ISO 27001 is an international standard for information security. Due to the emergence of ransomware threats and due to the GDPR introduction, many large companies have adopted the standard ISO 27001 and are asking/forcing their suppliers to become certified against this standard. This puts B2B startups in a difficult position: should they spend money on certification, or risk losing larger customers? In this article we discuss whether it is possible and valuable for startups and scaleups to implement ISO 27001.
ISO 27001 and other standards
ISO 27001 is a standard for an information security management system (ISMS): an ISMS protects your organisation's information assets against accidents, attacks and vulnerabilities. An ISMS is not a tool, but a set of documents and processes within your organisation. The standard applies to organisations, not products. It is typically required for SaaS companies that have access to their customers' data. For a company only producing physical products, it is less relevant.
Unlike GDPR, ISO 27001 is not a required standard. All companies handling personal data must implement GDPR, and that means that they must implement some information security measures. Companies can however choose how to implement these measures. The available options are:
- Make a policy based on / inspired by ISO 27001, without getting it certified. This is perfectly fine as long as you do not claim it is certified.
- Get ISO 27001 certified. This is feasible for small organisations, but there are some external costs: typically at least 5.000 euros for certification, and 5000 – 15000 for training and support.
- Use a different standard for your information security policy, such as PCI-DSS, the SANS CIS controls or Security Verified.
- Just do privacy based on AVG / GDPR and implement some security measures without an overall policy. This is not recommended in the long run, but is acceptable in the short run.
There are several standards derived from ISO 27001. The Dutch NEN7510 is an extension of ISO 27001 and this document is available for free. The Dutch BIO (Baseline Informatievoorziening Overheid) contains all the ISO 27001 control measures.
Which option is best for a startup depends on the phase that you are in. If you are still pivoting, it is probably too early even to set up an ISMS, since your processes will change. If you have 1-2 pilot customers, you should probably set up a basic ISMS and postpone certification. If you want to scale up to dozens of customers, getting certified can be very helpful: it will help you during the sales process and will save your customers time in their due diligence.
What is in ISO 27001
ISO 27001 has a main structure based on continuous improvement, typically done by plan-do-check-act. The following elements are required:
- Stakeholder analysis
- Leadership involvement. This is typically easy for startups.
- Risk analysis
- Risk treatment, based on a longlist of standard measures and custom measures for your company
- Defining roles and responsibilities and raising awareness
- Measuring results
- Internal audit program and management review
The standard was written to take company size into account, and it is therefore feasible for small companies to meet all the requirements. However, not all startups are good at writing things down and collecting evidence. Without this, it will be hard to demonstrate your compliance to an auditor.
Next to the required elements, you need to consider implementing many recommended control measures. Some of these are:
- Access management
- Secure software development
- Vendor management
- Business continuity planning
- Pen tests
Free ISO 27001 introduction training
With our company ICT Institute, we help large companies with information security and also review and help startups and scaleups. We decided to offer a free ISO 27001 training course specifically for startups and scaleups. Our goals are to make the world of ISO 27001 more accessible, and to support entrepreneurs that want to try to implement the standard themselves. The training is a 2-hour introduction to ISO 27001. The training is given by Sieuwert van Otterlo and me and will be in English. It is aimed at startups active in The Netherlands, since different regions have different legal situations.
The training will be held on the 4th of June 2021. SUBSCRIBE HERE: https://free-iso27001-introduction.eventbrite.nl/ Depending on the interest from the Dutch startup community, we will organize new editions.
Since this is a free initiative, we are also interested in help from other experts that want to help develop this initiative, for instance with additional training dates, templates, material or other ideas. We already have a page for free GDPR templates and also a series of articles on setting up an ISMS. We would like to expand this further with the help of other volunteers.
Photo by James Peacock on Unsplash