[HN Gopher] Ask HN: Is the ISO 27001 certification worth it?
___________________________________________________________________
Ask HN: Is the ISO 27001 certification worth it?
ISO 27001 (https://en.wikipedia.org/wiki/ISO/IEC_27001) certifies
that information security is properly managed at a company or
organisation. But the process of obtaining it is costly and
time-consuming so I wanted to ask people who have experience with it: is
it worth it? If you're a company doing B2B sales, how often do
prospective customers ask about the certificate? Does it ever make
or break a deal? When did you decide that it's time to get it done?
Thanks!
Author : piotrgrudzien
Score : 72 points
Date : 2021-11-03 14:15 UTC (8 hours ago)
| eli wrote:
| We do B2B sales, we don't have an ISO certificate, and to my
| knowledge it has never cost us a deal (though some companies have
| asked).
|
| But I'm sure it also depends what you're selling. We mostly sell
| marketing services and the risk is inherently low (we generally
| don't have access to any sensitive client data or systems).
| lordnacho wrote:
| It's theatre, so it won't help actual security. Having said that,
| even quite small firms I've known have decided they needed it in
| order to get customers.
|
| A fair few large customers require it and won't bother talking to
| you if you don't have it, so if you can otherwise do the sale
| there's a good reason to get it.
|
| Your real problem as a small vendor is deciding when this is
| necessary, because you might be getting customers just fine when
| you're small and dealing with people who care about actual
| security, not paper security. At some point you are gonna have to
| pull a few people out to get all this paperwork done. I spent
| last summer doing a whole pile of "Information Security" policies
| for a friend I was helping. Luckily there are consultants who can
| get you most of the way there.
| a13n wrote:
| > It's theatre, so it won't help actual security.
|
| I disagree with this sentiment. As a small firm who has
| undergone multiple security audits/certifications, I have found
| that the controls we added were generally practical and did
| improve our security.
| leokennis wrote:
| This is also my experience with risk audits in IT: you get
| asked a lot of stupid questions and spend a lot of time
| engaging in extreme hypotheticals, but in the end there are
| always one or two "hmmm I hadn't thought of that" moments
| which lead you to significantly increase your security.
| Freak_NL wrote:
| We are in the 'lucky' position that ISO 27001 is now simply a
| legal requirement because we offer a healthcare SaaS-product in
| the Netherlands (ISO 27001 is required via its Dutch NEN
| 7510/12/13 bastard child that is).
|
| For a small company (less than twenty employees) it really is a
| lot of work. It brings some benefits in that it forces you to
| have your documentation and certain processes in order, but
| man... getting audited drains you. It depends a lot on the
| auditor you get, but from all the stuff I do for my job, this
| yearly event feels like the biggest waste of time. It's just
| that without it we would be out of business.
| robertlagrant wrote:
| Same story here. Health tech in the UK. It's a pretty arduous
| process, but given our engineering team was already hot on
| security (and probably haven't been unlucky with auditors) we
| haven't had problems in practice.
| tgv wrote:
| We're also certified for similar reasons. It did bring
| information security more in the focus of upper management,
| so that's a plus. I for the time for backup encryption,
| getting rid of outdated servers (fuck Arch Linux, really),
| and everyone now has a monitored laptop, and got an info sec
| training.
| breckenedge wrote:
| You will know when you need it. Half of the companies I've worked
| for required an ISO 2700x audit in order to do business with
| larger b2b customers. It was part of the customer's due diligence
| process when selecting vendors.
|
| It can take a long time to complete an audit, especially that
| first one. You're going to need to show a lengthy paper trail of
| policies and documented compliance.
|
| I think it can bring good discipline to an organization when
| embraced, but that is often not how it gets done. And in some
| organizations the discipline is stifling. You'll want to pay
| attention to how it is impacting teams.
|
| A previous company I worked for used Process Street for procedure
| completion and tracking, but I always wondered if all auditors
| would be OK with such a flexible system.
| mritzmann wrote:
| For some companies it is enough to say "The data center is ISO
| certified". Which I always found strange, because almost every
| data center is ISO certified. But you will notice over time how
| relevant that will be for your customers. Simply ask with every
| lost offer what the reason was. Then you can still take care of
| your own certification.
| avianlyric wrote:
| Depends on your industry and what your customers expect. Also
| worth noting that your customers might not be ISO27001 compliant,
| but expect their suppliers to be compliant.
|
| Many customers will send you a huge questionnaire to understand
| your security posture, policies and procedures. You'll quickly
| realise that these questionnaires are pretty much what an ISO27001
| auditor will ask. So if you have ISO27001, then you can just copy
| and paste.
|
| It's much easier to become ISO27001 compliant early, before you
| have much built. It allows you to take cookie cutter policies and
| procedures from companies like Laika and apply them wholesale
| with only minor tweaks, and without the need to make technical
| changes, because there's nothing to change. However the process
| is both expensive and time consuming, so make sure it's something
| your customers will expect.
|
| Finally, pay someone else to walk you through the process. I've
| used the company heylaika.com, it removes so much overhead and
| the need to read the standard in detail. Trying to go it alone
| will just be a huge waste of time and money, you'll end up paying
| for expensive audits that you'll fail. Getting external help in
| makes sure you'll actually pass the audit before you pay an
| auditor.
| a13n wrote:
| Typically this is your B2B infosec audit evolution:
|
| 1. No audits/certifications. Stay here until you're losing deals
| with big-ish companies to the point where it's worth investing
| $10-20k and ~200 hours into solving this.
|
| 2. SOC 2 Type 1. Takes about $10-20k/yr and 200 hours in my
| experience. If you use a platform like Drata it'll be a bit more
| money but less effort. This report satisfies a lot of security
| teams, and you have to get it once per year. The 2nd/3rd time is
| way less time investment than first. Stay here until you're
| losing deals over not having SOC 2 Type 2 / ISO27001.
|
| 3. SOC 2 Type 2. Takes about $15-30k/yr. If you've done SOC 2
| Type 1 it should only take 80 hours or so to get. Again,
| platforms like Drata cost more but make this easier.
|
| 4. ISO27001. If SOC 2 Type 2 isn't enough for your big enterprise
| customers to buy, this is the next step. There's a lot of overlap
| between SOC 2 Type 2 and ISO27001, but ISO27001 definitely
| introduces some new controls. Drata can help with this as well,
| but pricing might go up to something more like $50k/yr for SOC 2
| Type 2 + ISO27001.
|
| If your company's very first sales will be enterprise deals, you
| may need to get SOC 2 Type 1/2 from the beginning. If you're
| starting out with SMB and eventually moving upstream, you could
| probably wait a few years before getting SOC 2 Type 1/2.
|
| If a customer is asking "do you have ISO27001 certification?",
| saying "no" to that isn't (necessarily) damning. It might just
| mean they want you to fill out their security questionnaire.
| These can be time consuming, so you can even get around this by
| filling out a VSA Core once (standardized questionnaire) and
| trying to send them that instead of filling out each customer's
| custom questionnaire.
| seanhunter wrote:
| If you are a b2b company your customers will start to ask you at
| a certain point. Not having it can break a deal for sure although
| having it won't make the deal.
|
| My advice to you is gradually improve your infosec posture and
| policies etc but rather than kicking off the certification, wait
| until a customer asks you for it during vendor due diligence,
| then say "we're working towards it" and immediately after the
| meeting commission one of the outside firms who do the evaluation
| for you.
|
| The evaluation process takes a while and in my experience
| customers are understanding about that especially given b2b sales
| aren't exactly quick normally.
| xtracto wrote:
| This has been the best answer in my opinion, the cost of
| achieving the certification is only worth it if you have
| prospective customers demanding it (so that their business
| will "pay" for the cost).
|
| Oftentimes, companies from the USA will prefer SOC2 Type2
| instead of ISO. So in my experience it is best to check with
| the market.
|
| Regarding B2C companies, in my experience you'd like to get an
| ISO certification to reduce pressure from some governing body.
| For example, I was in a company where we did ISO-37001 because
| in our country that is a HUGE risk, and our market was
| attracting a lot of attention from government and regulators.
| Having an ISO gave us a "checkmark" in their eyes.
| Descon wrote:
| I just purchased software for our company and they had both ISO
| 27001 and SOC 2 which made it way easier to deal with our
| security and governance team. They like to see those
| certifications. It would be possible without, but the scrutiny
| would be much higher.
| groundthrower wrote:
| We have been asked by Fortune500s for the ISO27001 along with the
| hundreds of security related questions. We got through without
| the certificate by convincing them in other ways how much we (the
| 2 of us) focus on security.
| mathie25 wrote:
| The objective of most companies is to make money (let us be
| honest), thus the objective of the information security team is
| to make sure that the organization can achieve its objectives.
|
| Thus, a lot of times, to sign customers, you need to be secured,
| as an IT/Security department can easily shut down any SaaS
| project if it is not secure enough. Having a certification like
| ISO 27001 or a report like SOC2 can really be helpful, and is
| sometimes a necessity. So ask yourself "does our company need a
| SOC2/ISO 27001 to sign customers? Is it a blocker for our
| business?". You never want to achieve compliance "just because",
| you need a business reason to do it.
|
| We started building our security program (ISMS) based on ISO
| 27001 (which is a really good basis in my opinion), but decided
| to get a SOC2 report instead. We started with a SOC2 type I
| report, then a type II. I personally find that a SOC2 is much
| more flexible than an ISO 27001 certification.
|
| We mainly deal with big European customers, and SOC2 and ISO
| 27001 are seen as equal; never had a problem there. Most
| customers don't even read the report to be honest; it's a check
| in a box.
|
| Having a SOC2 report or ISO 27001 certification shows that you
| care about security, and it sets the tone from the start.
| exhibitapp wrote:
| It's better to start early than anything, a lot of these certs
| are easier to get when you have nothing to audit. I've worked for
| 2 successful B2B fintechs, I wouldn't wait until a customer asks,
| I would be proactive if you have the time and money to go through
| it.
| tptacek wrote:
| I think this is basically the opposite of the correct answer.
| If you do certification too early, you'll be pulled into
| pointless engineering projects that will likely have a TCO far
| larger than the certification itself. If you wait to do SOC2
| until after you have a security team, you can avoid a lot of
| this work.
|
| It doesn't help that SOC2 auditors are basically wrong about a
| lot of stuff, so that if you're getting certified before you
| have a sane security practice in place, your security
| engineering will get dragged into weird, unproductive places.
| Aaronstotle wrote:
| As someone who works in Infosec & Compliance, it makes
| third-party risk much easier when a vendor has a SOC2 report.
|
| It depends on what kind of clients you have, if you are working
| with customers in regulated industries, then I believe it's worth
| it.
| nikanj wrote:
| It's useful as a moat: for an established player, maintaining a
| certification isn't a big effort. For a new player, it saps
| resources
| comprev wrote:
| I worked somewhere which had a stack of potential clients waiting
| for the 27001 stamp. Afterwards they all signed within months
| bringing significant revenue to the company. It was night & day
| difference to them.
| jnorthrop wrote:
| I'm in Information Security at a large enterprise. We look for
| this kind certification, but it isn't required. Not having it
| though will lead to further scrutiny (lots more questions to
| answer). I would recommend getting it if you can, particularly if
| you are offering a service that is hosting the customer's data
| and/or is managing some part of their IT operations.
|
| Bolstering the recommendation is the fact that the proliferation
| of supply chain attacks recently is adding pressure for companies
| to perform more thorough diligence on their vendors. The
| certification helps check all the boxes.
| tetha wrote:
| > When did you decide that it's time to get it done?
|
| There is a time management component to this. If you're still in
| a deal without a 27001 certification, the security questions
| don't go away. Instead, you get sent a security question set to
| answer. These question sets can be huge - our record is about 300
| - 400 questions. And once you've answered those, you're not done
| - then you go into discussions with their cybersecurity about
| your answers.
|
| Once you're in the loop with a number of large deals, this
| becomes a huge time sink.
|
| And no, you can't give this to an intern, or just
| search-and-answer most questions, because every company formulates their
| questions and requirements differently and it takes some
| knowledge to figure out what they mean and want.
|
| And at times the discussions afterwards are even worse. I've had
| InfoSec-guys tell me they're concerned because I cannot give them
| the specific details on the physical security of an AWS
| datacenter because these are not available.
|
| As much work as getting and maintaining an ISO27001 certification
| is, there is a point after which it'll save you time and nerves.
| danuker wrote:
| > specific details on the physical security of an AWS
| datacenter
|
| So, you want to certify yourself as secure, yet you store data
| on other people's computers, and you don't know how they are
| protected?
| VLM wrote:
| Yeah, exactly, it's always possible to fail someone if
| ANYTHING is outsourced. Keep on digging digging digging. For
| example Amazon is PCIDSS level 1 and more than willing to
| provide docs to prove it, so if you need pcidss 1 or less,
| that "should" be OK. OK fine, keep digging. In more detail
| you can see AWS brags about having linked their HR system to
| their security system so when someone is terminated their
| security access is immediately automatically revoked. OK
| fine, keep digging. I demand to see the python script or
| whatever that they wrote and I'd like to examine the system
| logs on both sides to verify operation of that security
| system. Ah got them now. OK now I demand to read the source
| code for the BIOS of the computer that connects those two
| systems. Can't do it? You're now officially insecure, cancel
| the deal.
|
| You can shut down deals that aren't outsourced by demanding
| more difficult stuff like viewing the manufacturing masks for
| the microcontrollers in the badge scanners. No not a generic
| mask for the CPU family or similar model of slightly
| different capacity, I mean the mask that was specifically
| used to make the specific chips in the individual badge
| scanners. You do audit that, don't you? Why can't I have the
| firmware to the chip in your usb keyboard, are you guys
| hiding something in there like a password grabber? Can you
| provide the source code of your on premises Cisco routers for
| our security review? Does Cisco know you can do that (LOL?)
|
| Security is not a checkmark, it's always been a spectrum, and
| if you want to torpedo a deal it's always possible to crank up
| the demands until the other side quits. It may not be useful
| or provide a business advantage, but nothing is ever truly
| secure. Probably the AWS stuff is better than average, LOL.
| travgary wrote:
| AWS is ISO and SOC certified so they get audited on physical
| security. I can trust that they did it right because they
| passed their audit. I don't have time to go bother AWS about
| their security cameras and key card procedures.
| jkingsman wrote:
| Certification allows you to form a chain of trust via
| providers who have had auditors validate and verify their
| security. When my company gets SOC2 audited, we don't have to
| audit AWS because AWS is also SOC2 compliant, and their
| business critical vendors are likewise or have been
| independently validated, etc. all the way down the chain.
| avianlyric wrote:
| AWS has ISO27001 certification and more. The whole point of
| these certifications is that it proves a competent auditor
| came in and checked all of these things, so your customers
| don't have to.
|
| Part of ISO27001 is proving that your supply chain is also
| ISO27001 compliant. So picking companies that are already
| certified makes that easy, because then the certification
| naturally recurses down your supply chain.
| kasey_junk wrote:
| Do you actually run a soc or iso certified data center?
| Because 99.9% of companies, even those who don't use cloud
| services, use other people's racks, cages, power, network etc
| for certified systems.
|
| I don't think I know a single serious security professional
| that would raise an eye at using cloud resources. Quite the
| opposite, there is a fairly straightforward & repeatable
| process for securing cloud resources. Unlike on prem.
| arraypad wrote:
| There's a very recently announced
| (https://security.googleblog.com/2021/10/launching-
| collaborat...) initiative by Google, Salesforce, Okta, Slack
| and others to create a minimal security standard -
| https://mvsp.dev/ - which will hopefully reduce this overhead
| and encourage an improvement in security across the industry.
| Mesmoria wrote:
| I note that section 1.6 is "Comply with all industry security
| standards relevant to your business such as PCI DSS, HITRUST,
| ISO27001, and SSAE 18".
|
| That looks larger than all the other requirements.
| ghiculescu wrote:
| Yes, unsurprisingly, this is set up to protect incumbents
| that have collected all these certifications.
| x0x0 wrote:
| It's probably easier to start w/ a SOC2 TypeII though. Once you
| get that down, you're at least 50% done with the 27001.
| tptacek wrote:
| Why a Type 2? The documentation you'll generate for the Type
| 1 covers just as much questionnaire terrain as the Type 2
| does.
| spurgelaurels wrote:
| Type 1 is a point in time, and it expires. Type 2 maintains
| it.
| x0x0 wrote:
| Because most CISOs / security reviews we go through ask for
| it.
| john-tells-all wrote:
| Absolutely this.
|
| Each potential client has a unique generally quite substantial
| list of security/tech questions in several spreadsheets. You
| answer each one as well as possible, and give details. This is
| definitely not an intern gig: at my fintech startup we had the
| CEO or Dir Eng or myself (DevOps) do it. Generally _all_ of us
| took turns. They're pretty onerous.
|
| Having done the work for the ISO-27001 helped. For that cert
| we'd already had to think about and document a ton of security
| related things. Potential clients were happy to take our
| internal docs (written for ISO) as details to their questions.
| If they actually read our docs or if it was just a checkbox
| requirement, that's a good question :)
| tptacek wrote:
| My experience doing this for several large companies at a time
| is that the questionnaires don't really go away with
| certification. There are probably some shops where audit
| reports will substitute for the Excel spreadsheet Q&A's, but
| there are plenty of others where the Q&A is a dealbreaker part
| of procurements no matter what.
|
| If you're in a line of business where your customers have
| questionnaires, just plan on having someone whose job is to
| fill these things out.
| mathie25 wrote:
| We have a SOC2 report type II, and security
| questionnaires/meetings are still there. Once we had a
| security questionnaire from a potential customer, took a
| glance at it, told the customer "hey you can find all of the
| answers in our SOC2 report and in our CAIQ (CSA)", they told
| us to still fill the questionnaire...
| curmudgeon22 wrote:
| Agreed with this, we still get questionnaires.
| mrclark411 wrote:
| We got a SOC2... and still get questionnaires. It's the
| worst. Companies are just outsourcing their security reviews
| to the vendor. Rather than rely on a 3rd party audited
| document companies want their custom questions answered. BUT
| - they aren't custom questions - it's the same questions for
| every vendor and they are very often poorly worded. Then when
| we turn them in - there's no follow up questions which to me
| implies that no one is reading them. Security theater...
| orwin wrote:
| Caveat: even with ISO27001 you will still have those questions
| with huge actors, especially industrials (service businesses
| are way, way lighter) or private-public sectors with huge
| incentives (energy, construction and medical).
|
| However, having passed the certification process still saves
| time.
| pschneidr wrote:
| ISO 27001 and SOC2 are both very valuable ways to communicate
| your security posture to external partners and customers. Like
| others have mentioned this will allow you to close deals quicker
| and prevent a more costly outcome by navigating security reviews
| more quickly. Source of info: friends at https://pentestiq.com
| and https://vanta.com that handle security/compliance for many
| startups.
| tptacek wrote:
| I think for a lot of startups this is mostly not true at all,
| and that you can get a pretty long way without doing SOC2. I
| think for _most_ startups there's basically no sales value to
| 27001 at all, and I would be wary of anyone giving advice
| suggesting anyone should do a 27001 preemptively, rather than
| to close a 7 figure pilot or something where the deal will pay
| for the cert drama.
| pschneidr wrote:
| You are correct, in many ways even SOC2 is not a desirable
| investment for young companies. You can do 5 figure deals
| with fortune 500 companies without it but the process of
| closing that deal will require a lot more work. Maybe a good
| time to start investing in SOC2 or ISO certification is when
| you have multiple large deals with enterprises in your sales
| pipe. Before that, running a small security program (annual
| pentest, security awareness training) and communicating that
| via security questionnaires will get you first deals.
| motohagiography wrote:
| I would wonder if there is a heuristic where you don't need a
| specialized and mature security governance program until you are
| close to or have established PMF. Security _is_ tech governance,
| so you need something to govern before you drop in a bunch of
| security people.
|
| If you have an enterprise product, either you get the ISO cert,
| or give up some of your sales margin and leverage to be a
| "partner," to another vendor who does. e.g. If you are selling to
| a bank and you don't have it, it's likely the bank may ask a
| consultant from one of the big firms to "recommend," your product
| as part of an engagement, and the compliance risk nominally
| shifts onto them, which is super not-cheap. I'd start discussions
| with VARs and consulting firms about partnering now in case you
| get a demand for it, just to be hedged.
|
| However, as a security pro, I would almost never suggest it to a
| startup until they are much later stage, like B and C rounds, or
| above say, $20m ARR, and perhaps not even then. The reason for
| this is if you are still establishing PMF, ISO is an expensive
| distraction, same with FedRAMP. Pay for it out of profits only,
| or tack on the expense to a customer contract, as imo, it's a
| waste of precious runway.
|
| Strategically, I think it's worth considering taking the revenue
| hit of partnering with a VAR or a big-N consulting firm early to
| grow your channel first, and who specializes in managing these
| dead weight regulatory burdens while you focus on building a
| product that grows fast enough that you can choose to solve ISO
| yourself as an optimization problem later on when you are rolling
| in cash, and not as a strategic barrier. I'd venture that the
| lack of an ISO cert is not going to get in the way of an exit or
| early stage growth. It's an expense that I would punt to whoever
| acquires you. If you are acquiring companies, then maybe you're
| big enough to consider it.
| lmilcin wrote:
| Let me put my perspective on this.
|
| The answer is both yes, and no.
|
| Why no:
|
| Seriously, if you need certification to put your processes in
| order you are in deep shit anyway. As an organization, you
| should be striving to continuously learn and improve. ISO 27001
| is just a standard, a minimum you should be doing anyway.
|
| Why yes:
|
| I think it makes sense to go over that material. A lot of that
| stuff makes total sense. Why learn the mistakes yourself when you
| can get over a lot of that stuff in one, easy to consume package?
| Security is a tough thing to get right, there is a lot of
| possibility to forget/be blind to some obvious things. While it
| is up to you to figure out what to do (see above) and you will be
| paying the price of missteps, it is always a good idea to get some
| external validation. Especially if you are top level manager and
| you don't exactly know if you are getting accurate assessment of
| the situation from your underlings.
| christinac wrote:
| (I work at/cofounded Vanta)
|
| We work with companies doing B2B sales and looking for help with
| compliance certifications like ISO 27001 and SOC 2. Some folks
| come to us early but most come with a deal on the line -- which
| is to say, this is a process you can start "just in time" if you
| must.
|
| From what I've seen, saying "no I won't go through your security
| review process" is an (obvious) dealbreaker, but there's a lot of
| ways to get through that process: ISO cert, SOC 2, the promise to
| get either of those certs by your go-live/implementation date,
| security questionnaire hell, etc.
|
| As mentioned previously, ISO is preferred by European companies;
| SOC 2 is more likely to be mandated by American companies, and
| you're likely to get pretty far, even in Europe, on just a SOC 2.
| If I had to construct the situation that's most likely to be
| deal-breaking, it'd be an old-school European company that's
| operating off a rigid flow chart: "if no ISO 27001 cert, go back
| to start. Do not pass Go. Do not collect $200."
|
| A few folks have mentioned cost (dollar and organizational) --
| ymmv and/but the cost of obtaining ISO 27001 certification varies
| with the number of employees, say $10-20k for smaller companies.
| Implementing ISO 27001 and an ISMS can be blitzed by small teams
| in a few weeks but probably will take a couple of months to a
| year for larger organizations.
|
| (And we'd love to help if you decide to pursue this at Vanta etc
| etc)
| 1cvmask wrote:
| How can one reach you at Vanta?
| cols wrote:
| I worked for a telecomms/webcasting company for about 5 years as
| a product manager. I can tell you from personal experience that a
| significant portion of the Fortune 500 (if not all of them)
| required ISO 2700X certification to even be considered.
|
| The certification burden increases in proportion to the level of
| PII you are storing. The burden was much higher for government or
| med/bio contracts (FedRAMP/HIPAA, etc.). It's also worth it to
| mention that we had whole teams dedicated to working through
| RFPs/RFCs as they can get VERY time consuming.
|
| Bottom line is that if you are going to work with the big fish,
| you will probably need this level of certification to show them
| you are serious.
| GrumpyNl wrote:
| My experience is, you get to work with a company who "advises"
| you what to do and they also do the certification. In my
| opinion, this makes it worthless. The company I worked for got
| the certification like this every year.
| Puts wrote:
| First of all management systems and ISO are a way of working, a
| method or a framework. Just like scrum and agile are methods for
| project management within a team, management systems within the
| context of ISO are a method or framework set up by the management
| to lead the company. If you don't believe in ISO as a method,
| then you should not do it. Simple as that.
|
| Personally however I think that ISO and management systems solve
| a lot of the problems that most companies deal with, and it
| gives a structured way of setting goals and reaching them.
|
| Secondly the certification is not the most important part. The
| certification proves that your management system works and that
| you are reaching your goals, but if your goals are shit then the
| certification rather proves that you are a shitty company. In
| other words the certification in itself is not a quality badge.
| paxys wrote:
| If you have or are aiming for large enterprise customers, ISO
| 27001 is basically a requirement. You'll probably also need ISO
| 27017, ISO 27018, ISO 27701, SOC 2, SOC 3, APEC and maybe more,
| all depending on which stage your company is at.
| mnd999 wrote:
| It's a racket essentially, they make up a certification sell it
| to people buying software. Those buyers force it on their
| suppliers and they can charge for auditing and compliance. Not
| much you can do though, just have to grit your teeth and get on
| with it and try and avoid the most bureaucratic parts that slow
| down your ability to execute.
| tptacek wrote:
| First: the rule with these kinds of certifications is simple:
| don't do them until you have customer deals contingent on them.
| You should be able to weigh the costs of certification against
| hard, certain revenue. Depending on your customer base, you may
| get pushed into certification soon, or you might be able to push
| it off surprisingly far. If you can do that, you should.
|
| Second: in North America, SOC2 is much more common than ISO
| 27001. 27001 is more common with gigantic companies than with
| startups. By way of example: Datadog just announced its 27001
| last year, a few months after they went public. That they were
| able to scale their business to that point without 27001
| certification --- and look closely at what Datadog's business is,
| and who their customers are! --- should tell you something about
| which certification you're likely to want first.
|
| So for the rest of this comment I'm going to assume your company
| has no certification, and that you can get away with SOC2.
|
| Third: while you will run into NA customers that want SOC2,
| there's a loose norm of purchases contingent on achieving a Type
| 1. That is to say: you can probably plan on deferring SOC2 until
| you have a contingent P.O. in hand, and do it then without losing
| that deal. You know your customers better than I do, but I spent
| a bunch of years doing this work for startups and don't think I
| ever told anyone to SOC2 preemptively.
|
| Fourth: a real risk with rushing certification is that it can
| warp your security engineering and business processes. SOC2 is
| particularly amorphous, and SOC2 auditors are a weird bunch
| (people with strong opinions about which security tools you
| should be running that don't know the difference between an IP
| address and a domain name are people whose influence on your IT
| and engineering you should limit). You want a security team in
| place before you start chugging away at SOC2, so that your
| security team can be the primary influence on what engineering
| you do to support SOC2 (a competent security team will win any
| shootout with any major-label auditor).
|
| Fifth: For most companies, you'll be 25-35 engineers before you
| contemplate a full-time security person, which gives you an idea
| of the normal lifecycle point at which you might start seriously
| considering certifying.
|
| I wrote a blog post for my last company about some things to know
| about SOC2 and early-stage companies:
|
| https://latacora.micro.blog/2020/03/12/the-soc-starting.html
| quicksilver03 wrote:
| > First: the rule with these kinds of certifications is simple:
| don't do them until you have customer deals contingent on them.
|
| Getting an ISO 27001 certification can take months of effort,
| and not all deals can be stretched this far without significant
| repercussions.
|
| Just a data point, I led the certification project at my
| current company and it took us 8 months (~65 people in total,
| of which 3 full-time in IT): the auditors were a little
| hesitant at first because the system wasn't "battle-tested" as
| much as they'd have liked.
| paddybyers wrote:
| This ^ is my favourite writeup on the question of how you
| implement SOC2. I wish I had read that before we started -
| after going through the Type 1 and Type 2 process, we've ended
| up with the same conclusions. I've lost count of the number of
| times I've recommended that. Our experience (global b2b
| customers, heavily skewed to NA) is that SOC2 Type 2 is the
| most frequently requested/expected standard, and if you have
| that, not having ISO is very rarely a dealbreaker. Neither
| makes the security questionnaires go away; they continue to be
| mandatory, require expert input, and are a significant drain on
| time. However, having SOC2 and/or ISO does mean that you've
| already thought of the answers to the questions and you'll have
| a defensible position, backed up by a track record of
| independent audits, when your particular approach doesn't meet
| the "gold" standard implied by the questionnaire. (Edit: typo)
| vishnugupta wrote:
| It's a line-item in many of your clients' checklists. If they
| don't tick it off then you will have to answer a bunch of
| questions. It's a one time pain to get out of the way.
|
| You could also start the process and ask your certifying
| consultant to give you a certificate saying it's in progress
| which is also good in many cases but follow through to complete
| it.
| Freak_NL wrote:
| > It's a one time pain to get out of the way.
|
| It's also a yearly audit and a continuous process to maintain
| it though.
___________________________________________________________________
(page generated 2021-11-03 23:00 UTC)