The 3 key problems of getting an ISO 27001 certification
Conny is the CEO of a startup that has just raised its Series A round and is about to close its first big enterprise client. Conny gets on the call full of excitement and with the goal of closing the deal, but the first question she is asked is: "We'd like to work with you, but how can we trust that your company is secure? Do you already have an ISO 27001 certification in place? We will need this as part of our due diligence."
Conny looks astonished. She remembers reading something about ISO 27001 before, but doesn't really know how to comply with it.
After the call, Conny immediately gets on a call with Steve, her CTO, to discuss how to get the ISO certification fast. After talking to several people, they realize that this process is not as easy as she thought…
ISO 27001 is an excellent starting point for organizations that want to implement the technical and organizational measures needed to reduce the risk of a data breach. However, it can be a complex, time-consuming and manual process.
Over lunch, Conny and Steve had the following conversation:
Conny: Can you imagine that we have to monitor everything to get and keep that ISO 27001 thing?
Steve: No, what the heck. We don't have the capacity to do that.
Conny: Yeah, but if we don’t do this we will lose this big client. We need to do something, Steve...
Steve: Yeah, I know. I’ve been talking to some friends but they told me it took them a year to get the certification.
Conny: What? A whole year? We need to close the deal with the client ASAP. We don't have that much time. (Conny eats her pasta uncomfortably)
But what to actually do… And how do I get started…? Where do I find all this information? Who do I ask or contact? I don't have a damn clue, and my tummy is hurting from this pasta. Poor Conny!
But why is Conny so afraid and worried?
Here are the 3 key challenges of getting ISO 27001 compliant:
1. Many companies are clueless about how to start or where to look first.
Small companies such as startups and SMEs have no guideline or specific checklist that tells them how to get certified for ISO 27001. Thus, the only options are to do it themselves or to hire an expensive IT consulting company to advise them and guide them through the certification process. For a company with, say, 100 employees, this can cost at least 100,000 EUR per year. A smaller company with 30+ employees would pay between 25,000 EUR and 50,000 EUR.
2. A great deal of documentation is involved.
The process is manual, time-consuming, and error-prone. Companies need to write hundreds of documents from scratch about the company's security posture and also implement the documented processes within the organization. This could cost a small company or startup at least 8-15 hours of work per week.
3. It is difficult to remain compliant.
After companies are done with the audit, they think it's over. But no: it is a continuous process that needs to be repeated every year.
These are the phases to become and remain ISO 27001 compliant:
Companies need to keep all documents up to date, and the organization needs to build and live its security culture. The main problem is that many companies, especially startups, are growing every year and changing their processes constantly. So, imagine how difficult it is to keep everything up to date if you're hiring 20-30 employees per month.
Even though Conny is afraid of possibly getting a stomach ulcer, an ISO 27001 certification is the optimal solution to win their new enterprise customer and strengthen security in their organization. Ignoring or not fully complying with ISO 27001 can be costly for your business.
So, how can you deal with these 3 main pain points of an ISO 27001 implementation?
Get ISO 27001 compliant with Secfix in weeks rather than months.
Our mission is to automate security and compliance for small and medium-sized businesses: we help SMEs build their own ISMS (information security management system) and automate security standards such as ISO 27001 and SOC 2.
Additionally, we have a pool of trusted and verified auditors and ethical hacking companies from Europe that offer pentests. We guarantee security and work with top-notch penetration testers only.
Get in touch with us and you will not have a stomach ache!