Yes, initially getting certified is quite a process and each year there's an audit, but does it help companies see you as more secure? Will it get you more customers? If you're working with health or financial organisations then it'll help you pass their security requirements faster, so yes it does, but... you can prove you're secure in other ways by running your own checks and documenting them.
Summary of ISO certification process.
Step 1: An auditor from an independent certification company turns up and works with us for 3 days. They ask questions about physical and software security. It can be faster but it depends on the auditor you end up with. They submit an initial report and we have a number of changes to make to our security setup.
Step 2: Later that year another auditor turns up for one day and makes sure we have met the initial requirements. He helps us set up the paperwork for the first internal audit which will take place the following year.
Step 3: Through the year, until that next audit, you need to do the following:
- We do a six-monthly, or at minimum annual, management review of the key security requirements the ISO certification requires. There's a 1 page template for this.
- We maintain an asset register.
- We maintain an internal audit log.
- We maintain a change management log.
- If you have lots of incoming and outgoing staff then you also need to update the staff logs recording whether they've been trained on security, and keep a leavers checklist for when they leave, so you remove them from all systems cleanly.
How much time does this all take up?
Sounds like a lot? Not really.
It can take a few hours depending on your setup.
We have a 24 hour guarded secure building, a locked office, password managers, we store minimal customer data, have minimal staff turnover and in short are probably one of the easiest audits to run.
If you are a larger, fast-growing SaaS company then there will be more work required, but if you prep and organise the paperwork properly and remember to update the logs, it's simple enough.
Why is it useful?
If you're working with health companies then the ISO certification helps cover parts of their HIPAA requirements for compliance.
If you're working with financial companies, they'll sometimes send you an 8 page or even 60 page security form to fill out, or ask for your security setup, and you can send them a summarised version of your existing ISO docs. It certainly makes filling out the security docs much simpler.
Does this help us get more sales? Yes.
We've just closed a deal worth a minimum of 100k annually, and we would not have passed their 200 question security doc (yeah, seriously) without having security processes in place. We also know the company passed up on a competitor because they did not take the security form seriously.
Health and financial companies are not just ticking the box; they have legal requirements to keep customer data secure, and given a choice between 2 companies, as someone who is managing a department and could get fired for a bad choice, you'd go for the safe option. That said, the other company may not be certified but can still prove it cares about security.
Alternatives to certification? You can show you are serious about security without certification.
If you've ever received one of those 8 page security questionnaires from a prospective customer you'll know roughly what they're concerned about.
You can also see plenty of the ISO checklists online. They'll cover physical security requirements (lock the damn office door, close your laptops, don't leave important papers on the desk), password managers, staff checks and more. Do them, document them, publish them.
Upscope has a security page linked from its home page; many people read it, and people who ask security related questions are often directed to it. Some companies want a lot more information, and in one case we've also had to send over a stripped down copy of our asset register and other docs.
Overall, ISO audits still feel like they're built for older, larger corporations and not modern small SaaS companies where everything is in the cloud. That said, the staff checks, leavers checklist, using a password manager and a few other items do apply. We do these naturally as we're all sitting next to each other, but as we grow we can see how these will become more important.
Should you get SOC2?
We're hearing that SOC2 is very useful if you're working with finance companies in the USA and it's a more in-depth security process for modern cloud companies.
We're going to get SOC2 certified as well.
There's a Y Combinator graduate company, https://vanta.com, that is running a SOC2 certification process and seems built for SaaS companies. They appear to have the systems in place to make the process simple.