
If you are a b2b company your customers will start to ask you at a certain point. Not having it can break a deal for sure although having it won't make the deal.

My advice to you is gradually improve your infosec posture and policies etc but rather than kicking off the certification, wait until a customer asks you for it during vendor due diligence, then say "we're working towards it" and immediately after the meeting commission one of the outside firms who do the evaluation for you.

The evaluation process takes a while and in my experience customers are understanding about that especially given b2b sales aren't exactly quick normally.




This has been the best answer in my opinion, the cost of achieving the certification is only worth it if you have prospective customers demanding it (so that their business will "pay" for the cost).

Oftentimes, companies from the USA will prefer SOC2 Type2 instead of ISO. So in my experience it is best to check with the market.

Regarding B2C companies, in my experience you'd like to get an ISO certification to reduce pressure from some governing body. For example, I was in a company where we did ISO-37001 because in our country that is a HUGE risk, and our market was attracting a lot of attention from government and regulators. Having an ISO gave us a "checkmark" in their eyes.


Yeah exactly that's the reason. In my last company we did eventually have to get ISO27001, SOC2 and ISAE3402 but by waiting until the customer demand is there you get the best sequencing and avoid duplication of effort as far as possible.

Your time and focus are an extremely precious resource, especially early on in a startup's lifetime.



