Ask HN: Is the ISO 27001 certification worth it?
125 points by piotrgrudzien on Nov 3, 2021 | 103 comments
ISO 27001 (https://en.wikipedia.org/wiki/ISO/IEC_27001) certifies that information security is properly managed at a company or organisation. But the process of obtaining it is costly and time-consuming so I wanted to ask people who have experience with it: is it worth it?

If you're a company doing B2B sales, how often do prospective customers ask about the certificate? Does it ever make or break a deal? When did you decide that it's time to get it done?

Thanks!




(I work at/cofounded Vanta)

We work with companies doing B2B sales and looking for help with compliance certifications like ISO 27001 and SOC 2. Some folks come to us early but most come with a deal on the line — which is to say, this is a process you can start “just in time” if you must.

From what I’ve seen, saying “no I won’t go through your security review process” is an (obvious) dealbreaker, but there’s a lot of ways to get through that process: ISO cert, SOC 2, the promise to get either of those certs by your go-live/implementation date, security questionnaire hell, etc.

As mentioned previously, ISO is preferred by European companies; SOC 2 is more likely to be mandated by American companies, and you’re likely to get pretty far, even in Europe, on just a SOC 2. If I had to construct the situation that’s most likely to be deal-breaking, it’d be an old-school European company that’s operating off a rigid flow chart: “if no ISO 27001 cert, go back to start. Do not pass Go. Do not collect $200.”

A few folks have mentioned cost (dollar and organizational) — ymmv and/but the cost of obtaining ISO 27001 certification varies with the number of employees, say $10-20k for smaller companies. Implementing ISO 27001 and an ISMS can be blitzed by small teams in a few weeks but probably will take a couple of months to a year for larger organizations.

(And we’d love to help if you decide to pursue this at Vanta etc etc)


We just signed up with Vanta to do our SOC2. I have to say that the process is a lot of work, but I can give a +1 for any other SaaS to use Vanta: they make the process simpler and more automated, helping guide you through the complexity, and you have regular calls with your Vanta account rep, who actually gets on Zoom calls with you every couple of weeks to make sure you get through the process, which is amazing support.

Thanks Christina and the Vanta team for making the SOC2 compliance process… digestible :)


Check out secureframe.com as well (I like them the most, albeit just getting going)

Also in the space:

- Drata

- Laika

- Tugboat

- Kintent


My experience is that ISO 27001 only doesn't get you far in the USA; the rest of the world is fine with it.


How can one reach you at Vanta?


christina@vanta.com


> When did you decide that it's time to get it done?

There is a time management component to this. If you're still in a deal without a 27001 certification, the security questions don't go away. Instead, you get sent a security question set to answer. These question sets can be huge - our record is about 300-400 questions. And once you've answered those, you're not done - then you go into discussions with their cybersecurity team about your answers.

Once you're in the loop with a number of large deals, this becomes a huge time sink.

And no, you can't give this to an intern, or just search-and-answer most questions, because every company formulates their questions and requirements differently and it takes some knowledge to figure out what they mean and want.

And at times the discussions afterwards are even worse. I've had InfoSec guys tell me they're concerned because I cannot give them the specific details on the physical security of an AWS datacenter, because these are not available.

As much work as getting and maintaining an ISO27001 certification is, there is a point after which it'll save you time and nerves.


There's a very recently announced (https://security.googleblog.com/2021/10/launching-collaborat...) initiative by Google, Salesforce, Okta, Slack and others to create a minimal security standard - https://mvsp.dev/ - which will hopefully reduce this overhead and encourage an improvement in security across the industry.


I note that section 1.6 is "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18".

That looks larger than all the other requirements.


I think the intent here is to note that there may be business requirements about these that affect the security of your business.

For example, if anyone pays you through credit cards, PCI DSS is non-optional. Certain transactions of health information will require HITRUST. Without them, you won't be able to do business, and while they seem large (PCI DSS, if you have another company handle the cards, is a very simple self-assessment).


IME the human time cost and direct expense associated with obtaining HITRUST, even if you've already done SOC2, is roughly in line with buying a Lamborghini.


Yes, unsurprisingly, this is set up to protect incumbents that have collected all these certifications.


The 'standard' one I've been asked to complete a few times is the CAIQ:

https://cloudsecurityalliance.org/artifacts/consensus-assess...


My experience doing this for several large companies at a time is that the questionnaires don't really go away with certification. There are probably some shops where audit reports will substitute for the Excel spreadsheet Q&A's, but there are plenty of others where the Q&A is a dealbreaker part of procurements no matter what.

If you're in a line of business where your customers have questionnaires, just plan on having someone whose job is to fill these things out.


We got a SOC2... and still get questionnaires. It's the worst. Companies are just outsourcing their security reviews to the vendor. Rather than rely on a 3rd-party audited document, companies want their custom questions answered. BUT - they aren't custom questions - it's the same questions for every vendor, and they are very often poorly worded. Then when we turn them in, there are no follow-up questions, which to me implies that no one is reading them. Security theater...


I would argue it is "Compliance Theater."


We have a SOC2 Type II report, and security questionnaires/meetings are still there. Once we had a security questionnaire from a potential customer, took a glance at it, and told the customer "hey, you can find all of the answers in our SOC2 report and in our CAIQ (CSA)"; they told us to still fill in the questionnaire...


Agreed with this, we still get questionnaires.


Absolutely this.

Each potential client has a unique, generally quite substantial list of security/tech questions in several spreadsheets. You answer each one as well as possible, and give details. This is definitely not an intern gig: at my fintech startup we had the CEO or Dir Eng or myself (DevOps) do it. Generally all of us took turns. They're pretty onerous.

Having done the work for the ISO-27001 helped. For that cert we'd already had to think about and document a ton of security related things. Potential clients were happy to take our internal docs (written for ISO) as details to their questions. If they actually read our docs or if it was just a checkbox requirement, that's a good question :)


It's probably easier to start w/ a SOC2 TypeII though. Once you get that down, you're at least 50% done with the 27001.


Why a Type 2? The documentation you'll generate for the Type 1 covers just as much questionnaire terrain as the Type 2 does.


Type 1 is a point in time, and it expires. Type 2 maintains it.


Because most CISOs / security reviews we go through ask for it.


But that's not the reason you gave for getting the Type 2!

My experience has been that companies regularly close deals by committing to get a Type 1, for what it's worth.


Right, it's multiple benefits: the soc2 has a lot of overlap with 27001, a bunch of overlap with hitrust, it's a bit easier to do, and the CISOs we talk to want the Type 2. Internally, you can bump up your security practices, eg it forced us into a level of internal controls that was early for a startup. But beneficial, imo. I really can't think of many drawbacks if you work with customers that ask for these things.

In our case, the customer profile is from lower midmarket to Fortune 50.

You probably can close deals (depending on the customer, obviously) by committing to a Type 1. We did that at the beginning, but it exposes you to a lot more interactions with the security team. While you rarely see deals fail for security reasons, I've had it happen. So my experience is the less interaction you have with them, the better off you are. And a Type II plus the annual (or more than annual) pen tests make a lot of the questioning less intense.

btw (happy to disclose personally, but I keep my identity private on hn), you can get the audit done for a lot less than $70k if you use a smaller firm, and that never was a problem with our customers.


I've seen deals contingent on named and/or Big 4 auditors, so I'm going to go ahead and disagree there too. With major buyers, I think there's pretty general awareness that there's a race-to-the-bottom market for cheap SOC2 assessments.

Anyways: the point I'm making is: a Type 2 probably doesn't do anything more to prepare you for 27001 (which you should not get) than a Type 1 does. The subject matter of the assessments are the same (in fact, the Type 1 essentially sets the playbook for the Type 2, which is something you should be careful about).

Pentest reports can definitely mitigate security objections. What's funny is that none of these certifications meaningfully require them. All the more reason not to pay much attention to them until you have to.

You should think of SOC2 and ISO 27001 as exotic sales expenses, not as something your startup needs to engineer against.


This is a YMMV situation I think. In our case, when we only had our Type 1, we did deals _conditional_ on getting Type 2 within a year.


I wouldn't agree with that. It seemed like it was more like 20% of 27001.


We had one that was over 500 questions.

And this is certainly the truth:

> And no, you can't give this to an intern, or just search-and-answer most questions,

Ah, but the answer for major suppliers such as AWS and Azure, etc, is their own ISO 27001, SOC2, etc, certifications that you can defer that risk to.


Caveat: even with ISO27001 you will still have those questions with huge actors, especially industrials (service businesses are way, way lighter) or private-public sectors with huge incentives (energy, construction and medical).

However, having passed the certification process still saves time.


> specific details on the physical security of an AWS datacenter

So, you want to certify yourself as secure, yet you store data on other people's computers, and you don't know how they are protected?


Yeah, exactly, it's always possible to fail someone if ANYTHING is outsourced. Keep on digging, digging, digging. For example, Amazon is PCI DSS Level 1 and more than willing to provide docs to prove it, so if you need PCI DSS 1 or less, that "should" be OK. OK fine, keep digging. In more detail you can see AWS brags about having linked their HR system to their security system, so when someone is terminated their security access is immediately and automatically revoked. OK fine, keep digging. I demand to see the Python script or whatever that they wrote, and I'd like to examine the system logs on both sides to verify operation of that security system. Ah, got them now. OK, now I demand to read the source code for the BIOS of the computer that connects those two systems. Can't do it? You're now officially insecure, cancel the deal.

You can shut down deals that aren't outsourced by demanding more difficult stuff like viewing the manufacturing masks for the microcontrollers in the badge scanners. No not a generic mask for the CPU family or similar model of slightly different capacity, I mean the mask that was specifically used to make the specific chips in the individual badge scanners. You do audit that, don't you? Why can't I have the firmware to the chip in your usb keyboard, are you guys hiding something in there like a password grabber? Can you provide the source code of your on premises Cisco routers for our security review? Does Cisco know you can do that (LOL?)

Security is not a checkmark, it's always been a spectrum, and if you want to torpedo a deal it's always possible to crank up the demands until the other side quits. It may not be useful or provide a business advantage, but nothing is ever truly secure. Probably the AWS stuff is better than average, LOL.


Do you actually run a soc or iso certified data center? Because 99.9% of companies, even those who don’t use cloud services, use other people’s racks, cages, power, network etc for certified systems.

I don't think I know a single serious security professional that would raise an eyebrow at using cloud resources. Quite the opposite: there is a fairly straightforward and repeatable process for securing cloud resources. Unlike on prem.


AWS has ISO27001 certification and more. The whole point of these certifications is that it proves a competent auditor came in and checked all of these things, so your customers don't have to.

Part of ISO27001 is proving that your supply chain is also ISO27001 compliant. So picking companies that are already certified makes that easy, because then the certification naturally recurses down your supply chain.


AWS is ISO and SOC certified, so they get audited on physical security. I can trust that they did it right because they passed their audit. I don't have time to go bother AWS about their security cameras and key card procedures.


And no auditor is going to ding you for noting that you have deferred the risk to them.


Certification allows you to form a chain of trust via providers who have had auditors validate and verify their security. When my company gets SOC2 audited, we don't have to audit AWS because AWS is also SOC2 compliant, and their business critical vendors are likewise or have been independently validated, etc. all the way down the chain.


I don't expect companies to hand out every detail about their security architecture. Security by obscurity is bad when it is the only thing you have, but it is an important part of the system as a whole.

I also wouldn't want to deal with someone who tells me details that are not publicly available. If he tells me somebody else's secrets, he will tell others my secrets.

There is no good answer to these questions except "this is not publicly available data".


If you are a b2b company your customers will start to ask you at a certain point. Not having it can break a deal for sure although having it won't make the deal.

My advice to you is to gradually improve your infosec posture and policies etc., but rather than kicking off the certification, wait until a customer asks you for it during vendor due diligence, then say "we're working towards it" and immediately after the meeting commission one of the outside firms who do the evaluation for you.

The evaluation process takes a while and in my experience customers are understanding about that especially given b2b sales aren't exactly quick normally.


This has been the best answer in my opinion: the cost of achieving the certification is only worth it if you have prospective customers demanding it (so that their business will "pay" for the cost).

Oftentimes, companies from the USA will prefer SOC2 Type2 instead of ISO. So in my experience it is best to check with the market.

Regarding B2C companies, in my experience you'd like to get an ISO certification to reduce pressure from some governing body. For example, I was in a company where we did ISO-37001 because in our country that is a HUGE risk, and our market was attracting a lot of attention from government and regulators. Having an ISO gave us a "checkmark" in their eyes.


Yeah exactly that's the reason. In my last company we did eventually have to get ISO27001, SOC2 and ISAE3402 but by waiting until the customer demand is there you get the best sequencing and avoid duplication of effort as far as possible.

Your time and focus is an extremely precious resource especially early on in a startup's lifetime.


It's theatre, so it won't help actual security. Having said that, even quite small firms I've known have decided they needed it in order to get customers.

A fair few large customers require it and won't bother talking to you if you don't have it, so if you can otherwise do the sale there's a good reason to get it.

Your real problem as a small vendor is deciding when this is necessary, because you might be getting customers just fine when you're small and dealing with people who care about actual security, not paper security. At some point you are gonna have to pull a few people out to get all this paperwork done. I spent last summer doing a whole pile of "Information Security" policies for a friend I was helping. Luckily there are consultants who can get you most of the way there.


> It's theatre, so it won't help actual security.

I disagree with this sentiment. As a small firm who has undergone multiple security audits/certifications, I have found that the controls we added were generally practical and did improve our security.


This is also my experience with risk audits in IT: you get asked a lot of stupid questions and spend a lot of time engaging in extreme hypotheticals, but in the end there are always one or two “hmmm I hadn’t thought of that” moments which lead you to significantly increase your security.


I've seen the exact opposite thing happen: organizations that went into security engineering deficit because of stupid things they were led by an unguided audit process to believe they needed to do. Compliance is a byproduct of security, not the other way around. Never go into a compliance process without an already-clear idea of what your security practice goals are.


Looks like you don't have any idea of ISO/IEC 27001. ISO/IEC 27001 is actually a standard which forces you to think about your security practices and goals.


We are in the 'lucky' position that ISO 27001 is now simply a legal requirement because we offer a healthcare SaaS-product in the Netherlands (ISO 27001 is required via its Dutch NEN 7510/12/13 bastard child that is).

For a small company (less than twenty employees) it really is a lot of work. It brings some benefits in that it forces you to have your documentation and certain processes in order, but man… getting audited drains you. It depends a lot on the auditor you get, but from all the stuff I do for my job, this yearly event feels like the biggest waste of time. It's just that without it we would be out of business.


We’re also certified for similar reasons. It did bring information security more into the focus of upper management, so that’s a plus. I found the time for backup encryption and getting rid of outdated servers (fuck Arch Linux, really), and everyone now has a monitored laptop and got an info sec training.


You could have organized your processes around ArchLinux instead of battling it, really. A living, dynamically developed software will benefit a lot from ArchLinux rolling releases.

Once your software becomes an ossified cash cow, moving it to RedHat makes more sense.


I'm sure that someone with enough knowledge of Arch Linux could have set it up properly, but I inherited multiple servers with three different distros (and the Ubuntu ones were on different versions). One of these was Arch Linux. It hadn't been updated in a long time, and the update simply failed. Once I got past that, it was going to break something (can't remember, but most likely the Python version). A little while later, it couldn't update anymore, because some file or package was no longer accessible. With Ubuntu (or Debian), you can at least install a new version even if some intermediate release is no longer downloadable. It's been a headache without any benefits from my point of view. By all means, run it on your personal servers, but it's an operational risk for an organization.


Same story here. Health tech in the UK. It's a pretty arduous process, but given our engineering team was already hot on security (and probably haven't been unlucky with auditors) we haven't had problems in practice.


There are some portions which are theatrical, but for the most part it is beneficial. I'd say that my company already had a large majority of the important things in place before getting SOC2, the process helped us close some gaps and organize the ongoing maintenance.

Certainly if the organization is not interested in security, they could fake their way through the certification with meaningless compliance and not actually achieve security.

But if your company does take security seriously, the certifications do help you get organized.

Sometimes it is just helpful when enforcing a good procedure across an organization to be able to tell a sales manager that they can't just email passwords around because we are SOC2, instead of trying to convince them from principle. It can elevate it above the level of company policy from which some people feel exempt. Now you can just threaten them that if they cause an exception on next year's SOC2 report it might scare away the big sale.


> It's theatre, so it won't help actual security.

I would disagree, as we had a very good security program and when we went through ISO 27001, I would have to say that it ended up measurably better.

But if you don't have a security culture, then it will be theater. Dangerously so.


First: the rule with these kinds of certifications is simple: don't do them until you have customer deals contingent on them. You should be able to weigh the costs of certification against hard, certain revenue. Depending on your customer base, you may get pushed into certification soon, or you might be able to push it off surprisingly far. If you can do that, you should.

Second: in North America, SOC2 is much more common than ISO 27001. 27001 is more common with gigantic companies than with startups. By way of example: Datadog just announced its 27001 last year, a few months after they went public. That they were able to scale their business to that point without 27001 certification --- and look closely at what Datadog's business is, and who their customers are! --- should tell you something about which certification you're likely to want first.

So for the rest of this comment I'm going to assume your company has no certification, and that you can get away with SOC2.

Third: while you will run into NA customers that want SOC2, there's a loose norm of purchases contingent on achieving a Type 1. That is to say: you can probably plan on deferring SOC2 until you have a contingent P.O. in hand, and do it then without losing that deal. You know your customers better than I do, but I spent a bunch of years doing this work for startups and don't think I ever told anyone to SOC2 preemptively.

Fourth: a real risk with rushing certification is that it can warp your security engineering and business processes. SOC2 is particularly amorphous, and SOC2 auditors are a weird bunch (people with strong opinions about which security tools you should be running that don't know the difference between an IP address and a domain name are people whose influence on your IT and engineering you should limit). You want a security team in place before you start chugging away at SOC2, so that your security team can be the primary influence on what engineering you do to support SOC2 (a competent security team will win any shootout with any major-label auditor).

Fifth: for most companies, you'll be 25-35 engineers before you contemplate a full-time security person, which gives you an idea of the normal lifecycle point at which you might start seriously considering certifying.

I wrote a blog post for my last company about some things to know about SOC2 and early-stage companies:

https://latacora.micro.blog/2020/03/12/the-soc-starting.html


This ^ is my favourite writeup on the question of how you implement SOC2. I wish I had read that before we started - after going through the Type 1 and Type 2 process, we've ended up with the same conclusions. I've lost count of the number of times I've recommended that. Our experience (global b2b customers, heavily skewed to NA) is that SOC2 Type 2 is the most frequently requested/expected standard, and if you have that, not having ISO is very rarely a dealbreaker. Neither makes the security questionnaires go away; they continue to be mandatory, require expert input, and are a significant drain on time. However, having SOC2 and/or ISO does mean that you've already thought of the answers to the questions and you'll have a defensible position, backed up by a track record of independent audits, when your particular approach doesn't meet the "gold" standard implied by the questionnaire. (Edit: typo)


> First: the rule with these kinds of certifications is simple: don't do them until you have customer deals contingent on them.

Getting an ISO 27001 certification can take months of effort, and not all deals can be stretched this far without significant repercussions.

Just a data point: I lead the certification project at my current company and it took us 8 months (~65 people in total, of which 3 full-time in IT). The auditors were a little hesitant at first because the system wasn't as "battle-tested" as they'd have liked.


Right. The short answer to the question this post asks is: "if you're a North America startup, do not get ISO 27001, and be wary of any advisor that says you should do so without a 7 figure purchase order closed and contingent on it."

SOC2 is a little bit trickier, but not much trickier: the strategy is the same: wait until you have to, and then get it to close the deal.


It’s a racket essentially: they make up a certification and sell it to people buying software. Those buyers force it on their suppliers, and they can charge for auditing and compliance. Not much you can do though; just have to grit your teeth and get on with it, and try to avoid the most bureaucratic parts that slow down your ability to execute.


You will know when you need it. Half of the companies I’ve worked for required an ISO 2700x audit in order to do business with larger b2b customers. It was part of the customer’s due diligence process when selecting vendors.

It can take a long time to complete an audit, especially that first one. You’re going to need to show a lengthy paper trail of policies and documented compliance.

I think it can bring good discipline to an organization when embraced, but that is often not how it gets done. And in some organizations the discipline is stifling. You’ll want to pay attention to how it is impacting teams.

A previous company I worked for used Process Street for procedure completion and tracking, but I always wondered if all auditors would be OK with such a flexible system.


I worked for a telecomms/webcasting company for about 5 years as a product manager. I can tell you from personal experience that a significant portion of the Fortune 500 (if not all of them) required ISO 2700X certification to even be considered.

The certification burden increases in proportion to the level of PII you are storing. The burden was much higher for government or med/bio contracts (FedRAMP/HIPAA, etc.). It's also worth mentioning that we had whole teams dedicated to working through RFPs/RFCs, as they can get VERY time consuming.

Bottom line is that if you are going to work with the big fish, you will probably need this level of certification to show them you are serious.


My experience is, you get to work with a company who "advises" you what to do, and they also do the certification. In my opinion, this makes it worthless. The company I worked for got the certification like this every year.


PII is not as toxic as many types of data that I have dealt with. Consider legal discovery processes involving many terabytes of documents. These contain e.g., ingestion of laptop, mail folders, document repositories that themselves contain all the kinds of toxic material that you have ever heard of.


ISO 27001 and SOC2 are both very valuable ways to communicate your security posture to external partners and customers. Like others have mentioned this will allow you to close deals quicker and prevent a more costly outcome by navigating security reviews more quickly. Source of info: friends at https://pentestiq.com and https://vanta.com that handle security/compliance for many startups.


I think for a lot of startups this is mostly not true at all, and that you can get a pretty long way without doing SOC2. I think for most startups there's basically no sales value to 27001 at all, and I would be wary of anyone giving advice suggesting anyone should do a 27001 preemptively, rather than to close a 7 figure pilot or something where the deal will pay for the cert drama.


You are correct, in many ways even SOC2 is not a desirable investment for young companies. You can do 5 figure deals with fortune 500 companies without it but the process of closing that deal will require a lot more work. Maybe a good time to start investing in SOC2 or ISO certification is when you have multiple large deals with enterprises in your sales pipe. Before that, running a small security program (annual pentest, security awareness training) and communicating that via security questionnaires will get you first deals.


If you are doing business internationally, you are more likely to be asked about this. SOC2 is not all that requested internationally. For some deals with mature European customers, ISO 27001 is a hard requirement. For B2B US, SOC2 is most often requested.

Most organizations take a calendar year or more to get their ISO 27001 certification. One difference between that and a SOC2 is that you need to show that you are running it continuously. At the end of the first year, you get to have another audit. And you really need to show improvement over that year. And the following year. In the fourth year, you start over again with a full audit. Keep in mind that ISO 27001 will require staffing involvement.

Some deals can work if you show convincingly that you are on the road to getting it.

And no, having both won't make the questionnaires go away (contrary to my hope when obtaining it). They may be slightly reduced, but if you have a lot of large customers, you will find quite often hundreds of questions that don't exactly overlap with the last one you filled out. This makes it hard to scale the questionnaire effort. There can be some luck if you prepare a standard one, like starting with the CIS controls.

We decided to get it done before it was a hard requirement, as we wanted to show a better security posture, and pursue international (not just EU) business.

One thought I share with teams building security practice is to obtain a copy of the ISO 27001/27002 standards and read through it. It may give you some ideas of how to measure your own security program. One thing that I like about that standard is documenting the executive commitment to funding and staffing the security effort. If you can wrangle that, you are ahead of the game.

The new (2017) SOC2 standard has new language that goes a bit in that direction, with controls like executive commitment to ethics, and division of responsibilities between the board and management.

With respect to security, in your own enlightened company self interest, don't let the idea of SOC2 or ISO 27001 lead you to think that you have security solved. Didn't SolarWinds have a SOC2? (Don't get me started on Third Party Risk Management.)


It's better to start early than anything; a lot of these certs are easier to get when you have nothing to audit. I've worked for 2 successful B2B fintechs. I wouldn't wait until a customer asks; I would be proactive if you have the time and money to go through it.


I think this is basically the opposite of the correct answer. If you do certification too early, you'll be pulled into pointless engineering projects that will likely have a TCO far larger than the certification itself. If you wait to do SOC2 until after you have a security team, you can avoid a lot of this work.

It doesn't help that SOC2 auditors are basically wrong about a lot of stuff, so that if you're getting certified before you have a sane security practice in place, your security engineering will get dragged into weird, unproductive places.


I disagree.

SOC2 forced us to use Yubikeys everywhere; getting serious about knowing, auditing, and controlling access; etc. There def were useless bits (contingency plans? If an earthquake hits SFO bad, we're screwed, you're screwed, etc.). But on the whole, I think it made us a more secure company.

Lots of it is basically best practices. Have, test, and document db backups. Have, test, and document a network diagram. Audit employee offboarding. Don't let all employees trivially touch prod. Put admin tools behind a vpn. Automate approvals and deploys (we did it all with aws tooling) so that you can audit deploy -> git sha -> [PR approval in github, ticket in jira]

Lots of this is probably dependent on your auditor though.

Also, it's a slow lead time to get, and the upper midmarket / lower enterprise demand it.

edit: bluntly, it also gave me some justification to slide things through when junior eng complained they couldn't touch the prod db.
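The deploy -> git sha -> PR approval -> ticket chain mentioned above is the kind of thing an auditor asks you to evidence for a sample of production deploys. The script below is an added example (not the commenter's tooling, and not any real GitHub, Jira or AWS API): it walks constructed deploy records back to a merged PR, checks that someone other than the author approved it, and checks that the PR references a ticket that exists in the tracker. Field names, ID formats and the sample data are all assumptions made for this illustration.

```python
"""Trace each production deploy back to an approved PR and a tracker ticket.

All data below is constructed for the example; the record shapes are
assumptions, not the output of any real deploy, GitHub or Jira API.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Ticket keys of the form PROJECT-123 (assumed convention for this example)
TICKET_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")


@dataclass(frozen=True)
class Deploy:
    deploy_id: str
    sha: str          # commit that was shipped to prod
    deployed_by: str  # pipeline identity that performed the deploy


@dataclass(frozen=True)
class PullRequest:
    number: int
    merge_sha: str
    author: str
    title: str
    approvers: Tuple[str, ...]  # reviewers who left an approving review


@dataclass
class Evidence:
    """One row of the audit trail for a single deploy."""
    deploy_id: str
    sha: str
    pr_number: Optional[int] = None
    ticket: Optional[str] = None
    gaps: List[str] = field(default_factory=list)

    @property
    def traceable(self) -> bool:
        return not self.gaps


def trace_deploy(deploy: Deploy, prs_by_sha: Dict[str, PullRequest],
                 known_tickets: Set[str]) -> Evidence:
    ev = Evidence(deploy.deploy_id, deploy.sha)
    pr = prs_by_sha.get(deploy.sha)
    if pr is None:
        # A deploy with no merged PR is exactly what "don't let everyone
        # touch prod" is meant to prevent; it is the first thing to flag.
        ev.gaps.append("no merged PR for deployed sha")
        return ev
    ev.pr_number = pr.number
    # Self-approval does not count as review.
    if not [a for a in pr.approvers if a != pr.author]:
        ev.gaps.append("no approval by someone other than the author")
    m = TICKET_RE.search(pr.title)
    if not m:
        ev.gaps.append("PR title has no ticket reference")
    elif m.group(1) not in known_tickets:
        ev.gaps.append(f"ticket {m.group(1)} not found in tracker")
    else:
        ev.ticket = m.group(1)
    return ev


def trace_all(deploys: Iterable[Deploy], prs: Iterable[PullRequest],
              tickets: Iterable[str]) -> List[Evidence]:
    prs_by_sha = {pr.merge_sha: pr for pr in prs}
    known = set(tickets)
    return [trace_deploy(d, prs_by_sha, known) for d in deploys]


# Constructed sample data (not from any real system)
SAMPLE_PRS = [
    PullRequest(41, "a1b2c3d", "alice", "PAY-101 Add retry to settlement worker", ("bob",)),
    PullRequest(42, "e4f5a6b", "carol", "Hotfix currency rounding", ("carol",)),
    PullRequest(43, "0c0ffee", "dave", "PAY-999 Remove legacy export", ("erin",)),
]
SAMPLE_DEPLOYS = [
    Deploy("deploy-2021-11-01-1", "a1b2c3d", "ci-bot"),
    Deploy("deploy-2021-11-02-1", "e4f5a6b", "ci-bot"),
    Deploy("deploy-2021-11-02-2", "deadbee", "ci-bot"),   # no PR at all
    Deploy("deploy-2021-11-03-1", "0c0ffee", "ci-bot"),
]
SAMPLE_TICKETS = {"PAY-101", "PAY-102"}

if __name__ == "__main__":
    for ev in trace_all(SAMPLE_DEPLOYS, SAMPLE_PRS, SAMPLE_TICKETS):
        status = "OK " if ev.traceable else "GAP"
        print(f"{status} {ev.deploy_id} sha={ev.sha} pr={ev.pr_number} "
              f"ticket={ev.ticket} {'; '.join(ev.gaps)}")
```

Run over the constructed data it reports one fully traceable deploy and three with gaps (self-approval plus no ticket, no PR, and a ticket that is not in the tracker). In practice the three input lists would come from your deploy log, your VCS and your tracker, and the output rows are the evidence you hand to the auditor.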


SOC2 did not force you to use Yubikeys everywhere. How I know that is: no mid-sized organization I've seen get SOC2 has ever gotten everyone onto Yubikeys. The median SOC2 auditor hasn't the slightest clue what a Yubikey is (the median SOC2 auditor probably doesn't know the difference between a URL and a hostname).

I understand what you're trying to say: the threat of a SOC2 information gathering process scared your engineering team into taking 2FA seriously. Your team was able to use it as a forcing function. Not to put too fine a point on it: your team is dysfunctional and has a poorly-communicating and unpersuasive security practice.†

That's the problem you needed to fix. There will be things you very seriously need to get rolled out after Yubikeys, and you won't have another $70,000 Big5 audit to wave around to get it done. Meanwhile: people who don't want to endure that audit can get Yubikeys deployed without bothering with the SOC2 part.

An important thing not enough people understand about SOC2 is that the profile of controls that you use (where controls are things like "logs we monitor" and "onboarding processes" and "2FA mechanisms") are self-determined. Auditors have a set of very high-level goals --- much higher level than "services need 2FA SSO" --- and you get to pick what controls you map to them. You get to pick what SOC2 makes you deploy, and the auditors ostensibly just keep you honest.

I would be surprised if anything close to 50% of reliably SOC2-Type-2'd shops had any hardware 2FA at all.

Almost everyone does!


Agreed, SOC2 says nothing about yubikey/u2f/etc. Almost any MFA will do unless one lets opinionated auditors head deep into the weeds.

You can use spreadsheet-based recordkeeping to satisfy very much of SOC2 as long as the processes are followed consistently.


Starting too early might not be the best move (though parent has a point on better auditability), but doing it at the last minute or once the product is plenty mature also means a ton of needless changes that can be disrupting depending on how the product was built/managed.

Perhaps it would make sense to at least know and understand the certifications as early as possible, and grow with it in mind. It makes it a lot easier to get certified when the time comes, or even to explain to clients why it wouldn't be required in some cases ("we can already guarantee you this and that, if that's the part you're worrying about").


I actually looked into those certifications as a person who's considering one day starting a small 1 person SaaS company. It seems like both ISO 27001 and SOC 2 can easily cost more than $10,000 to get, even for very small organizations.

That is a dealbreaker. There is precisely 0 value for anyone working at such a small scale to attempt to pursue those certifications - their costs will not only take up a lot of their time, but probably also exceed their revenue. That said, at that scale it's likely that also doing enterprise sales will simply not be possible, given the long purchase cycles and ample bureaucracy.

It should probably only be a concern with at least 20 employees or more, when targeting enterprises. Until then, there might as well be fully automated purchasing funnels, with no way to "contact sales", with the "enterprise plans" simply being self-hosted offerings: if any potential clients want to ensure compliance, they can simply buy the source code and a license for X number of cores/instances/whatever and put it on their fully compliant servers, do code audits, make their own customizations etc.

Of course, if you don't jump through enough of the bureaucratic hoops put in place by the enterprises, then it's likely that they won't even purchase your code.


Hi, I'm one of the founders of Secureframe.com.

At Secureframe we help customers streamline their SOC 2, ISO 27001, HIPAA, and PCI compliance. And much more! If you are selling to customers in Europe or Asia, ISO 27001 is quite commonly requested. In the US, SOC 2 tends to be more common.

When it comes to the process, an ISO 27001 certification has two stages and includes an annual renewal.

- Stage 1: Evaluates the right documentation and controls in place in order to progress to Stage 2.
- Stage 2: Evaluates the evidence to prove your controls and ISMS are effective, and that they meet the ISO 27001 requirements. Passing Stage 2 results in an ISO 27001 certification.

Stage 1 can be completed pretty quickly, but Stage 2 can take a bit more time to evaluate the evidence for. It can be done in a few weeks with a tool like Secureframe. It can cost < $10k for smaller companies. It often can make or break deals, so customers tend to get certified earlier rather than later.

Secureframe is the only security & compliance platform that has an ISO 27001 certification of its own. We save customers dozens of hours by automatically generating key documents like your Statement of Applicability. These can be incredibly time consuming and complex when you try to do it yourself.

Happy to chat more! shrav[at]secureframe.com


Typically this is your B2B infosec audit evolution:

1. No audits/certifications. Stay here until you're losing deals with big-ish companies to the point where it's worth investing $10-20k and ~200 hours into solving this.

2. SOC 2 Type 1. Takes about $10-20k/yr and 200 hours in my experience. If you use a platform like Drata it'll be a bit more money but less effort. This report satisfies a lot of security teams, and you have to get it once per year. The 2nd/3rd time is way less time investment than first. Stay here until you're losing deals over not having SOC 2 Type 2 / ISO27001.

3. SOC 2 Type 2. Takes about $15-30k/yr. If you've done SOC 2 Type 1 it should only take 80 hours or so to get. Again, platforms like Drata cost more but make this easier.

4. ISO27001. If SOC 2 Type 2 isn't enough for your big enterprise customers to buy, this is the next step. There's a lot of overlap between SOC 2 Type 2 and ISO27001, but ISO27001 definitely introduces some new controls. Drata can help with this as well, but pricing might go up to something more like $50k/yr for SOC 2 Type 2 + ISO27001.

If your company's very first sales will be enterprise deals, you may need to get SOC 2 Type 1/2 from the beginning. If you're starting out with SMB and eventually moving upstream, you could probably wait a few years before getting SOC 2 Type 1/2.

If a customer is asking "do you have ISO27001 certification?", saying "no" to that isn't (necessarily) damning. It might just mean they want you to fill out their security questionnaire. These can be time consuming, so you can even get around this by filling out a VSA Core once (standardized questionnaire) and trying to send them that instead of filling out each customer's custom questionnaire.


There's a lot of advice in this thread saying one shouldn't pursue a certification until you need it. Fine, that makes sense. I'm in the thick of our SOC-2 and it is indeed a pain in the ass.

But that doesn't mean you shouldn't worry about compliance! Almost any B2B company should be acutely aware of what the substance of a SOC-2 (at least) entails and what changes will eventually be required to satisfy it. You can make things much easier or harder on yourself by adopting certain principles and architectural patterns from day 1.

The goal is, when it is time for your SOC-2, it's just an administrative process and a rubber stamp, rather than needing to make major changes to your architecture and business processes.

And hey, you just might end up avoiding a costly security incident along the way.


SOC2 is an administrative process and rubber stamp whether or not you prepare for it. You should build a security practice to avoid costly security incidents, and let your sales process tell you when it's time to get a SOC2, which itself has zero to do with security.


I'm in Information Security at a large enterprise. We look for this kind of certification, but it isn't required. Not having it though will lead to further scrutiny (lots more questions to answer). I would recommend getting it if you can, particularly if you are offering a service that is hosting the customer's data and/or is managing some part of their IT operations.

Bolstering the recommendation is the fact that the proliferation of supply chain attacks recently is adding pressure for companies to perform more thorough diligence on their vendors. The certification helps check all the boxes.


The objective of most companies is to make money (let us be honest), thus the objective of the information security team is to make sure that the organization can achieve its objectives.

Thus, a lot of times, to sign customers, you need to be secure, as an IT/Security department can easily shut down any SaaS project if it is not secure enough. Having a certification like ISO 27001 or a report like SOC2 can really be helpful, and is sometimes a necessity. So ask yourself "does our company need a SOC2/ISO 27001 to sign customers? Is it a blocker for our business?". You never want to achieve compliance "just because"; you need a business reason to do it.

We started building our security program (ISMS) based on ISO 27001 (which is a really good basis in my opinion), but decided to get a SOC2 report instead. We started with a SOC2 type I report, then a type II. I personally find that a SOC2 is much more flexible than an ISO 27001 certification.

We mainly deal with big European customers, and SOC2 and ISO 27001 are seen as equal; never had a problem there. Most customers don't even read the report to be honest; it's a check in a box.

Having a SOC2 report or ISO 27001 certification shows that you care about security, and it sets the tone from the start.


Depends on your industry and what your customers expect. Also worth noting that your customers might not be ISO27001 compliant, but expect their suppliers to be compliant.

Many customers will send you a huge questionnaire to understand your security posture, policies and procedures. You’ll quickly realise that these questionnaires are pretty much what an ISO27001 auditor will ask. So if you have ISO27001, then you can just copy and paste.

It’s much easier to become ISO27001 compliant early, before you have much built. It allows you to take cookie cutter policies and procedures from companies like Laika and apply them wholesale with only minor tweaks, and without the need to make technical changes, because there’s nothing to change. However the process is both expensive and time consuming, so make sure it’s something your customers will expect.

Finally, pay someone else to walk you through the process. I’ve used the company heylaika.com; it removes so much overhead and the need to read the standard in detail. Trying to go it alone will just be a huge waste of time and money; you’ll end up paying for expensive audits that you’ll fail. Getting external help in makes sure you’ll actually pass the audit before you pay an auditor.


I've been through this. I started a B2B SaaS and the very first customer required us to get it before we could go live.

I found engaging a specialist consulting company invaluable to guide us through understanding the spec and designing processes and policies that were proportionate to our size and skillset. But be warned, there are a lot of chancers in this space - e.g. I had a few companies say they could give us a pre-written set of policies and give us the cert in a couple of weeks. Do. Not. Do. This. This consultancy even sat in on our first external audit to help us work our way through it, which turned out to be critical as the auditor went off-beam and started faulting us for not doing things that weren't even in the spec. So this isn't something you can wing your way through - you have to become an expert and thoroughly understand the spec, and its implications, in depth.

I spent a couple of months, full time, on getting to grips with the spec, grinding down scope and coming up with the lightest-touch policies possible that would a) still be useful and b) satisfy the auditors. And yet it's still critically important that you get an auditor who understands small companies - there are still some out there that are adamant it has to be a massively cumbersome thing that takes entire teams just to run.

But, be warned, this does place an ongoing admin burden on your company that you wouldn't otherwise have. Documenting and evidencing actions that wouldn't necessarily need it before, as well as conducting your own internal audits to ensure you're still doing the things you said you'd do.

So I would not recommend getting it until you're forced to by a client.

The good news is I was able to argue all the things we were doing as a matter of course in our software dev lifecycle could be mapped directly onto 27001's requirements. Things like declaring that the documentation of our networking and infrastructure _is_ our terraform scripts. Just because an auditor doesn't know how to read them doesn't mean they're not a perfectly valid form of documentation for the team using them.

So, yes, small, agile companies can gain and maintain certification (our last external audit by the British Standards Institute was passed with no non-conformities), but it's hard work and means spending effort that doesn't directly add value to the business.


We[1] are one of the few software houses that actually got it. And we're relatively small (30+ people on board).

Certification is not easy and it's not cheap (don't let anyone tell you otherwise); it's time consuming, but can be done in a few weeks (we managed to get certified in 3 months). It's worth mentioning that instead of covering the whole company, you can cover only a small department fitted in one room. Maybe not best practice, but certainly possible. And being slightly paranoid beforehand helps a lot. Also - given how time consuming it is once you have it, it's worth having someone (somehow) dedicated to it in the company - fortunately my great COO does most of the paperwork and checks processes between audits.

Most of our (potential) clients do not ask often about it, but I think it helps to mention ISO at some point. Bigger clients dealing with personal (or health) data do require it and it's a deal breaker.

1. https://prograils.com


Ahh, ISO.

"you can cover only small department fitted in one room" - this is the most important part to remember when someone comes in waving their ISO certification and has a beautiful badge on their website. You can certify your secretary, her cat and her desk in whatever fancy ISO certification you want. Funnily enough it does not really cost that much; there are consulting companies that gladly organize this for a few thousand dollars. This works like this for all ISO certifications.

Another thing, introduction of ISO in the company means only that there is some process to do X within the company. This process can be totally nuts and useless, but ISO certification holds as the process is there.

In general ISO makes a lot of sense for a production line environment (like car production, etc.) - the process is everything there, and having someone review this process is important and valuable. Many other ISO certs are just a marketing tool that does not really tell much without going into details of what processes are covered by the ISO.


Haha, yeah. We've covered the whole company, but yeah, you're right and it's a joke.

Regarding processes - yes and no - if you can viably prove that a process is not (yet) needed and you're doing things in a reasonable manner, then you're good. It's up to you what processes you'll introduce to the company. What we think we did well is that the whole certification did not change how we work and it was (almost) painless for our employees (or at least I like to think so).


It's a line-item in many of your clients' checklists. If they don't tick it off then you will have to answer a bunch of questions. It's a one time pain to get out of the way.

You could also start the process and ask your certifying consultant to give you a certificate saying it's in progress, which is also good in many cases, but follow through to complete it.


> It's a one time pain to get out of the way.

It's also a yearly audit and a continuous process to maintain it though.


I would wonder if there is a heuristic where you don't need a specialized and mature security governance program until you are close to or have established PMF. Security is tech governance, so you need something to govern before you drop in a bunch of security people.

If you have an enterprise product, either you get the ISO cert, or give up some of your sales margin and leverage to be a "partner" to another vendor who does. e.g. If you are selling to a bank and you don't have it, it's likely the bank may ask a consultant from one of the big firms to "recommend" your product as part of an engagement, and the compliance risk nominally shifts onto them, which is super not-cheap. I'd start discussions with VARs and consulting firms about partnering now in case you get a demand for it, just to be hedged.

However, as a security pro, I would almost never suggest it to a startup until they are much later stage, like B and C rounds, or above say, $20m ARR, and perhaps not even then. The reason for this is if you are still establishing PMF, ISO is an expensive distraction, same with FedRAMP. Pay for it out of profits only, or tack on the expense to a customer contract, as imo, it's a waste of precious runway.

Strategically, I think it's worth considering taking the revenue hit of partnering early with a VAR or a big-N consulting firm who specializes in managing these dead weight regulatory burdens, to grow your channel first while you focus on building a product that grows fast enough that you can choose to solve ISO yourself as an optimization problem later on when you are rolling in cash, and not as a strategic barrier. I'd venture that the lack of an ISO cert is not going to get in the way of an exit or early stage growth. It's an expense that I would punt to whoever acquires you. If you are acquiring companies, then maybe you're big enough to consider it.


We do B2B sales, we don't have an ISO certificate, and to my knowledge it has never cost us a deal (though some companies have asked).

But I'm sure it also depends what you're selling. We mostly sell marketing services and the risk is inherently low (we generally don't have access to any sensitive client data or systems).


Let me put my perspective on this.

The answer is both yes, and no.

Why no:

Seriously, if you need certification to put your processes in order you are in deep shit anyway. As an organization, you should be striving to continuously learn and improve. ISO 27001 is just a standard, a minimum you should be doing anyway.

Why yes:

I think it makes sense to go over that material. A lot of that stuff makes total sense. Why learn from the mistakes yourself when you can get over a lot of that stuff in one, easy to consume package? Security is a tough thing to get right; there is a lot of possibility to forget/be blind to some obvious things. While it is up to you to figure out what to do (see above) and you will be paying the price of missteps, it is always a good idea to get some external validation. Especially if you are a top level manager and you don't exactly know if you are getting an accurate assessment of the situation from your underlings.


First of all management systems and ISO is a way of working, a method or a framework. Just like scrum and agile are methods for project management within a team, management systems within the context of ISO is a method or framework set up by the management to lead the company. If you don't believe in ISO as a method, then you should not do it. Simple as that.

Personally however I think that ISO and management systems solve a lot of the problems that most companies deal with, and it gives a structured way of setting goals and reaching them.

Secondly the certification is not the most important part. The certification proves that your management system works and that you are reaching your goals, but if your goals are shit then the certification rather proves that you are a shitty company. In other words the certification in itself is not a quality badge.


ISO27001 is quite hard to achieve, and gets harder the bigger you are. In large companies it is a years-long initiative, if it is achievable at all. So for a smaller supplier, particularly if you have a SaaS product, it is of immense value and can be used as a differentiator.

We are really pleased that we went through the effort. From a sales perspective it makes a significant difference, including being positive for marketing and reducing the sales cycle. From a technical perspective, all of the value that it provides to sales and revenue means that the technical team gets the resources needed to do a better job of security (which is the point of the process).


> If you're a company doing B2B sales, how often do prospective customers ask about the certificate?

We're an authorization API company, so we may not be representative, but it definitely comes up, even in the context of early-stage SaaS startups that are selling into larger accounts.

> When did you decide that it's time to get it done?

It's certainly a pain, but somewhat ironically, the smaller / younger your company is, the easier it is to institute some of the processes than if you wait until you're larger.

There are companies out there (hyperproof.io is one of them) that sell SaaS products that help you streamline the workflow for ISO, SOC2, et al.


I would definitely recommend ISO 27001 or SOC2 which is the equivalent in the US, but with a few caveats. Having gone through the process myself I can without a doubt say it elevates your security posture by introducing an almost uncomfortable amount of rigor in your processes and procedures. The caveat here is that it is an intense process - weeks or months to prepare for and the security procedures you put in place are especially heavy for a smaller company. Maintaining these certifications takes a lot of work too and you would almost need to hire a security officer to keep up with it.


We have been asked by Fortune 500s for the ISO27001 along with the hundreds of security related questions. We got through without the certificate by convincing them in other ways how much we (the 2 of us) focus on security.


I worked somewhere which had a stack of potential clients waiting for the 27001 stamp. Afterwards they all signed within months bringing significant revenue to the company. It was night & day difference to them.


Yes it is. If you do it right, it will not only improve your security but also your reliability as well as scalability. It forces you to think about your business processes and documentation. This helps with onboarding new employees as well as bringing structure to existing ones. In addition, you gain stability for your enterprise.

But, this does not come for free. You have to invest time and money, and most companies don't understand the importance of not copy and pasting existing SOPs and other documents.


It's useful as a moat: for an established player, maintaining a certification isn't a big effort. For a new player, it saps resources.


For some companies it is enough to say "The data center is ISO certified". Which I always found strange, because almost every data center is ISO certified. But you will notice over time how relevant that will be for your customers. Simply ask with every lost offer what the reason was. Then you can still take care of your own certification.


Architect who works on a bunch of procurement - our approach is that a clean SOC2 Type 2 report is preferable, but not a deal-breaker (and reduces paperwork for me). But if you couldn't demonstrate that you could address the issues that SOC2 (etc) test, that would be a problem.


I just purchased software for our company and they had both ISO 27001 and SOC 2 which made it way easier to deal with our security and governance team. They like to see those certifications. It would be possible without, but the scrutiny would be much higher.


If you have or are aiming for large enterprise customers, ISO 27001 is basically a requirement. You'll probably also need ISO 27017, ISO 27018, ISO 27701, SOC 2, SOC 3, APEC and maybe more, all depending on which stage your company is at.


As someone who works in Infosec & Compliance, it makes third-party risk much easier when a vendor has a SOC2 report.

It depends on what kind of clients you have, if you are working with customers in regulated industries, then I believe it's worth it.


When big clients require it then you get it. This is my experience. I have seen consulting costs range from £20k to £100k to get you through it.

