ISO 27001 is not an easy compliance framework to understand, especially for startups who are new to compliance. It is not quite straightforward and does not provide checklists and examples to make your job easy. But without ISO 27001, startups lose out on a ton of growth opportunities.
To address this, we’ve drafted this article to bridge the gap and offer directional guidance on the next steps. In this article, you will learn about the steps involved in becoming ISO 27001 compliant as a startup and the costs associated with it.
What type of startup needs to be ISO 27001 certified?
First things first, ISO is not compulsory. The compliance policy (if there was one) won’t come knocking on your doors if you don’t have one. However, it is becoming increasingly common for businesses to prioritize security as one of the criteria to partner with other service organizations.
Having said that, you should consider ISO 27001 if:
- Your business collects, stores, processes, transmits, or has access to sensitive customer data.
- You conduct business mainly outside the North American region.
- Your business’s global presence would benefit from an internationally recognized certification.
No matter what industry you are in or what service you offer, you can be ISO certified. The chart below shows the number of ISO certifications in 2021 by industry.
ISO 27001 compliance: The startup-friendly approach
ISO 27001 has not officially released a unique compliance subset for startups. The way ahead is still the same. The overall strategy depends on a number of factors like type of data, company size, type of service, and more. However, we have combined best practices, suggestions, and expert recommendations to help you kick start this journey.
Here is the list of nine ISO 27001 startup-friendly approaches:
Build your team
Before starting an extensive project, it is crucial to figure out who takes care of what. ISO 27001 comprises a lengthy list of granular requirements, so it is a good practice to assign accountability for each task. Ideally, these roles would include:
Upper management – Usually includes the CEO, COO, CISO, or other roles who actively participate in this process (this depends on the organization). They are responsible for aligning information security with the company goals, managing resource allocation, and overseeing delivery.
Information security steering committee – Security decisions can be quite challenging for organizations with no existing structure for infosec management. Nevertheless, it is important to chalk out strategies with stakeholders and top decision makers from each department.
The information security steering committee deals with a wide range of issues: process approval, risk analysis, audit results, security strategy monitoring, security goals, performance indicators, the disaster recovery plan, and more.
Chief information security officer – CISOs help to reduce interdepartmental chaos and improve coordination. You don’t necessarily need to hire someone for this role – anyone with a thorough knowledge of information flow should suffice.
CISOs engage with departmental heads to finalize security strategies, align business goals with security objectives, decide budget, set policies and processes, identify best options to mitigate risks, and monitor security activities. Additionally, they may conduct training and security awareness programs.
Some organizations assign the role of a system administrator to process data, make workflow changes, and be in charge of security controls.
Asset protection strategy
Now that you have the roles sorted, it’s time to figure out which data and assets need securing. One way to figure this out is the top-down approach. You can use this data flow chart for reference.

In order to execute this process seamlessly, you should have clarity on each process and its type, who is responsible for what, and operational workflows. This helps to gain insight into the link between assets and activities.
System administrators have a comprehensive understanding of this and can help others too.
Another way to approach this is the bottom-up method. This is an ideal choice if you don’t sufficiently understand the processes. The bottom-up approach relies on your ability to understand the type of information your organization handles throughout its end-to-end process.
For example, you may consider sensitive and non-sensitive personal data, enterprise data, design data, and more. Once you have the asset map ready, use it to know your data on a conceptual level.
Apart from electronic data, physical data storage facilities should be identified so they can be secured. You can use the bottom-up technique to identify physical assets like paper documents, endpoint devices, hard drives, physical offices, and even employees. After identifying these assets, list them in categories. For example, CRM solutions and other tools can fall under software. Servers, laptops, and smartphones can go under hardware. Third-party providers, such as cloud hosting or telecommunications (TLC) providers, form another category.
Once you are done cataloging, use a spreadsheet to track how information is connected to assets, and keep it updated.
Evaluate risks
The saying “know your enemies to defeat them” holds true for ISO – know your threats to mitigate them. A comprehensive insight into the existing and potential risks throughout your infrastructure is a crucial step towards ISO 27001 for startups. Knowing risks helps to prioritize them, implement appropriate controls, investigate breaches effectively and contain them.
The first step to your risk assessment is to know the level of risk. Use the asset flow map above to assign a value to each. A simple way to execute this is by assigning security based values like availability, integrity, and confidentiality. Use the table below to figure out where each stands.

Applying the table above to the asset map gives a result like the example shown below.

Since all other assets derive their main value from the information they store, process, or transmit, this first evaluation can be inherited by every asset connected to the evaluated information in the asset map. The assumption is that an asset’s relationship with the highest-valued information it touches gives it its true value for the organization, as shown below.
Evaluate context
Here, you need to understand your organization’s environment better. This is required to define your information security requirements. To simplify this step, you could align your model with the EU Agency for Network and Information Security (ENISA) threat model.
| Threat category | Examples |
| --- | --- |
| Disaster | Earthquake, fire, flood |
| Outage | Power shortage, service unavailability |
| Physical threats | Theft or sabotage |
| Legal | Violation of regulation or inability to follow law |
| Unintended damage | Device loss, unintentional disclosure of information |
| Malfunctioning | Hardware failure, technical glitches, device malfunctions |
| External data threat | Ransomware, trojans, zero day attack, social engineering |
| Internal data threat | Eavesdropping, espionage, man in the middle |
Use historical data and employee expertise to evaluate the level of each threat in the table above. Next, evaluate how exposed your assets are to these threats using a questionnaire. For example: How prone is your office location to floods? How trustworthy are your employees? Are there any gaps in compliance within the business?
You can use a rating system to answer these questions – like High, Medium, Low, and None.
Use the table below to quantify the level of risk. Assets that are not marked as “none” should be considered a potential risk.

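As an added example (not code from the original article), the following Python script carries the two evaluation steps above through end to end: it rates information assets on confidentiality, integrity, and availability, lets every connected asset in the asset map inherit the value of the highest-rated information it touches, and then combines that value with the High/Medium/Low/None exposure answers from the questionnaire into a ranked risk register. The 1–3 rating scale, the sample inventory, and the questionnaire answers are constructed assumptions, since the article’s own tables are not reproduced on this page.

```python
from typing import Dict, List, Tuple

# Assumed scales: the article's own rating tables are not shown, so a simple
# 1-3 scale is used for C/I/A and 0-3 for exposure ("none" scores zero).
CIA_SCALE = {"low": 1, "medium": 2, "high": 3}
EXPOSURE_SCALE = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample inventory. Information assets carry their own C/I/A rating;
# supporting assets (software, hardware, third parties) get their value by inheritance.
INFORMATION = {
    "customer PII": {"confidentiality": "high", "integrity": "medium", "availability": "medium"},
    "marketing copy": {"confidentiality": "low", "integrity": "low", "availability": "low"},
}
# Asset map: supporting asset -> information it stores, processes, or transmits.
ASSET_MAP = {
    "CRM (software)": ["customer PII", "marketing copy"],
    "staff laptops (hardware)": ["customer PII"],
    "web CMS (software)": ["marketing copy"],
    "cloud host (third party)": ["customer PII", "marketing copy"],
}
# Constructed questionnaire answers per asset, using the ENISA threat categories.
EXPOSURE = {
    "cloud host (third party)": {"Outage": "medium", "External data threat": "high"},
    "staff laptops (hardware)": {"Unintended damage": "high", "Physical threats": "medium"},
    "web CMS (software)": {"External data threat": "medium", "Disaster": "none"},
}


def information_value(rating: Dict[str, str]) -> int:
    """Value of an information asset is its highest C/I/A rating."""
    return max(CIA_SCALE[level] for level in rating.values())


def inherited_values(information: Dict, asset_map: Dict[str, List[str]]) -> Dict[str, int]:
    """Each supporting asset inherits the value of the highest-valued information it touches."""
    values = {name: information_value(rating) for name, rating in information.items()}
    for asset, linked_info in asset_map.items():
        values[asset] = max(values[info] for info in linked_info)
    return values


def risk_register(values: Dict[str, int], exposure: Dict) -> List[Tuple[str, str, int]]:
    """Risk = asset value x exposure; assets answered 'none' drop out of the register."""
    register = [
        (asset, threat, values[asset] * EXPOSURE_SCALE[level])
        for asset, threats in exposure.items()
        for threat, level in threats.items()
        if EXPOSURE_SCALE[level] > 0
    ]
    return sorted(register, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for asset, threat, score in risk_register(inherited_values(INFORMATION, ASSET_MAP), EXPOSURE):
        print(f"{score:>2}  {asset:<28} {threat}")
```

The highest-scoring rows are the ones to carry into the control selection step that follows.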
Identify controls for ISMS
Annex A of the ISO 27001 standard is about security controls. These are simply the measures and processes you implement to protect data from threats. It lists 114 controls, but not all are compulsory. You can choose the ones partially or fully applicable to you.
Once you have an idea of risks and assets, you can proceed to the next step – plan how to address the risks, along with a budget and timeline. System administrators, the steering committee, and system processing officers are ideally involved in this task.
Deciding which controls to implement in a given environment is easier said than done. For many organizations, it turns out to be a tedious process of trial and error across many possible combinations of controls. The outcomes are almost always difficult to project and end up stretching the budget. Depending on the type of data, your team can make a call on which controls are required and which can be deferred for the time being.
Manage information security plan
Periodic assessments are crucial to measure your progress against the plan. Security administrators monitor this regularly, monthly or quarterly. This involves all the concerned members of the team – their input regarding updates, new requirements, changes, roadblocks, and more is to be reported. Even for minor changes, keep the top management in the loop.
A good practice that helps to stick to the plan is through audits. Auditors are independent bodies who check your described controls against what is implemented and create a report based on their observations. Audits can be conducted by internal staff but should not be biased.
The report must list the areas of non-compliance and improvement. You should adequately address any gaps in compliance with corrective action to avoid issues in the future. Wherever you make changes, document them in your plan.
Monitor information security plan
Continuously monitor activities to ensure that your ISMS is working as planned. Address and document gaps as and when required. A good practice to efficiently monitor is by using performance indicators – codes set up to trigger a notification when a breach or unauthorized action is detected. Additionally, you can use goal indicators to measure your business objectives.
Use the suggested table below to measure performance in percentile values. Indicators vary from one organization to another.

External audits
Once you are done with internal processes, it’s time for an external audit (Stage 1). An ISO 27001 accredited auditor reviews your documents against the standard’s requirements. After reviewing and assessing your organization’s ISMS, they will provide an audit report which contains your certification.
After the stage 1 audit, you should go through the main or stage 2 audit. In this round, you basically demonstrate that your controls are functioning as per ISO requirements. The auditor reviews if you have implemented the corrective actions or improvements suggested in the first round.
The Stage 2 audit also ends with a report detailing minor non-conformities and suggesting areas for improvement. In case of major issues, you simply need to take corrective actions and share the evidence of the same with your auditor.
Continuous improvement
ISO 27001 compliance for startups is not a one time activity. Your job does not end with certification. As threats continue to evolve and malicious actors gain access to better technology, it is crucial to keep your system a step ahead of vulnerabilities.
For example, when you partner with new vendors, integrate new tools, employ more people, or make changes in your process, it changes the nature of risks. This means security issues will keep piling up – unless you perform risk assessments and continuously deploy measures to address them.
What does ISO 27001 certification cost to startups?
There are multiple ways to become ISO compliant. These include using an internal team, via an external consultant, using a Governance, Risk Management, and Compliance (GRC) tool, or compliance automation tool.
- Internal team: Will cost you time and productivity. It can take at least five months.
- External consultant: Cost estimates up to $10,000+. Can take a minimum of five months.
- GRC: Costs an average of $7,500.
- Compliance automation: Costs about $8,000. Takes around two weeks.
There are additional preparation costs to be considered as given in the table below.
| Requirement | Cost estimation |
| --- | --- |
| Official standard document cost | $350 |
| Gap analysis | $7,500 |
| Penetration tests | Between $5,000 and $20,000 |
| Vulnerability assessment | Between $2,000 and $2,500 |
| Employee training | $25 per user |
| Anti-malware tools | $50 annually |
How ISO 27001 benefits startups
Startups and small businesses often look at ISO 27001 certification as an easy way to gain trust and demonstrate security efficiency. While it does both, you shouldn’t get compliant only to unlock business deals.
ISO 27001 is a control-heavy standard. Most organizations rely on security controls to protect their data but fail to implement them efficiently, because controls deployed as point solutions are poorly coordinated with one another. An ISMS offers a systematic solution to this problem.
Moreover, security controls often fail to secure non IT assets that contain data; such as paper documents, physical office locations, hard drives, and more. ISO 27001 guides organizations to secure every type of asset from data theft or damage.
Not to mention that data breaches are costly. A study by Ponemon Institute shows that more than 83% of organizations faced more than one breach. The same study found that organizations with security automation spent 65.2% less to remediate breaches compared to those with no automation.
As a startup, you cannot afford to shell out on corrective measures. It is cheaper to implement security compliance like ISO than to spend on corrective actions, at least in the long run.
With startups mushrooming everywhere, investors are no longer cutting checks to clean up after messy situations which could have been avoided in the first place. Not to mention that you would want your employees to focus on their tasks and growth opportunities rather than waste productive hours on damage control.
And lastly, as a small business, you are more likely to face a breach when compared to medium to large organizations. This is because large companies have the budget to spend on security while the smaller ones don’t – a fact that malicious actors know and exploit to their advantage.
FAQs
For which company is ISO 27001 useful?
ISO 27001 is useful for any service organization that manages, transmits, or processes sensitive customer data.
Is ISO 27001 certification for startups worth it?
The short answer is yes. No organization, especially small to medium-sized ones, is safe from breaches. ISO certification is your ticket to gain customer trust and ensure continued business growth.
Is ISO 27001 better than Cyber Essentials?
ISO 27001 is an internationally recognized standard for information security. It is much more comprehensive, intensive, and risk-focused.