A SaaS start-up can only go so far before it’s time to consider certifications and compliance standards for advancement. But let’s make it clear that at Detectify, we don’t see compliance as security. If you’re stuck in between the two right now, here’s our use case for getting ISO 27001 certification and how we made it work for Detectify, a SaaS-based web application security scale-up that has its fair share of passionate security defenders aboard!
On Jan 20, we hosted a Livestream to detail our use case. We invited Jenny Gabrielsson, CFO at Detectify, and Johan Edholm, co-founder and security engineer at Detectify, to discuss the business impact and technical implementation of our Information Security Management System (ISMS) and ISO 27001 certification project. Watch the recording on demand.
Getting ISO 27001 certification could be the next phase for a SaaS company looking to expand its marketing and attract more established business partners. The motivation for obtaining ISO 27001 leads to apparent benefits like reduced cybersecurity risks and associated financial risks that came with it. SaaS companies that are ISO-certified also reap benefits of:
Gaining a new market segment and competitive edge
We started to hear this term pop up more in dialogues, and that our prospective partners were ISO 27001-certified, which required their future partners to have this accolade. Even our existing customers started to demand ISO certification to maintain the relationship. Gaining this has now boosted our position amongst SaaS companies in our space as certified as a trustworthy vendor with a reliable information security management system (ISMS).
Clearer structures in place for internal work processes.
Having the ISO 27001 badge signifies that the ISMS implemented maintains the security and privacy of all the user information flowing through our solutions and work operations. But even as a security company, it wasn’t a cake-walk, and we had to work for it. The project’s initiation showed us how good or bad we were with information management and what it took to become certified secure to meet our stakeholders’ expectations. Now we’ve come out with organized ways to collect and store evidence related to ISO controls.
Increased awareness for information security risks and evaluations
ISO 27001 isn’t rocket science, but it isn’t a one-person show either. It takes an adjustment to get everyone in the organization to see the same vision and gains to achieve the goal together. As Johan put it: “Security might make things a bit more complicated, but we accept that in our everyday life already (for example, you lock your door even if it’s a bit more of a hassle). To make it more acceptable to employees, you will need to try to make the policies and processes to enable people to do their work instead of blocking it as much as possible and make sense. Nobody likes doing things that feel unnecessary or things they don’t understand why. Spreading knowledge helps this a lot.”
Rolling out this program included our infrastructure defenders and our entire workforce dedicated to building the technology, forging meaningful customer relationships, and team member satisfaction. Here are our top tips for implementing your ISMS to achieve ISO 27001:
1. Get buy-in from top to bottom
Security should never be a one-man show, and becoming ISO compliant and implementing security practices beyond this takes commitment from the board, management, and the rest of the organization. This helps put your efforts to ISO certification on the table as a priority for business operations. Everyone has a part in understanding what achieving this means for your company’s outlook and meeting customers’ service expectations. Also, be prepared to discuss whether ISO or other projects need to come first and why.
2. Start security champions program
At Detectify, security is top-of-mind in our business since we are a security company. Still, we also face the same challenges for adopting practices and spreading security knowledge to all. A common method in the industry is to have Security Champions in place to be the beacon for tech teams’ security knowledge. We took this on with our spin to roll this out in all groups as information security goes beyond the tech functions. Even admin and commercial functions have a champion to help the central ISMS team communicate about changes to daily operations, policy implements, and answer questions related to security in the day-to-day. Our Security Champions shared their top tips for organization awareness here.
3. Bring in an expert
Remember, we aren’t compliance experts, so we needed to take someone externally to guide us through the process. They coached and helped us set up documentation, which validated things along the way before the big audit day. This proved to be valuable in realizing how big the project was ahead of us and anticipating what would be looked at more closely by the auditor, especially since we are a SaaS company trying to make our set-up work for a standard that was developed for an on-premise Windows set-up.
4. Implement new tools, and start simple
As a security automation company, we have an affinity for automated tools to help us achieve and maintain ISO needs standards. However, there’s no need to go out and buy all the things right away. Start simple with existing programs you are using. For example, we used Google Sheets and Docs to build up the checklist, control inventories, and create policies for us to start collecting evidence for the ISMS group and org-wise resources.
5. Don’t use old solutions in new environments
As a SaaS company with a flexible remote-work policy from an early stage, we needed to make sure the solutions we implemented would fit our tech-agnostic landscape with Windows, Mac and Linux, and affinity for cloud-friendly tech like slack. The security tools would also need to enable and not block everyone from doing their job. We added several security automation solutions (surprise!), including Kolide for endpoint security alerts directly into our digital workplace. This works well for our organization, including our less-technical people and slack-hosted communications:
“I am in sales, and I get these Kolide notifications straight to slack. I have found it very simple to follow the instructions on how to remediate!” – Account Executive at Detectify.
Johan Edholm, Security Engineer and co-founder at Detectify, provides more on the actual technical implementation of our automation tools in the recording.
6. Host security training online
We tried different solutions and recommend that you allow time for evaluating whether a tool or program will work long-term for your organization – security is an infinite goal! There are many options out there for training, and hosting it virtually lets training happen on the individual’s schedule. It’s essential to find something that the least technical or security-interested individual would be willing to do. In this case, we moved security training to host our training content with quizzes and involved our Security Champions and the ISMS group to help with the material. If you don’t have an interest in creating the training lessons, there are options for online training that comes populated with content.
7. Don’t stop at passing the test
Going through ISO 27001 certification might be the kick-in-the-butt you need to start looking at your security practices and whether you have the programs and automation in place to call yourself secure. Both speakers stressed that you can use this opportunity to learn about the gaps in your security set-up, and then start implementing security – not compliance. Achieving ISO certification is a milestone. From there, the true effort comes in to make improvements based on your audit, and then maintain the information security level so you can keep the certification.
Is it worth it without a business need?
When we asked Johan Edholm, he answered, “If your only goal is to be more secure, you can look at the standard and see what would make sense for you. Unless you have a business need to show off your ISO 27001 certificate, you might as well spend the money on something else with higher business value on your list.”
How can Detectify help?
ISO 27001 control A.12.6.1 requires that you have procedures for timely identification of vulnerabilities and evaluating any exposures and appropriate action to mitigate the security risks. Detectify is a dynamic web application security scanner that continuously monitors across your attack surface for vulnerabilities and exposures and throughout your web app layer for known vulnerabilities actively exploited by persistent attackers.
Detectify collaborates with leading ethical hackers to develop the latest research into security tests from hacker-to-scanner in as fast as 25-minutes. Give Detectify a go with a free 2-week trial or book a demo with our security experts to learn how Detectify can help you set up app security that goes beyond ISO 27001 requirements.