many industries the fundamental compliance need is health and safety. Examples include the manufacturing, construction and transportation industries. If you're a construction company and you don't follow health and safety regulations then it won't be long before you're out of business.
In the financial services industry it is financial conduct. In the crop production, textile and precious metals industries it is sustainability. In energy production, such as the oil and gas industry, it is the environment. Within the SaaS industry it is, with little surprise, information security.
Information security compliance in SaaS is your license to do business.
SaaS is interesting though, because it is such a new industry. It has been around for a very short period of time relative to others. Apart from the protection of personally identifiable information (PII), the core compliance needs within the SaaS industry are commercially driven, not regulatory. There is no law as such that states that you must have a certified information security management system in place to protect your customers' CRM data, for example.
So, we put these systems in place, and achieve ISO certification, because our customers expect us to do so. In effect it is the market that issues us with our license to do business, not governments.
Separating the cream from the crop
Once the fundamental compliance need, or license to do business, has been met the question then arises - what next? What must we now do to up our game and gain a competitive advantage over our peers?
To answer this, we only need to look at what has happened in all other established industries. Once the fundamental compliance needs have been met, the next level up is the application of quality principles and quality management. Specifically, we mean ISO 9001 for quality management and its many sector specific variations.
Whereas legislation and regulations drive the core compliance needs within most industries, it is the market that drives the need for quality management. Our customers raise the bar, and those that have what it takes to reach that bar are those that excel.
Current state of play in SaaS
These changes are already happening within the SaaS industry, although there is still some way to go. A sizeable percentage of SaaS companies have yet to come to terms with the importance of implementing an information security management system (ISMS), let alone a quality management system (QMS). Then there is the lack of legislation or regulation, other than for personal data and payment card data, enforcing those fundamental information security requirements.
But changes are afoot on that front, at least in some highly specific cases. For example, in 2020 the United States Department of Defense (DoD) mandated that its circa 250,000 vendors within the Defense Industrial Base (DIB) become certified to the new Cybersecurity Maturity Model Certification (CMMC) standard. CMMC is the DoD's next step to ensure and enhance national security, following the cybersecurity requirements added to the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016. As an aside, the DoD subsequently indicated that it intended to pursue reciprocity with existing standards such as ISO 27001, so that an existing certification could count towards CMMC.
We expect such regulations will only increase in the future and will directly and indirectly impact SaaS companies, accelerating the need to meet those core compliance requirements within the sector.
Evidence of change
Coming back to quality management, there are some other indicators we can look to for an appreciation of where things are heading. The requirement to have a quality management system (QMS) is becoming increasingly prevalent within SaaS purchasing RFPs. Go ahead and take a look at the last three RFPs that you received from an enterprise prospect.
We expect that at least one of them will have specifically requested a formalised QMS to be in place as part of their purchasing criteria. It will be a while before we see the lack of a QMS become an outright disqualifying factor, as is already the case with an ISMS. But when your response is weighed up against the responses of competitors that are already certified to ISO 9001 then, all other things being equal, it doesn't bode well for your prospects of winning the tender.
What you can do now to prepare
So what should a SaaS company do now, to prepare for this next wave of industry expectations coming down the line?
First, you must get your license to do business. This means putting in place an information security management system (ISMS) and getting certified to ISO 27001. Compliance with information security in SaaS is akin to compliance with safety regulations in aviation. It's only a matter of time before you'll be disqualified early in the procurement process for not having it.
Once you have achieved this, taking the next step to achieve ISO 9001 for quality management is not as arduous as it may seem. ISO 9001 integrates closely with ISO 27001 because both are built on the same underlying framework: the ISO harmonised structure (formerly known as Annex SL), which gives every ISO management system standard the same clause layout for context, leadership, planning, support, operation, performance evaluation and improvement. So you'll already have in place a lot of the structure that you need for your QMS.
The good news is that Upscaler provides a complete management system out of the box for both standards. You can adopt them at the same time as an 'integrated management system'. Or, as we would recommend, start with ISO 27001 and then add ISO 9001 later when you're ready.
Either way, you'll end up with a highly efficient and streamlined management system. One that will greatly impress your customers, keep you leagues ahead of your competition and help you win more deals.
If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.