Yes, initially getting certified is quite a process and each year there's an
audit but does it help companies see you as more secure? Will it get you more
customers? If you're working with health or financial organisations then it'll
help you pass their security requirements faster, so yes it does but.... you
can prove you're secure in other ways by running your own checks and
documenting them.
Related: Why SaaS Companies Create White Papers for Enterprise
Sales
Summary of ISO certification process.
Step 1: An auditor from an independent certification company turns up and
works with us for 3 days. They ask questions about physical and software
security. It can be faster but it depends on the auditor you end up with. They
submit an initial report and we have a number of changes to make to our
security setup.
Step 2: Later that year another auditor turns up for one day and makes
sure we have met the initial requirements. He helps us set up the paperwork
for the first internal audit which will take place the following year.
Step 3: Through the year, until that next audit, you need to do the
following:
-
We do a 6 monthly or minimally annual management review of key security
requirements the ISO certification requires. There's a 1 page template for
this. -
We maintain an asset register.
-
We maintain an internal audit log.
-
We maintain a change management log.
-
If you do have lots of incoming and outgoing staff then you also need to
update the staff logs on whether they've been trained on security and a
leavers checklist for when they leave, so you remove them from all systems
cleanly.
How much time does this all take up?
Sounds like a lot? Not really.
It can take a few hours depending on your setup.
We have a 24 hour guarded secure building, a locked office, password managers,
we store minimal customer data, have minimal staff turnover and in short are
probably one of the easiest audits to run.
If you are a larger fast growing SaaS company then there will be more work
required but if you prepped and organised the paperwork properly and remember
to update the logs, it's simple enough.
Why is it useful?
If you're working with health companies then the ISO certification helps cover
parts of their HIPAA requirements for compliance.
If you're working with financial companies, they'll sometimes send you an 8
page or even 60 page security form to fill out or ask for your security set up
and you can send them a summarised version of your existing ISO docs. It
certainly makes filling out the security docs much simpler.
Does this help us get more sales? Yes.
We've just closed a minimal 100k annual deal and we would not have passed
their 200 question security doc (yeah, seriously) without having security
processes in place and we know the company passed up on a competitor as they
did not take the security form seriously.
Health and financial companies are not just ticking the box, they have legal
requirements to keep customer data secure and given a choice between 2
companies, as someone who is managing a department and could get fired for a
bad choice, you'd go for the safe option. That said, the other company may not
be certified but can still prove it cares about security.
Alternatives to certification? You can show you are serious about security
without certification.
If you've ever received one of those 8 page security questionnaires from a
prospective customer you'll know roughly what they're concerned about.
You can also see plenty of the ISO checklists online. They'll cover physical
security requirements (lock the damn office door, close your laptops, don't
leave important papers on the desk), password managers, staff checks and more.
Do them, document them, publish them.
Upscope has a security page linked to its home
page and many people read it and are often
directed to it when they ask security related questions. Some companies want a
lot more information and in one case we've also had to send over a stripped
down copy of our asset register and other docs.
Overall, ISO audits still feel like they're built for older larger
corporations and not modern small SaaS companies where everything is in the
cloud. That said, the staff checks, leavers checklist, using a password
manager and a few other items do apply. We do these naturally as we're all
sitting next to each other but as we grow we can see how these will become
more important.
Should you get SOC2 certified?
We're hearing that SOC2 is very useful if you're working with finance
companies in the USA and it's a more in-depth security process for modern
cloud companies so we're undergoing SOC2 certification as well.
The great thing about SOC2, which we had not known before, is that a number of
companies supply software for SOC2 audits that makes the whole process easier.
In fact, we wish we had this from the start. Companies like Drata, Vanta and
VGS supply software that generates policies, helps you edit and maintain them
and can export reports which you can send to clients to prove your security
credentials.
Note: These companies are also expanding into providing support for ISO so
it's worth checking them out first e.g. https://drata.com and
https://vanta.com
