[HN Gopher] Ask HN: Is the ISO 27001 certification worth it?
___________________________________________________________________

ISO 27001 (https://en.wikipedia.org/wiki/ISO/IEC_27001) certifies that information security is properly managed at a company or organisation. But the process of obtaining it is costly and time-consuming, so I wanted to ask people who have experience with it: is it worth it?

If you're a company doing B2B sales, how often do prospective customers ask about the certificate? Does it ever make or break a deal? When did you decide that it's time to get it done?

Thanks!

Author : piotrgrudzien
Score  : 72 points
Date   : 2021-11-03 14:15 UTC (8 hours ago)

eli wrote:
| We do B2B sales, we don't have an ISO certificate, and to my knowledge it has never cost us a deal (though some companies have asked).
|
| But I'm sure it also depends what you're selling. We mostly sell marketing services and the risk is inherently low (we generally don't have access to any sensitive client data or systems).

lordnacho wrote:
| It's theatre, so it won't help actual security. Having said that, even quite small firms I've known have decided they needed it in order to get customers.
|
| A fair few large customers require it and won't bother talking to you if you don't have it, so if you can otherwise do the sale there's a good reason to get it.
|
| Your real problem as a small vendor is deciding when this is necessary, because you might be getting customers just fine when you're small and dealing with people who care about actual security, not paper security. At some point you are gonna have to pull a few people out to get all this paperwork done. I spent last summer doing a whole pile of "Information Security" policies for a friend I was helping. Luckily there are consultants who can get you most of the way there.

a13n wrote:
| > It's theatre, so it won't help actual security.
|
| I disagree with this sentiment. As a small firm who has undergone multiple security audits/certifications, I have found that the controls we added were generally practical and did improve our security.

leokennis wrote:
| This is also my experience with risk audits in IT: you get asked a lot of stupid questions and spend a lot of time engaging in extreme hypotheticals, but in the end there are always one or two "hmmm, I hadn't thought of that" moments which lead you to significantly increase your security.

Freak_NL wrote:
| We are in the 'lucky' position that ISO 27001 is now simply a legal requirement because we offer a healthcare SaaS product in the Netherlands (ISO 27001 is required via its Dutch NEN 7510/12/13 bastard child, that is).
|
| For a small company (less than twenty employees) it really is a lot of work. It brings some benefits in that it forces you to have your documentation and certain processes in order, but man... getting audited drains you. It depends a lot on the auditor you get, but of all the stuff I do for my job, this yearly event feels like the biggest waste of time. It's just that without it we would be out of business.

robertlagrant wrote:
| Same story here. Health tech in the UK. It's a pretty arduous process, but given our engineering team was already hot on security (and we probably haven't been unlucky with auditors) we haven't had problems in practice.

tgv wrote:
| We're also certified for similar reasons. It did bring information security more into the focus of upper management, so that's a plus. I found the time for backup encryption, getting rid of outdated servers (fuck Arch Linux, really), and everyone now has a monitored laptop and got an info sec training.

breckenedge wrote:
| You will know when you need it. Half of the companies I've worked for required an ISO 2700x audit in order to do business with larger B2B customers.
| It was part of the customer's due diligence process when selecting vendors.
|
| It can take a long time to complete an audit, especially that first one. You're going to need to show a lengthy paper trail of policies and documented compliance.
|
| I think it can bring good discipline to an organization when embraced, but that is often not how it gets done. And in some organizations the discipline is stifling. You'll want to pay attention to how it is impacting teams.
|
| A previous company I worked for used Process Street for procedure completion and tracking, but I always wondered if all auditors would be OK with such a flexible system.

mritzmann wrote:
| For some companies it is enough to say "The data center is ISO certified". Which I always found strange, because almost every data center is ISO certified. But you will notice over time how relevant that will be for your customers. Simply ask with every lost offer what the reason was. Then you can still take care of your own certification.

avianlyric wrote:
| Depends on your industry and what your customers expect. Also worth noting that your customers might not be ISO27001 compliant, but expect their suppliers to be compliant.
|
| Many customers will send you a huge questionnaire to understand your security posture, policies and procedures. You'll quickly realise that these questionnaires are pretty much what an ISO27001 auditor will ask. So if you have ISO27001, then you can just copy and paste.
|
| It's much easier to become ISO27001 compliant early, before you have much built. It allows you to take cookie-cutter policies and procedures from companies like Laika and apply them wholesale with only minor tweaks, and without the need to make technical changes, because there's nothing to change. However, the process is both expensive and time consuming, so make sure it's something your customers will expect.
|
| Finally, pay someone else to walk you through the process. I've used the company heylaika.com; it removes so much overhead and the need to read the standard in detail. Trying to go it alone will just be a huge waste of time and money; you'll end up paying for expensive audits that you'll fail. Getting external help in makes sure you'll actually pass the audit before you pay an auditor.

a13n wrote:
| Typically this is your B2B infosec audit evolution:
|
| 1. No audits/certifications. Stay here until you're losing deals with big-ish companies to the point where it's worth investing $10-20k and ~200 hours into solving this.
|
| 2. SOC 2 Type 1. Takes about $10-20k/yr and 200 hours in my experience. If you use a platform like Drata it'll be a bit more money but less effort. This report satisfies a lot of security teams, and you have to get it once per year. The 2nd/3rd time is way less time investment than the first. Stay here until you're losing deals over not having SOC 2 Type 2 / ISO27001.
|
| 3. SOC 2 Type 2. Takes about $15-30k/yr. If you've done SOC 2 Type 1 it should only take 80 hours or so to get. Again, platforms like Drata cost more but make this easier.
|
| 4. ISO27001. If SOC 2 Type 2 isn't enough for your big enterprise customers to buy, this is the next step. There's a lot of overlap between SOC 2 Type 2 and ISO27001, but ISO27001 definitely introduces some new controls. Drata can help with this as well, but pricing might go up to something more like $50k/yr for SOC 2 Type 2 + ISO27001.
|
| If your company's very first sales will be enterprise deals, you may need to get SOC 2 Type 1/2 from the beginning. If you're starting out with SMB and eventually moving upstream, you could probably wait a few years before getting SOC 2 Type 1/2.
|
| If a customer is asking "do you have ISO27001 certification?", saying "no" to that isn't (necessarily) damning.
| It might just mean they want you to fill out their security questionnaire. These can be time consuming, so you can even get around this by filling out a VSA Core once (standardized questionnaire) and trying to send them that instead of filling out each customer's custom questionnaire.

seanhunter wrote:
| If you are a B2B company your customers will start to ask you at a certain point. Not having it can break a deal for sure, although having it won't make the deal.
|
| My advice to you is to gradually improve your infosec posture and policies etc., but rather than kicking off the certification, wait until a customer asks you for it during vendor due diligence, then say "we're working towards it" and immediately after the meeting commission one of the outside firms who do the evaluation for you.
|
| The evaluation process takes a while and in my experience customers are understanding about that, especially given B2B sales aren't exactly quick normally.

xtracto wrote:
| This has been the best answer in my opinion; the cost of achieving the certification is only worth it if you have prospective customers demanding it (so that their business will "pay" for the cost).
|
| Oftentimes, companies from the USA will prefer SOC2 Type2 instead of ISO. So in my experience it is best to check with the market.
|
| Regarding B2C companies, in my experience you'd like to get an ISO certification to reduce pressure from some governing body. For example, I was in a company where we did ISO-37001 because in our country that is a HUGE risk, and our market was attracting a lot of attention from government and regulators. Having an ISO gave us a "checkmark" in their eyes.

Descon wrote:
| I just purchased software for our company and they had both ISO 27001 and SOC 2, which made it way easier to deal with our security and governance team. They like to see those certifications.
| It would be possible without, but the scrutiny would be much higher.

groundthrower wrote:
| We have been asked by Fortune 500s for the ISO27001 along with the hundreds of security related questions. We got through without the certificate by convincing them in other ways how much we (the 2 of us) focus on security.

mathie25 wrote:
| The objective of most companies is to make money (let us be honest), thus the objective of the information security team is to make sure that the organization can achieve its objectives.
|
| Thus, a lot of times, to sign customers, you need to be secure, as an IT/Security department can easily shut down any SaaS project if it is not secure enough. Having a certification like ISO 27001 or a report like SOC2 can really be helpful, and is sometimes a necessity. So ask yourself "does our company need a SOC2/ISO 27001 to sign customers? Is it a blocker for our business?". You never want to achieve compliance "just because"; you need a business reason to do it.
|
| We started building our security program (ISMS) based on ISO 27001 (which is a really good basis in my opinion), but decided to get a SOC2 report instead. We started with a SOC2 type I report, then a type II. I personally find that a SOC2 is much more flexible than an ISO 27001 certification.
|
| We mainly deal with big European customers, and SOC2 and ISO 27001 are seen as equal; never had a problem there. Most customers don't even read the report, to be honest; it's a check in a box.
|
| Having a SOC2 report or ISO 27001 certification shows that you care about security, and it sets the tone from the start.

exhibitapp wrote:
| It's better to start early than anything; a lot of these certs are easier to get when you have nothing to audit. I've worked for 2 successful B2B fintechs. I wouldn't wait until a customer asks; I would be proactive if you have the time and money to go through it.
tptacek wrote:
| I think this is basically the opposite of the correct answer. If you do certification too early, you'll be pulled into pointless engineering projects that will likely have a TCO far larger than the certification itself. If you wait to do SOC2 until after you have a security team, you can avoid a lot of this work.
|
| It doesn't help that SOC2 auditors are basically wrong about a lot of stuff, so that if you're getting certified before you have a sane security practice in place, your security engineering will get dragged into weird, unproductive places.

Aaronstotle wrote:
| As someone who works in Infosec & Compliance, it makes third-party risk much easier when a vendor has a SOC2 report.
|
| It depends on what kind of clients you have; if you are working with customers in regulated industries, then I believe it's worth it.

nikanj wrote:
| It's useful as a moat: for an established player, maintaining a certification isn't a big effort. For a new player, it saps resources.

comprev wrote:
| I worked somewhere which had a stack of potential clients waiting for the 27001 stamp. Afterwards they all signed within months, bringing significant revenue to the company. It was a night & day difference to them.

jnorthrop wrote:
| I'm in Information Security at a large enterprise. We look for this kind of certification, but it isn't required. Not having it, though, will lead to further scrutiny (lots more questions to answer). I would recommend getting it if you can, particularly if you are offering a service that is hosting the customer's data and/or is managing some part of their IT operations.
|
| Bolstering the recommendation is the fact that the proliferation of supply chain attacks recently is adding pressure for companies to perform more thorough diligence on their vendors. The certification helps check all the boxes.

tetha wrote:
| > When did you decide that it's time to get it done?
|
| There is a time management component to this. If you're still in a deal without a 27001 certification, the security questions don't go away. Instead, you get sent a security question set to answer. These question sets can be huge - our record is about 300 - 400 questions. And once you've answered those, you're not done - then you go into discussions with their cybersecurity about your answers.
|
| Once you're in the loop with a number of large deals, this becomes a huge time sink.
|
| And no, you can't give this to an intern, or just search-and-answer most questions, because every company formulates their questions and requirements differently and it takes some knowledge to figure out what they mean and want.
|
| And at times the discussions afterwards are even worse. I've had InfoSec guys tell me they're concerned because I cannot give them the specific details on the physical security of an AWS datacenter, because these are not available.
|
| As much work as getting and maintaining an ISO27001 certification is, there is a point after which it'll save you time and nerves.

danuker wrote:
| > specific details on the physical security of an AWS datacenter
|
| So, you want to certify yourself as secure, yet you store data on other people's computers, and you don't know how they are protected?

VLM wrote:
| Yeah, exactly, it's always possible to fail someone if ANYTHING is outsourced. Keep on digging digging digging. For example Amazon is PCI DSS level 1 and more than willing to provide docs to prove it, so if you need PCI DSS 1 or less, that "should" be OK. OK fine, keep digging. In more detail you can see AWS brags about having linked their HR system to their security system so when someone is terminated their security access is immediately automatically revoked. OK fine, keep digging.
| I demand to see the python script or whatever that they wrote and I'd like to examine the system logs on both sides to verify operation of that security system. Ah, got them now. OK now I demand to read the source code for the BIOS of the computer that connects those two systems. Can't do it? You're now officially insecure, cancel the deal.
|
| You can shut down deals that aren't outsourced by demanding more difficult stuff like viewing the manufacturing masks for the microcontrollers in the badge scanners. No, not a generic mask for the CPU family or similar model of slightly different capacity, I mean the mask that was specifically used to make the specific chips in the individual badge scanners. You do audit that, don't you? Why can't I have the firmware to the chip in your USB keyboard, are you guys hiding something in there like a password grabber? Can you provide the source code of your on-premises Cisco routers for our security review? Does Cisco know you can do that (LOL?)
|
| Security is not a checkmark, it's always been a spectrum, and if you want to torpedo a deal it's always possible to crank up the demands until the other side quits. It may not be useful or provide a business advantage, but nothing is ever truly secure. Probably the AWS stuff is better than average, LOL.

travgary wrote:
| AWS is ISO and SOC certified so they get audited on physical security. I can trust that they did it right because they passed their audit. I don't have time to go bother AWS about their security cameras and key card procedures.

jkingsman wrote:
| Certification allows you to form a chain of trust via providers who have had auditors validate and verify their security. When my company gets SOC2 audited, we don't have to audit AWS because AWS is also SOC2 compliant, and their business critical vendors are likewise or have been independently validated, etc., all the way down the chain.
avianlyric wrote:
| AWS has ISO27001 certification and more. The whole point of these certifications is that it proves a competent auditor came in and checked all of these things, so your customers don't have to.
|
| Part of ISO27001 is proving that your supply chain is also ISO27001 compliant. So picking companies that are already certified makes that easy, because then the certification naturally recurses down your supply chain.

kasey_junk wrote:
| Do you actually run a SOC or ISO certified data center? Because 99.9% of companies, even those who don't use cloud services, use other people's racks, cages, power, network etc. for certified systems.
|
| I don't think I know a single serious security professional that would raise an eye at using cloud resources. Quite the opposite, there is a fairly straightforward & repeatable process for securing cloud resources. Unlike on prem.

arraypad wrote:
| There's a very recently announced (https://security.googleblog.com/2021/10/launching-collaborat...) initiative by Google, Salesforce, Okta, Slack and others to create a minimal security standard - https://mvsp.dev/ - which will hopefully reduce this overhead and encourage an improvement in security across the industry.

Mesmoria wrote:
| I note that section 1.6 is "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18".
|
| That looks larger than all the other requirements.

ghiculescu wrote:
| Yes, unsurprisingly, this is set up to protect incumbents that have collected all these certifications.

x0x0 wrote:
| It's probably easier to start w/ a SOC2 Type II though. Once you get that down, you're at least 50% done with the 27001.

tptacek wrote:
| Why a Type 2? The documentation you'll generate for the Type 1 covers just as much questionnaire terrain as the Type 2 does.

spurgelaurels wrote:
| Type 1 is a point in time, and it expires.
Type 2 maintains | it. | x0x0 wrote: | Because most CISOs / security reviews we go through ask for | it. | john-tells-all wrote: | Absolutely this. | | Each potential client has a unique generally quite substantial | list of security/tech questions in several spreadsheets. You | answer each one as well as possible, and give details. This is | definitely not an intern gig: at my fintech startup we had the | CEO or Dir Eng or myself (DevOps) do it. Generally _all_ of us | took turns. They 're pretty onerous. | | Having done the work for the ISO-27001 helped. For that cert | we'd already had to think about and document a ton of security | related things. Potential clients were happy to take our | internal docs (written for ISO) as details to their questions. | If they actually read our docs or if it was just a checkbox | requirement, that's a good question :) | tptacek wrote: | My experience doing this for several large companies at a time | is that the questionnaires don't really go away with | certification. There are probably some shops where audit | reports will substitute for the Excel spreadsheet Q&A's, but | there are plenty of others where the Q&A is a dealbreaker part | of procurements no matter what. | | If you're in a line of business where your customers have | questionnaires, just plan on having someone whose job is to | fill these things out. | mathie25 wrote: | We have a SOC2 report type II, and security | questionnaires/meetings are still there. Once we had a | security questionnaire from a potential customer, took a | glance at it, told the customer "hey you can find all of the | answers in our SOC2 report and in our CAIQ (CSA)", they told | us to still fill the questionnaire... | curmudgeon22 wrote: | Agreed with this, we still get questionnaires. | mrclark411 wrote: | We got a SOC2... and still get questionnaires. It's the | worst. Companies are just outsourcing their security reviews | to the vendor. 
| Rather than rely on a 3rd party audited document, companies want their custom questions answered. BUT - they aren't custom questions - it's the same questions for every vendor and they are very often poorly worded. Then when we turn them in there's no follow up questions, which to me implies that no one is reading them. Security theater...

orwin wrote:
| Caveat: even with ISO27001 you will still have those questions with huge actors, especially industrials (service businesses are way, way lighter) or private-public sectors with huge incentives (energy, construction and medical).
|
| However, having passed the certification process still saves time.

pschneidr wrote:
| ISO 27001 and SOC2 are both very valuable ways to communicate your security posture to external partners and customers. Like others have mentioned, this will allow you to close deals quicker and prevent a more costly outcome by navigating security reviews more quickly. Source of info: friends at https://pentestiq.com and https://vanta.com that handle security/compliance for many startups.

tptacek wrote:
| I think for a lot of startups this is mostly not true at all, and that you can get a pretty long way without doing SOC2. I think for _most_ startups there's basically no sales value to 27001 at all, and I would be wary of anyone giving advice suggesting anyone should do a 27001 preemptively, rather than to close a 7 figure pilot or something where the deal will pay for the cert drama.

pschneidr wrote:
| You are correct, in many ways even SOC2 is not a desirable investment for young companies. You can do 5 figure deals with Fortune 500 companies without it, but the process of closing that deal will require a lot more work. Maybe a good time to start investing in SOC2 or ISO certification is when you have multiple large deals with enterprises in your sales pipe.
| Before that, running a small security program (annual pentest, security awareness training) and communicating that via security questionnaires will get you first deals.

motohagiography wrote:
| I would wonder if there is a heuristic where you don't need a specialized and mature security governance program until you are close to or have established PMF. Security _is_ tech governance, so you need something to govern before you drop in a bunch of security people.
|
| If you have an enterprise product, either you get the ISO cert, or give up some of your sales margin and leverage to be a "partner" to another vendor who does. E.g. if you are selling to a bank and you don't have it, it's likely the bank may ask a consultant from one of the big firms to "recommend" your product as part of an engagement, and the compliance risk nominally shifts onto them, which is super not-cheap. I'd start discussions with VARs and consulting firms about partnering now in case you get a demand for it, just to be hedged.
|
| However, as a security pro, I would almost never suggest it to a startup until they are much later stage, like B and C rounds, or above say $20m ARR, and perhaps not even then. The reason for this is if you are still establishing PMF, ISO is an expensive distraction, same with FedRAMP. Pay for it out of profits only, or tack on the expense to a customer contract, as imo it's a waste of precious runway.
|
| Strategically, I think it's worth considering taking the revenue hit of partnering with a VAR or a big-N consulting firm early to grow your channel first, one who specializes in managing these dead weight regulatory burdens while you focus on building a product that grows fast enough that you can choose to solve ISO yourself as an optimization problem later on when you are rolling in cash, and not as a strategic barrier.
| I'd venture that the lack of an ISO cert is not going to get in the way of an exit or early stage growth. It's an expense that I would punt to whoever acquires you. If you are acquiring companies, then maybe you're big enough to consider it.

lmilcin wrote:
| Let me put my perspective on this.
|
| The answer is both yes, and no.
|
| Why no:
|
| Seriously, if you need certification to put your processes in order you are in deep shit anyway. As an organization, you should be striving to continuously learn and improve. ISO 27001 is just a standard, a minimum you should be doing anyway.
|
| Why yes:
|
| I think it makes sense to go over that material. A lot of that stuff makes total sense. Why learn the mistakes yourself when you can get over a lot of that stuff in one easy to consume package? Security is a tough thing to get right; there is a lot of possibility to forget/be blind to some obvious things. While it is up to you to figure out what to do (see above) and you will be paying the price of missteps, it is always a good idea to get some external validation. Especially if you are a top level manager and you don't exactly know if you are getting an accurate assessment of the situation from your underlings.

christinac wrote:
| (I work at/cofounded Vanta)
|
| We work with companies doing B2B sales and looking for help with compliance certifications like ISO 27001 and SOC 2. Some folks come to us early but most come with a deal on the line -- which is to say, this is a process you can start "just in time" if you must.
|
| From what I've seen, saying "no I won't go through your security review process" is an (obvious) dealbreaker, but there's a lot of ways to get through that process: ISO cert, SOC 2, the promise to get either of those certs by your go-live/implementation date, security questionnaire hell, etc.
|
| As mentioned previously, ISO is preferred by European companies; SOC 2 is more likely to be mandated by American companies, and you're likely to get pretty far, even in Europe, on just a SOC 2. If I had to construct the situation that's most likely to be deal-breaking, it'd be an old-school European company that's operating off a rigid flow chart: "if no ISO 27001 cert, go back to start. Do not pass Go. Do not collect $200."
|
| A few folks have mentioned cost (dollar and organizational) -- ymmv and/but the cost of obtaining ISO 27001 certification varies with the number of employees, say $10-20k for smaller companies. Implementing ISO 27001 and an ISMS can be blitzed by small teams in a few weeks but probably will take a couple of months to a year for larger organizations.
|
| (And we'd love to help if you decide to pursue this at Vanta etc etc)

1cvmask wrote:
| How can one reach you at Vanta?

cols wrote:
| I worked for a telecoms/webcasting company for about 5 years as a product manager. I can tell you from personal experience that a significant portion of the Fortune 500 (if not all of them) required ISO 2700X certification to even be considered.
|
| The certification burden increases in proportion to the level of PII you are storing. The burden was much higher for government or med/bio contracts (FedRAMP/HIPAA, etc.). It's also worth it to mention that we had whole teams dedicated to working through RFPs/RFCs as they can get VERY time consuming.
|
| Bottom line is that if you are going to work with the big fish, you will probably need this level of certification to show them you are serious.

GrumpyNl wrote:
| My experience is, you get to work with a company who "advises" you what to do and they also do the certification. In my opinion, this makes it worthless. The company I worked for got the certification like this every year.
Puts wrote:
| First of all, management systems and ISO are a way of working, a method or a framework. Just like scrum and agile are methods for project management within a team, management systems within the context of ISO are a method or framework set up by the management to lead the company. If you don't believe in ISO as a method, then you should not do it. Simple as that.
|
| Personally, however, I think that ISO and management systems solve a lot of the problems that most companies deal with, and it gives a structured way of setting goals and reaching them.
|
| Secondly, the certification is not the most important part. The certification proves that your management system works and that you are reaching your goals, but if your goals are shit then the certification rather proves that you are a shitty company. In other words, the certification in itself is not a quality badge.

paxys wrote:
| If you have or are aiming for large enterprise customers, ISO 27001 is basically a requirement. You'll probably also need ISO 27017, ISO 27018, ISO 27701, SOC 2, SOC 3, APEC and maybe more, all depending on which stage your company is at.

mnd999 wrote:
| It's a racket essentially: they make up a certification, sell it to people buying software. Those buyers force it on their suppliers and they can charge for auditing and compliance. Not much you can do though, just have to grit your teeth and get on with it and try and avoid the most bureaucratic parts that slow down your ability to execute.

tptacek wrote:
| First: the rule with these kinds of certifications is simple: don't do them until you have customer deals contingent on them. You should be able to weigh the costs of certification against hard, certain revenue. Depending on your customer base, you may get pushed into certification soon, or you might be able to push it off surprisingly far. If you can do that, you should.
|
| Second: in North America, SOC2 is much more common than ISO 27001. 27001 is more common with gigantic companies than with startups. By way of example: Datadog just announced its 27001 last year, a few months after they went public. That they were able to scale their business to that point without 27001 certification --- and look closely at what Datadog's business is, and who their customers are! --- should tell you something about which certification you're likely to want first.
|
| So for the rest of this comment I'm going to assume your company has no certification, and that you can get away with SOC2.
|
| Third: while you will run into NA customers that want SOC2, there's a loose norm of purchases contingent on achieving a Type 1. That is to say: you can probably plan on deferring SOC2 until you have a contingent P.O. in hand, and do it then without losing that deal. You know your customers better than I do, but I spent a bunch of years doing this work for startups and don't think I ever told anyone to SOC2 preemptively.
|
| Fourth: a real risk with rushing certification is that it can warp your security engineering and business processes. SOC2 is particularly amorphous, and SOC2 auditors are a weird bunch (people with strong opinions about which security tools you should be running that don't know the difference between an IP address and a domain name are people whose influence on your IT and engineering you should limit). You want a security team in place before you start chugging away at SOC2, so that your security team can be the primary influence on what engineering you do to support SOC2 (a competent security team will win any shootout with any major-label auditor).
|
| Fifth: for most companies, you'll be 25-35 engineers before you contemplate a full-time security person, which gives you an idea of the normal lifecycle point at which you might start seriously considering certifying.
|
| I wrote a blog post for my last company about some things to know about SOC2 and early-stage companies:
|
| https://latacora.micro.blog/2020/03/12/the-soc-starting.html

quicksilver03 wrote:
| > First: the rule with these kinds of certifications is simple: don't do them until you have customer deals contingent on them.
|
| Getting an ISO 27001 certification can take months of effort, and not all deals can be stretched this far without significant repercussions.
|
| Just a data point: I led the certification project at my current company and it took us 8 months (~65 people in total, of which 3 full-time in IT); the auditors were a little hesitant at first because the system wasn't "battle-tested" as much as they'd have liked.

paddybyers wrote:
| This ^ is my favourite writeup on the question of how you implement SOC2. I wish I had read that before we started; after going through the Type 1 and Type 2 process, we've ended up with the same conclusions. I've lost count of the number of times I've recommended that. Our experience (global B2B customers, heavily skewed to NA) is that SOC2 Type 2 is the most frequently requested/expected standard, and if you have that, not having ISO is very rarely a dealbreaker. Neither makes the security questionnaires go away; they continue to be mandatory, require expert input, and are a significant drain on time. However, having SOC2 and/or ISO does mean that you've already thought of the answers to the questions and you'll have a defensible position, backed up by a track record of independent audits, when your particular approach doesn't meet the "gold" standard implied by the questionnaire. (Edit: typo)

vishnugupta wrote:
| It's a line-item in many of your clients' checklists. If they don't tick it off then you will have to answer a bunch of questions. It's a one time pain to get out of the way.
|
| You could also start the process and ask your certifying consultant to give you a certificate saying it's in progress, which is also good in many cases, but follow through to complete it.

Freak_NL wrote:
| > It's a one time pain to get out of the way.
|
| It's also a yearly audit and a continuous process to maintain it though.
___________________________________________________________________
(page generated 2021-11-03 23:00 UTC)