
ISO 27001 introduction for startups and scaleups

ISO 27001 is an international standard for information security. Because of the rise of ransomware and the introduction of the GDPR, many large companies have adopted ISO 27001 and now ask, or require, their suppliers to become certified against it. This puts B2B startups in a difficult position: should they spend money on certification, or risk losing larger customers? In this article we discuss whether it is possible and valuable for startups and scaleups to implement ISO 27001.

ISO 27001 and other standards

ISO 27001 is a standard for an information security management system (ISMS). An ISMS protects your organisation's information assets against accidents, attacks and vulnerabilities. An ISMS is not a tool, but a set of documents and processes within your organisation. The standard applies to organisations, not products. It is typically required of SaaS companies that have access to their customers' data. For a company that only produces physical products, it is less relevant.

Unlike the GDPR, ISO 27001 is not legally required. All companies handling personal data must comply with the GDPR, and that means they must implement some information security measures. Companies can, however, choose how to implement these measures. The available options are:

There are several standards derived from ISO 27001. The Dutch NEN 7510, the healthcare-sector extension of ISO 27001, is available free of charge. The Dutch BIO (Baseline Informatiebeveiliging Overheid, the government baseline) contains all of the ISO 27001 control measures.

Which option is best for a startup depends on the phase you are in. If you are still pivoting, it is probably too early even to set up an ISMS, since your processes will change. If you have one or two pilot customers, you should probably set up a basic ISMS and postpone certification. If you want to scale up to dozens of customers, getting certified can be very helpful: it will help you during the sales process and will save your customers time in their due diligence.

What is in ISO 27001

ISO 27001 has a main structure based on continuous improvement, typically implemented as a Plan-Do-Check-Act (PDCA) cycle. The following elements are required:

The standard was written to take company size into account, so it is feasible for small companies to meet all the requirements. However, not all startups are good at writing things down and collecting evidence. Without this, it will be hard to demonstrate your compliance to an auditor.

In addition to the required elements, you need to consider implementing many recommended control measures. Some of these are:

Free ISO 27001 introduction training

With our company ICT Institute, we help large companies with information security and also review and help startups and scaleups. We decided to offer a free ISO 27001 training course specifically for startups and scaleups. Our goals are to make the world of ISO 27001 more accessible, and to support entrepreneurs who want to try to implement the standard themselves. The training is a 2-hour introduction to ISO 27001. It is given by Sieuwert van Otterloo and me and will be in English. It is aimed at startups active in The Netherlands, since different regions have different legal situations.

The training will be held on the 4th of June 2021. SUBSCRIBE HERE: https://free-iso27001-introduction.eventbrite.nl/ Depending on the interest from the Dutch startup community, we will organise new editions.

Since this is a free initiative, we are also interested in help from other experts who want to help develop it, for instance with additional training dates, templates, material or other ideas. We already have a page with free GDPR templates and a series of articles on setting up an ISMS. We would like to expand this further with the help of other volunteers.

Photo by James Peacock on Unsplash

Jelle Hoekstra
