We recently successfully gained certification for the internationally recognized ISO standards 27 001 and 9 001.
This proves that we have implemented a management system for information security and quality and are driving a continuous improvement process in these areas.
But how did we manage this as a young start-up with just four employees in around three full-time positions?
How difficult is it? And what does it cost? We open the curtains and take a look behind the scenes.
Contents
- Why ISO 27 001 and 9 001?
- What is ISO?
- How does the certification process work?
- ISO with or without support?
- Our consulting meetings
- Our tasks up to certification
- Our management system
- Initial certification
- Next steps
- The added value of ISO
- The added value of external consulting
- Challenges
- How much did the ISO certification cost us?
- A first conclusion
Why ISO 27 001 and 9 001?
Since our company was founded in 2020, we have been focusing on data protection and information security with Friendly. The first few years of business have shown that we are well positioned. We are receiving more and more inquiries from companies that attach great importance to compliance: Insurance companies, banks and companies in the healthcare sector.
In 2023, however, we lost an important major contract in the compliance review process because we were unable to present a recognized security certification.
We realized that our offering is interesting and relevant for security-sensitive large companies and public administrations. This target group has high information security requirements.
As we see great potential for us in this target group, we decided to go to the effort and expense of obtaining ISO 27 001 certification.
ISO 27 001 is the world’s most important standard in the field of information security. It includes the introduction of an information security management system (ISMS) – a systematic approach that encompasses people, processes and IT systems. Read more about ISO 27 001 in our blog post.
It is only in the US that SOC 2 certification is more important than ISO 27 001 in the area of information security, but since our main markets are Switzerland and the EU, ISO 27 001 is more relevant for us.
During preparation, we learned that ISO 27 001 has a lot of overlap with ISO 9 001, the ISO standard for quality management. With manageable additional effort, it should be possible to be certified for both standards together. That’s why we also opted for ISO 9 001. Learn more about it here.
We were won over by the fact that both ISO standards offer great potential for internal company improvements. The standards are highly flexible in terms of their requirements. This minimizes bureaucratic redundancy.
Their evidence-based and goal-oriented approach allows improvements to be prioritized where actual and urgent risks exist or where current and significant goals can be achieved. This approach convinced us.
What is ISO?
The International Organization for Standardization, internationally abbreviated to ISO, is the body behind the ISO standards. It is an international association of standardization organizations and has been developing international standards in various areas since 1947.
However, ISO itself does not certify companies against its standards or monitor such certification. It is the legislative body, if you like. The judicial part, that is, the verification of conformity with the standard, is carried out by independent certification bodies. In Switzerland, these in turn are monitored by the Swiss Accreditation Service (SAS).
In principle, it is possible to learn about the ISO requirements yourself, implement them and certify your own compliance with the standard. However, the credibility of such self-certification would of course be low.
Therefore, the most common way is to have a recognized certification body verify compliance with the standard. The certification body holds registered seals so that outsiders can verify the legitimacy of the ISO certification.
How does the certification process work?
In short, the roadmap to ISO certification looks like this. These are the first steps:
- Selection of ISO certifications: It can make sense to acquire several certifications together. Sometimes there are synergies that can be leveraged.
- Selection of a consulting firm or software solution: This step is optional, but highly recommended.
- Selection of a certification body: The certification body will carry out the audit and issue the certificate.
This is followed by preparation for the audit, either independently or with the help of a consultant.
- Understanding requirements: The official ISO documents (here for ISO 27 001, for example) can be used for this – or a consultant can explain the requirements and the process.
- Implementing standards: The ISO standards may require documentation, the establishment of a management system and the implementation of efficient processes.
- Registration for the certification audit: The application can be made as soon as a realistic deadline for implementing the standards can be set.
The next step is to obtain certification:
- Initial certification audit: Usually a full-day on-site meeting in which the auditor reviews the implementation of the ISO standards with the management.
- Certification with audit report: If everything went well, the company receives certification and a detailed audit report within a few weeks. From now on, the seal of certification may be used and communicated.
- Implementation of requirements from the audit report: The audit report will usually contain conditions or suggestions for improvement that are to be implemented by the next audit.
Moving on – after the audit is before the audit. Annual audits are due in the following years:
- Surveillance audit in the 2nd year: One year after the initial certification, the performance of the established systems and processes is reviewed.
- Surveillance audit in the 3rd year: Another surveillance audit takes place the following year.
- Re-certification in the 4th year: Every three years, the company undergoes re-certification with a more extensive audit. All documents and systems are reassessed.
ISO with or without support?
There are two different ways to obtain support on the way to ISO certification.
On the one hand, there are software solutions. For ISO 27 001, these include Vanta, SecJur or SecFix. They offer preparation for certification and implementation of the required measures via software. In addition, they provide a limited amount of personal support.
We researched various offers in this area and ultimately decided against a software solution. Our personal reasons for this were:
- The price/performance ratio did not seem ideal to us. The solutions were just as expensive or even more expensive than a consulting service. They ranged from CHF 10 000 to CHF 20 000 for the software including limited consulting.
- As a small start-up, we shied away from one-size-fits-all solutions. We assume that software can only address our specific situation as a very small company with a specific offering to a certain extent. A standard implementation of ISO could be too bulky for us.
In dealing with the software providers, we noticed that they were really good salespeople. They responded quickly and professionally to our inquiries and were able to present themselves well. In most cases, it was possible to book a consultation appointment directly on the website, which we really appreciated.
Another option for support in the ISO process is offered by consulting agencies. They have the advantage of being able to respond to specific individual needs. We anticipated fewer redundancies from this.
Unfortunately, some of the consulting firms we considered were less strong in sales and took over a week to respond to our inquiries. The firm that made our shortlist was a positive exception and responded to our messages very promptly.
In the end, we chose this consulting firm for the following reasons:
- We liked their focused and pragmatic approach. They promised to tailor the process to us as a small company. We shouldn’t get bogged down with measures that wouldn’t be relevant for our company size.
- We appreciated that the provider was Swiss and familiar with the business and legal framework in Switzerland.
- We had a personal reference from a business partner who had a positive experience with this company.
- For us as a start-up, the fair price offer also played a role (CHF 15 000 fixed rate, more on the costs below).
A third option is to carry out the ISO preparation completely autonomously using resources from the Internet. This was not realistic for us because we do not have the personnel resources required to familiarize ourselves with the process. We also doubt that this solution would pay off. In our estimation, the personnel costs could quickly exceed the costs for external consulting.
After choosing the consulting firm, we selected a certification body. We researched which certification bodies other Swiss companies in the tech sector work with (this can be identified on their certification seals), paid particular attention to Swiss providers and compared prices here too.
Once the contracts were signed and the first meetings were scheduled, we got started.
Our consulting meetings
The certification process began with an initial meeting with our consultant in August 2023 at our Friendly office in Hergiswil near beautiful Lake Lucerne. He gave us an initial understanding of the certification requirements with his characteristic whiteboard drawings.
In three further meetings, our consultant explained further elements of the ISO standards to us and addressed any questions that had arisen in the meantime. This personalised process was invaluable for us, as the ISO standard itself does not provide any didactic assistance. We were guided step by step through the requirements and were given a clear orientation.
The following meetings took place at monthly intervals so that we always had enough time to realise the next tasks.
These four meetings in four months were sufficient for us. We worked so efficiently and purposefully between the meetings that we even overtook the timetable. However, depending on the size and structure of a company, this process can take well over a year.
Our tasks up to certification
These were the tasks we completed one by one:
- Compiling a list of evidence: In order to document the current state of our company, we had to compile information about all areas of the company that shows that we are a solidly managed and organised business. This included organisational charts, employment contracts, company objectives, business balance sheets, product descriptions and a description of our IT infrastructure.
- Completing risk checklists and statements of applicability: A central element of the requirements for ISO 27 001 and ISO 9 001 is a pair of risk checklists: possible risk factors in the areas of business quality and information security are identified and individually weighted according to risk potential in order to identify the most important development areas in the organisation. ISO 27 001 also has a so-called “Statement of Applicability” with 93 controls for information security, which are weighted according to relevance. We carefully analysed all risk factors and control points and assessed them in relation to our company.
- Setting up a work environment: We set up a work environment in our workspace to gather all documents, checklists and tasks relevant to the ISO process in one place. We use Notion as a team workspace and we were able to seamlessly integrate the ISO workspace into it.
- Understanding the continuous improvement process: The continuous improvement process (CIP) is one of the most important concepts of ISO standards 27 001 and 9 001. The aim of both standards is not immediate perfection, but a risk-based and goal-orientated approach: improvements should be implemented where actual and urgent risks exist or where current and significant goals can be achieved.
- Setting up a management system: We integrated a Kanban task board into our work environment, which allows us to record, monitor and implement our improvement measures. All tasks are linked to our personal task boards. This ensures that the ISO tasks do not get overlooked in our day-to-day business.
- Clarifying open questions & revising material: We repeatedly clarified open questions with our consultant that had arisen in the process and then revised our material. For example, our understanding of how to interpret the probabilities from 1 to 6 in the risk checklists evolved. The external guidance was a great advantage for us on these and many other matters.
- Transferring Excel tables to our system: During the process, we decided to transfer the Excel risk tables to our Notion work environment. This allows us to link the control points with the planned measures, making it much easier to maintain an overview.
- Determining critical risk factors: In dialogue with our consultant, we determined the critical risk factors and urgent control points in the checklists in order to tackle improvements in these areas first. For us as a software company, for example, the risk of a hacker attack is very relevant, as is the management of data security incidents.
- Deriving measures: We derived specific implementation measures from the most important control points, which we entered into our Kanban board in Notion. These tasks contain a reference to the control point, the person responsible, a deadline and usually also initial notes on the topic.
- Planning management reviews and internal audits: Management reviews and internal audits are helpful tools for keeping an eye on compliance with quality and information security requirements. We have integrated these into our planning. We will carry out at least one internal audit per ISO standard and year, the topic of which we determine based on key control points.
- Scheduling regular checks of all areas: We will update the risk checklists and the Statement of Applicability once or twice a year to check the status of improvements. We also set a date to plan the management reviews and internal audits for the following years.
- Final checks for the certification audit: Finally, we carried out a last examination of our management system together with our consultant.
Our management system
Our complete management system, which we use to map and implement the requirements for ISO 27 001 and 9 001, currently comprises the following elements:
- Overview and resources: An area where we store our evidence list, audit reports, templates and other tools and resources.
- Checklists and Statement of Applicability: This is where we keep the checklists defined by the ISO standards, which allow us to measure our improvements.
- Continuous improvement process: The Kanban task board for the ISO measures. As mentioned, all ISO tasks are also displayed on our respective personal task boards.
- Internal audits: A database in which we plan internal audits and store the logs of previous internal audits.
- Management reviews & corporate objectives: A database in which we store our annual management reviews, as well as an overview of our quality targets, information security (IS) targets and KPIs.
As already mentioned, we benefit from synergies between the ISO standards 9 001 and 27 001, as both require the introduction of a management system, albeit with a different focus. Both can be served by a single joint management system in which the measures for quality management and for information security are managed together.
Initial certification
Our initial certification audit took place at the end of November. We met with the auditor at our office in Hergiswil and presented our management system in an all-day meeting.
These topics were part of the audit:
- Overview of the management system
- Operation of the management system
- Our completed Statement of Applicability
- Performance of our system
- Planned internal audits
- Our CIP (continuous improvement process)
At the end of the meeting, the auditor suggested areas for improvement and the tasks we should tackle next. One of these is incident management: the development of processes and guidelines in the event of a data breach, which is a relevant topic for us as a software company.
At the same time, the auditor assured us that we would pass the audit. A few weeks later, we received our certificates for ISO 27 001 and 9 001 as well as a detailed audit report.
Next steps
Our audit report states that our management system fulfils the conformity requirements of ISO 27 001 and 9 001 and we therefore received the certifications without any further conditions.
Click here for an overview of our current certifications.
However, the principle of ISO standards stipulates that improvements are to be implemented on an ongoing basis. Accordingly, the audit report provides some binding and some non-binding suggestions for improvements that can or should be implemented up to the next review audit.
Further measures that we will implement are derived from the checklists of the two ISO standards.
For example, we will issue employee regulations, present a business continuity plan, define and review information security objectives and carry out penetration tests.
This year, it is crucial that the management system works in practice and that the improvement process is actively applied. This will be the main focus of next year’s surveillance audit.
And for us as a company, it is important that this improvement process not only gives us a seal for advertising purposes, but also creates real added value for our company.
The added value of ISO
We were convinced from the outset that the ISO 27 001 and 9 001 certifications would create added value for us and our customers. For this reason, we were willing to shoulder the significant costs (see below).
In the meantime, we have seen proof: Both ISO standards offer useful suggestions for improvement, which we will be happy to implement. In both areas, the ISO standards are based on a wealth of experience and cover a wide range of risks and control points.
Using the checkpoints, we can reflect on the potential for improvement in a wide range of areas and processes and identify those in which we can achieve the most efficient results. This helps us to make sustainable progress.
Our customers benefit from this in the following areas:
- Increased security: We have introduced an information security management system (ISMS) that meets international standards. This ensures that we have a functional, robust, evolving system to protect data.
- Compliance: Our ISO 27 001 certification provides our customers with proof that we know and implement the applicable legal regulations regarding IT security and data protection. This also supports them in complying with their legal obligations.
- Quality and reliability: Our customers can trust that, as a certified company, we consistently deliver high-quality products and services.
- Commitment to continuous improvement: We are committed to actively improving our services and processes on an ongoing basis. Our customers can be confident that they are working with a successful company for the long term.
Further added value: See our blog posts on ISO 27 001 and ISO 9 001.
The added value of external consulting
Looking back, we are very pleased that we sought the support of an external consultant. This has helped us significantly in the following areas:
- Overview: The requirements of the ISO standards are extensive. Our consultant guided us didactically through all the concepts and materials. This gave us a good overview at all times.
- Explanations: Some wording and requirements were not readily understandable for us. Our consultant answered our questions and provided helpful explanations.
- Roadmap for implementation: It is up to each company to draw up its own implementation plan. Our consultant prepared this process for us and indicated the specific next tasks.
- Prioritisation: The two ISO standards contain a total of over 180 control points. Our consultant used his experience to help us prioritise the right areas and thus avoid tackling too much at once.
- Resources: Our consultant provided us with additional materials and templates, for example for management reviews, internal audits and asset management.
In addition, our consultant gave us an independent view of our company’s performance. We were pleased that he confirmed from his external perspective that our company was already very solidly organised before the certification. He hadn’t necessarily expected this for a young start-up.
This motivated us and gave us confidence that we would manage the ISO process well.
Challenges
We see three challenges that we will have to face in the coming years:
- Further implementation: We have successfully set up our management system. However, the real test is that the system is effective in practice and initiates continuous improvements. We operate with just four employees and have to prioritise very well in order to make enough working time available for further ISO implementation. We have to pay close attention to this.
- New customers: We have invested in the certifications in order to activate the market potential in the area of security-sensitive (larger) customers. Now it is up to us to convert this potential into new orders.
- Finances: The certification costs were not trivial. We will see whether we have invested this money well. More about this in the next section.
How much did the ISO certification cost us?
The financial costs of ISO 27 001 certification can vary greatly depending on the size, complexity and structure of a company.
As an Open Startup, we also share the costs that Friendly has incurred for this long-term investment. As we were certified for ISO 9 001 at the same time and the costs largely overlap, the figures apply to both certifications together.
As mentioned, we engaged an external consultant to help us prepare for the audit and set up the management system in our company. We paid a fixed fee of CHF 15 000 for all the work involved up to successful initial certification.
In addition, there are internal personnel costs. Our CEO Stefan Vetter invested around 40 working hours in preparing for the certifications, while our CISO Kathrin Schmid spent around 16% of her time over four months.
As the founder and sole investor at Friendly, Stefan has not yet paid himself a salary. We have estimated an internal hourly rate of CHF 100 as the basis for his salary. Calculated in this way, our salary costs for preparing for certification total CHF 10 114.
The initial certification audit and issuing of the certificate cost us another CHF 5 820.
This means that the initial ISO certification cost us CHF 30 934.
In the following years, the consulting effort will be smaller. But every year, we have to implement further measures and pass the annual surveillance audit as well as the recertification audit every three years.
Most of the responsibility for the ongoing implementation of the measures will lie with Kathrin. As a rough estimate, we expect a permanent workload of around 10% for this task, which corresponds to CHF 11 463 per year based on Kathrin’s current salary.
We expect our CTO Joey Keller to spend around 3% of his working hours on this and Stefan a good 40 hours more.
The external audit costs us CHF 5 820 per year.
We therefore anticipate long-term annual follow-up costs of around CHF 23 401.
In the course of the certification process, it became clear that our certification costs were – relatively speaking – still quite low. We are able to implement the required standards efficiently because our structures and processes are still lean and simple and we can quickly get all employees on board.
In a larger company, we would have to expect a disproportionately higher restructuring effort and therefore also significantly higher costs.
Nonetheless, the certification costs are not an insignificant sum for us as a small start-up. Measured against our last annual revenue of CHF 279 004, the certification costs of CHF 30 934 are a hefty sum. It remains to be seen whether the investment will pay off.
A first conclusion
So far, the ISO 27 001 and 9 001 certifications have been a success for us. We have received confirmation that we run a reliable and sustainable company and we have established a solid system for continuous improvement in the areas of information security and quality management.
The certification process was pleasant and focussed for us thanks to the professional support. In our opinion, the standards themselves are sensibly designed and do not generate administrative redundancy, but rather set effective processes in motion.
The certifications will pay off in the long term if we master the challenges mentioned. It remains to be seen whether we can achieve this. That is why the conclusion at this point is provisional. We will keep you posted.