Ask HN: Is the ISO 27001 certification worth it?

125 points by piotrgrudzien over 3 years ago

ISO 27001 (https://en.wikipedia.org/wiki/ISO/IEC_27001) certifies that information security is properly managed at a company or organisation. But the process of obtaining it is costly and time-consuming, so I wanted to ask people who have experience with it: is it worth it?

If you're a company doing B2B sales, how often do prospective customers ask about the certificate? Does it ever make or break a deal? When did you decide that it's time to get it done?

Thanks!

38 comments

christinac over 3 years ago

(I work at/cofounded Vanta)

We work with companies doing B2B sales and looking for help with compliance certifications like ISO 27001 and SOC 2. Some folks come to us early but most come with a deal on the line — which is to say, this is a process you can start “just in time” if you must.

From what I’ve seen, saying “no I won’t go through your security review process” is an (obvious) dealbreaker, but there’s a lot of ways to get through that process: ISO cert, SOC 2, the promise to get either of those certs by your go-live/implementation date, security questionnaire hell, etc.

As mentioned previously, ISO is preferred by European companies; SOC 2 is more likely to be mandated by American companies, and you’re likely to get pretty far, even in Europe, on just a SOC 2. If I had to construct the situation that’s most likely to be deal-breaking, it’d be an old-school European company that’s operating off a rigid flow chart: “if no ISO 27001 cert, go back to start. Do not pass Go. Do not collect $200.”

A few folks have mentioned cost (dollar and organizational) — ymmv and/but the cost of obtaining ISO 27001 certification varies with the number of employees, say $10-20k for smaller companies. Implementing ISO 27001 and an ISMS can be blitzed by small teams in a few weeks but probably will take a couple of months to a year for larger organizations.

(And we’d love to help if you decide to pursue this at Vanta etc etc)
tetha over 3 years ago

> When did you decide that it's time to get it done?

There is a time management component to this. If you're still in a deal without a 27001 certification, the security questions don't go away. Instead, you get sent a security question set to answer. These question sets can be huge - our record is about 300 - 400 questions. And once you've answered those, you're not done - then you go into discussions with their cybersecurity about your answers.

Once you're in the loop with a number of large deals, this becomes a huge time sink.

And no, you can't give this to an intern, or just search-and-answer most questions, because every company formulates their questions and requirements differently and it takes some knowledge to figure out what they mean and want.

And at times the discussions afterwards are even worse. I've had InfoSec guys tell me they're concerned because I cannot give them the specific details on the physical security of an AWS datacenter because these are not available.

As much work as getting and maintaining an ISO 27001 certification is, there is a point after which it'll save you time and nerves.
seanhunter over 3 years ago

If you are a B2B company your customers will start to ask you at a certain point. Not having it can break a deal for sure, although having it won't make the deal.

My advice to you is to gradually improve your infosec posture and policies etc, but rather than kicking off the certification, wait until a customer asks you for it during vendor due diligence, then say "we're working towards it" and immediately after the meeting commission one of the outside firms who do the evaluation for you.

The evaluation process takes a while and in my experience customers are understanding about that, especially given B2B sales aren't exactly quick normally.
lordnacho over 3 years ago

It's theatre, so it won't help actual security. Having said that, even quite small firms I've known have decided they needed it in order to get customers.

A fair few large customers require it and won't bother talking to you if you don't have it, so if you can otherwise do the sale there's a good reason to get it.

Your real problem as a small vendor is deciding when this is necessary, because you might be getting customers just fine when you're small and dealing with people who care about actual security, not paper security. At some point you are gonna have to pull a few people out to get all this paperwork done. I spent last summer doing a whole pile of "Information Security" policies for a friend I was helping. Luckily there are consultants who can get you most of the way there.
tptacek over 3 years ago

First: the rule with these kinds of certifications is simple: don't do them until you have customer deals contingent on them. You should be able to weigh the costs of certification against hard, certain revenue. Depending on your customer base, you may get pushed into certification soon, or you might be able to push it off surprisingly far. If you can do that, you should.

Second: in North America, SOC2 is much more common than ISO 27001. 27001 is more common with gigantic companies than with startups. By way of example: Datadog just announced its 27001 last year, a few months after they went public. That they were able to scale their business to that point without 27001 certification --- and look closely at what Datadog's business is, and who their customers are! --- should tell you something about which certification you're likely to want first.

So for the rest of this comment I'm going to assume your company has no certification, and that you can get away with SOC2.

Third: while you will run into NA customers that want SOC2, there's a loose norm of purchases contingent on achieving a Type 1. That is to say: you can probably plan on deferring SOC2 until you have a contingent P.O. in hand, and do it then without losing that deal. You know your customers better than I do, but I spent a bunch of years doing this work for startups and don't think I ever told anyone to SOC2 preemptively.

Fourth: a real risk with rushing certification is that it can warp your security engineering and business processes. SOC2 is particularly amorphous, and SOC2 auditors are a weird bunch (people with strong opinions about which security tools you should be running that don't know the difference between an IP address and a domain name are people whose influence on your IT and engineering you should limit). You want a security team in place before you start chugging away at SOC2, so that your security team can be the primary influence on what engineering you do to support SOC2 (a competent security team will win any shootout with any major-label auditor).

Fifth: For most companies, you'll be 25-35 engineers before you contemplate a full-time security person, which gives you an idea of the normal lifecycle point at which you might start seriously considering certifying.

I wrote a blog post for my last company about some things to know about SOC2 and early-stage companies:

https://latacora.micro.blog/2020/03/12/the-soc-starting.html
mnd999 over 3 years ago

It’s a racket essentially: they make up a certification, sell it to people buying software. Those buyers force it on their suppliers and they can charge for auditing and compliance. Not much you can do though, just have to grit your teeth and get on with it and try to avoid the most bureaucratic parts that slow down your ability to execute.
breckenedge over 3 years ago

You will know when you need it. Half of the companies I’ve worked for required an ISO 2700x audit in order to do business with larger B2B customers. It was part of the customer’s due diligence process when selecting vendors.

It can take a long time to complete an audit, especially that first one. You’re going to need to show a lengthy paper trail of policies and documented compliance.

I think it can bring good discipline to an organization when embraced, but that is often not how it gets done. And in some organizations the discipline is stifling. You’ll want to pay attention to how it is impacting teams.

A previous company I worked for used Process Street for procedure completion and tracking, but I always wondered if all auditors would be OK with such a flexible system.
cols over 3 years ago

I worked for a telecomms/webcasting company for about 5 years as a product manager. I can tell you from personal experience that a significant portion of the Fortune 500 (if not all of them) required ISO 2700X certification to even be considered.

The certification burden increases in proportion to the level of PII you are storing. The burden was much higher for government or med/bio contracts (FedRAMP/HIPAA, etc.). It's also worth mentioning that we had whole teams dedicated to working through RFPs/RFCs as they can get VERY time consuming.

Bottom line is that if you are going to work with the big fish, you will probably need this level of certification to show them you are serious.
pschneidr over 3 years ago

ISO 27001 and SOC2 are both very valuable ways to communicate your security posture to external partners and customers. Like others have mentioned, this will allow you to close deals quicker and prevent a more costly outcome by navigating security reviews more quickly. Source of info: friends at https://pentestiq.com and https://vanta.com that handle security/compliance for many startups.
wglb over 3 years ago

If you are doing business internationally, you are more likely to be asked about this. SOC2 is not all that requested internationally. For some deals with mature European customers, ISO 27001 is a hard requirement. For B2B US, SOC2 is most often requested.

Most organizations take a calendar year or more to get their ISO 27001 certification. One difference between that and a SOC2 is that you need to show that you are running it continuously. At the end of the first year, you get to have another audit. And you really need to show improvement over that year. And the following year. In the fourth year, you start over again with a full audit. Keep in mind that ISO 27001 will require staffing involvement.

Some deals can work if you show convincingly that you are on the road to getting it.

And no, having both won't make the questionnaires go away (contrary to my hope of obtaining it). They may be slightly reduced, but if you have a lot of large customers, you will find quite often hundreds of questions that don't exactly overlap with the last one you filled out. This makes it hard to scale the questionnaire effort. There can be some luck if you prepare a standard one, like starting with the CIS controls.

We decided to get it done before it was a hard requirement, as we wanted to show a better security posture, and pursue international (not just EU) business.

One thought I share with teams building a security practice is to obtain a copy of the ISO 27001/27002 standards and read through them. It may give you some ideas of how to measure your own security program. One thing that I like about that standard is documenting the executive commitment to funding and staffing the security effort. If you can wrangle that, you are ahead of the game.

The new (2017) SOC2 standard has new language that goes a bit in that direction, with controls like executive commitment to ethics, and division of responsibilities between the board and management.

With respect to security, in your own enlightened company self-interest, don't let the idea of SOC2 or ISO 27001 lead you to think that you have security solved. Didn't SolarWinds have a SOC2? (Don't get me started on Third Party Risk Management.)
exhibitapp over 3 years ago

It's better to start early than anything; a lot of these certs are easier to get when you have nothing to audit. I've worked for 2 successful B2B fintechs. I wouldn't wait until a customer asks; I would be proactive if you have the time and money to go through it.
KronisLV over 3 years ago

I actually looked into those certifications as a person who's considering one day starting a small 1-person SaaS company. It seems like both ISO 27001 and SOC 2 can easily cost more than 10'000$ to get, even for very small organizations.

That is a dealbreaker. There is precisely 0 value for anyone working at such a small scale to attempt to pursue those certifications - their costs will not only take up a lot of their time, but probably also exceed their revenue. That said, at that scale it's likely that doing enterprise sales will also simply not be possible, given the long purchase cycles and ample bureaucracy.

It should probably only be a concern with at least 20 employees or more, when targeting enterprises. Until then, there might as well be fully automated purchasing funnels, with no way to "contact sales", with the "enterprise plans" simply being self-hosted offerings: if any potential clients want to ensure compliance, they can simply buy the source code and a license for X number of cores/instances/whatever and put it on their fully compliant servers, do code audits, make their own customizations etc.

Of course, if you don't jump through enough of the bureaucratic hoops put in place by the enterprises, then it's likely that they won't even purchase your code.
shravvmehtaa over 3 years ago

Hi, I'm one of the founders of Secureframe.com.

At Secureframe we help customers streamline their SOC 2, ISO 27001, HIPAA, and PCI compliance. And much more! If you are selling to customers in Europe or Asia, ISO 27001 is quite commonly requested. In the US, SOC 2 tends to be more common.

When it comes to the process, an ISO 27001 certification has two stages and includes an annual renewal.

- Stage 1: Evaluates that the right documentation and controls are in place in order to progress to Stage 2.
- Stage 2: Evaluates the evidence to prove your controls and ISMS are effective, and that they meet the ISO 27001 requirements. Passing Stage 2 results in an ISO 27001 certification.

Stage 1 can be completed pretty quickly, but Stage 2 can take a bit more time to evaluate the evidence for. It can be done in a few weeks with a tool like Secureframe. It can cost < $10k for smaller companies. It often can make or break deals, so customers tend to get certified earlier rather than later.

Secureframe is the only security & compliance platform that has an ISO 27001 certification of its own. We save customers dozens of hours by automatically generating key documents like your Statement of Applicability. These can be incredibly time consuming and complex when you try to do it yourself.

Happy to chat more! shrav[at]secureframe.com
a13n over 3 years ago

Typically this is your B2B infosec audit evolution:

1. No audits/certifications. Stay here until you're losing deals with big-ish companies to the point where it's worth investing $10-20k and ~200 hours into solving this.

2. SOC 2 Type 1. Takes about $10-20k/yr and 200 hours in my experience. If you use a platform like Drata it'll be a bit more money but less effort. This report satisfies a lot of security teams, and you have to get it once per year. The 2nd/3rd time is way less time investment than the first. Stay here until you're losing deals over not having SOC 2 Type 2 / ISO27001.

3. SOC 2 Type 2. Takes about $15-30k/yr. If you've done SOC 2 Type 1 it should only take 80 hours or so to get. Again, platforms like Drata cost more but make this easier.

4. ISO27001. If SOC 2 Type 2 isn't enough for your big enterprise customers to buy, this is the next step. There's a lot of overlap between SOC 2 Type 2 and ISO27001, but ISO27001 definitely introduces some new controls. Drata can help with this as well, but pricing might go up to something more like $50k/yr for SOC 2 Type 2 + ISO27001.

If your company's very first sales will be enterprise deals, you may need to get SOC 2 Type 1/2 from the beginning. If you're starting out with SMB and eventually moving upstream, you could probably wait a few years before getting SOC 2 Type 1/2.

If a customer is asking "do you have ISO27001 certification?", saying "no" to that isn't (necessarily) damning. It might just mean they want you to fill out their security questionnaire. These can be time consuming, so you can even get around this by filling out a VSA Core once (standardized questionnaire) and trying to send them that instead of filling out each customer's custom questionnaire.
lukev over 3 years ago

There's a lot of advice in this thread saying one shouldn't pursue a certification until you need it. Fine, that makes sense. I'm in the thick of our SOC-2 and it is indeed a pain in the ass.

But that doesn't mean you shouldn't worry about compliance! Almost any B2B company should be acutely aware of what the substance of a SOC-2 (at least) entails and what changes will eventually be required to satisfy it. You can make things much easier or harder on yourself by adopting certain principles and architectural patterns from day 1.

The goal is, when it is time for your SOC-2, it's just an administrative process and a rubber stamp, rather than needing to make major changes to your architecture and business processes.

And hey, you just might end up avoiding a costly security incident along the way.
jnorthrop over 3 years ago

I'm in Information Security at a large enterprise. We look for this kind of certification, but it isn't required. Not having it though will lead to further scrutiny (lots more questions to answer). I would recommend getting it if you can, particularly if you are offering a service that is hosting the customer's data and/or is managing some part of their IT operations.

Bolstering the recommendation is the fact that the proliferation of supply chain attacks recently is adding pressure for companies to perform more thorough diligence on their vendors. The certification helps check all the boxes.
mathie25 over 3 years ago

The objective of most companies is to make money (let us be honest), thus the objective of the information security team is to make sure that the organization can achieve its objectives.

Thus, a lot of times, to sign customers, you need to be secure, as an IT/Security department can easily shut down any SaaS project if it is not secure enough. Having a certification like ISO 27001 or a report like SOC2 can really be helpful, and is sometimes a necessity. So ask yourself "does our company need a SOC2/ISO 27001 to sign customers? Is it a blocker for our business?". You never want to achieve compliance "just because"; you need a business reason to do it.

We started building our security program (ISMS) based on ISO 27001 (which is a really good basis in my opinion), but decided to get a SOC2 report instead. We started with a SOC2 Type I report, then a Type II. I personally find that a SOC2 is much more flexible than an ISO 27001 certification.

We mainly deal with big European customers, and SOC2 and ISO 27001 are seen as equal; never had a problem there. Most customers don't even read the report, to be honest; it's a check in a box.

Having a SOC2 report or ISO 27001 certification shows that you care about security, and it sets the tone from the start.
avianlyric over 3 years ago

Depends on your industry and what your customers expect. Also worth noting that your customers might not be ISO27001 compliant, but expect their suppliers to be compliant.

Many customers will send you a huge questionnaire to understand your security posture, policies and procedures. You’ll quickly realise that these questionnaires are pretty much what an ISO27001 auditor will ask. So if you have ISO27001, then you can just copy and paste.

It’s much easier to become ISO27001 compliant early, before you have much built. It allows you to take cookie-cutter policies and procedures from companies like Laika and apply them wholesale with only minor tweaks, and without the need to make technical changes, because there’s nothing to change. However the process is both expensive and time consuming, so make sure it’s something your customers will expect.

Finally, pay someone else to walk you through the process. I’ve used the company heylaika.com; it removes so much overhead and the need to read the standard in detail. Trying to go it alone will just be a huge waste of time and money; you’ll end up paying for expensive audits that you’ll fail. Getting external help in makes sure you’ll actually pass the audit before you pay an auditor.
midenginedcoupe over 3 years ago

I've been through this. I started a B2B SaaS and the very first customer required us to get it before we could go live.

I found engaging a specialist consulting company invaluable to guide us through understanding the spec and designing processes and policies that were proportionate to our size and skillset. But be warned, there are a lot of chancers in this space - e.g. I had a few companies say they could give us a pre-written set of policies and give us the cert in a couple of weeks. Do. Not. Do. This. This consultancy even sat in on our first external audit to help us work our way through it, which turned out to be critical as the auditor went off-beam and started faulting us for not doing things that weren't even in the spec. So this isn't something you can wing your way through - you have to become an expert and thoroughly understand the spec, and its implications, in depth.

I spent a couple of months, full time, on getting to grips with the spec, grinding down scope and coming up with the lightest-touch policies possible that would a) still be useful and b) satisfy the auditors. And yet it's still critically important that you get an auditor who understands small companies - there are still some out there that are adamant it has to be a massively cumbersome thing that takes entire teams just to run.

But, be warned, this does place an ongoing admin burden on your company that you wouldn't otherwise have: documenting and evidencing actions that wouldn't necessarily need it before, as well as conducting your own internal audits to ensure you're still doing the things you said you'd do.

So I would not recommend getting it until you're forced to by a client.

The good news is I was able to argue all the things we were doing as a matter of course in our software dev lifecycle could be mapped directly onto 27001's requirements. Things like declaring that the documentation of our networking and infrastructure _is_ our terraform scripts. Just because an auditor doesn't know how to read them doesn't mean they're not a perfectly valid form of documentation for the team using them.

So, yes, small, agile companies can gain and maintain certification (our last external audit by the British Standards Institute was passed with no non-conformities), but it's hard work and means spending effort that doesn't directly add value to the business.
mlitwiniuk over 3 years ago

We[1] are one of the few software houses that actually got it. And we're relatively small (30+ people on board).

Certification is not easy and it's not cheap (don't let anyone tell you otherwise); it's time consuming, but can be done in a few weeks (we managed to get certified in 3 months). It's worth mentioning that instead of covering the whole company, you can cover only a small department fitted in one room. Maybe not best practice, but certainly possible. And being slightly paranoid beforehand helps a lot. Also - given how time consuming it is once you have it, it's worth having someone (somehow) dedicated to it in the company - fortunately my great COO does most of the paperwork and checks processes between audits.

Most of our (potential) clients do not ask often about it, but I think it helps to mention ISO at some point. Bigger clients dealing with personal (or health) data do require it and it's a deal breaker.

1. https://prograils.com
vishnugupta over 3 years ago

It's a line item in many of your clients' checklists. If they don't tick it off then you will have to answer a bunch of questions. It's a one-time pain to get out of the way.

You could also start the process and ask your certifying consultant to give you a certificate saying it's in progress, which is also good in many cases, but follow through to complete it.
motohagiography over 3 years ago

I would wonder if there is a heuristic where you don't need a specialized and mature security governance program until you are close to or have established PMF. Security _is_ tech governance, so you need something to govern before you drop in a bunch of security people.

If you have an enterprise product, either you get the ISO cert, or give up some of your sales margin and leverage to be a "partner" to another vendor who does. E.g. if you are selling to a bank and you don't have it, it's likely the bank may ask a consultant from one of the big firms to "recommend" your product as part of an engagement, and the compliance risk nominally shifts onto them, which is super not-cheap. I'd start discussions with VARs and consulting firms about partnering now in case you get a demand for it, just to be hedged.

However, as a security pro, I would almost never suggest it to a startup until they are much later stage, like B and C rounds, or above say, $20m ARR, and perhaps not even then. The reason for this is if you are still establishing PMF, ISO is an expensive distraction, same with FedRAMP. Pay for it out of profits only, or tack on the expense to a customer contract, as imo, it's a waste of precious runway.

Strategically, I think it's worth considering taking the revenue hit of partnering with a VAR or a big-N consulting firm early to grow your channel first, one who specializes in managing these dead-weight regulatory burdens while you focus on building a product that grows fast enough that you can choose to solve ISO yourself as an optimization problem later on when you are rolling in cash, and not as a strategic barrier. I'd venture that the lack of an ISO cert is not going to get in the way of an exit or early stage growth. It's an expense that I would punt to whoever acquires you. If you are acquiring companies, then maybe you're big enough to consider it.
eli over 3 years ago

We do B2B sales, we don't have an ISO certificate, and to my knowledge it has never cost us a deal (though some companies have asked).

But I'm sure it also depends what you're selling. We mostly sell marketing services and the risk is inherently low (we generally don't have access to any sensitive client data or systems).
lmilcin over 3 years ago

Let me put my perspective on this.

The answer is both yes, and no.

Why no:

Seriously, if you need certification to put your processes in order you are in deep shit anyway. As an organization, you should be striving to continuously learn and improve. ISO 27001 is just a standard, a minimum you should be doing anyway.

Why yes:

I think it makes sense to go over that material. A lot of that stuff makes total sense. Why learn from the mistakes yourself when you can get over a lot of that stuff in one, easy to consume package? Security is a tough thing to get right; there is a lot of possibility to forget/be blind to some obvious things. While it is up to you to figure out what to do (see above) and you will be paying the price of missteps, it is always a good idea to get some external validation. Especially if you are a top-level manager and you don't exactly know if you are getting an accurate assessment of the situation from your underlings.
Puts over 3 years ago

First of all, management systems and ISO are a way of working, a method or a framework. Just like scrum and agile are methods for project management within a team, management systems within the context of ISO are a method or framework set up by the management to lead the company. If you don't believe in ISO as a method, then you should not do it. Simple as that.

Personally however I think that ISO and management systems solve a lot of the problems that most companies deal with, and give a structured way of setting goals and reaching them.

Secondly, the certification is not the most important part. The certification proves that your management system works and that you are reaching your goals, but if your goals are shit then the certification rather proves that you are a shitty company. In other words the certification in itself is not a quality badge.
Delphiza over 3 years ago

ISO27001 is quite hard to achieve, and gets harder the bigger you are. In large companies it is a years-long initiative, if it is achievable at all. So for a smaller supplier, particularly if you have a SaaS product, it is of immense value and can be used as a differentiator.

We are really pleased that we went through the effort. From a sales perspective it makes a significant difference, including being positive for marketing and reducing the sales cycle. From a technical perspective, all of the value that it provides to sales and revenue means that the technical team gets the resources needed to do a better job of security (which is the point of the process).
ogazitt over 3 years ago

> If you're a company doing B2B sales, how often do prospective customers ask about the certificate?

We're an authorization API company, so we may not be representative, but it definitely comes up, even in the context of early-stage SaaS startups that are selling into larger accounts.

> When did you decide that it's time to get it done?

It's certainly a pain, but somewhat ironically, the smaller / younger your company is, the easier it is to institute some of the processes than if you wait until you're larger.

There are companies out there (hyperproof.io is one of them) that sell SaaS products that help you streamline the workflow for ISO, SOC2, et al.
dkobia over 3 years ago

I would definitely recommend ISO 27001 or SOC2, which is the equivalent in the US, but with a few caveats. Having gone through the process myself I can without a doubt say it elevates your security posture by introducing an almost uncomfortable amount of rigor in your processes and procedures. The caveat here is that it is an intense process - weeks or months to prepare for, and the security procedures you put in place are especially heavy for a smaller company. Maintaining these certifications takes a lot of work too and you would almost need to hire a security officer to keep up with it.
groundthrower over 3 years ago

We have been asked by Fortune 500s for the ISO27001 along with the hundreds of security related questions. We got through without the certificate by convincing them in other ways how much we (the 2 of us) focus on security.
comprev over 3 years ago

I worked somewhere which had a stack of potential clients waiting for the 27001 stamp. Afterwards they all signed within months, bringing significant revenue to the company. It was a night & day difference to them.
Mave83 over 3 years ago

Yes it is. If you do it right, it will not only improve your security but also your reliability as well as scalability. It forces you to think about your business processes and documentation. This helps with onboarding new employees as well as bringing structure to existing ones. In addition, you gain stability for your enterprise.

But, this does not come for free. You have to invest time and money, and most companies don't understand the importance of not copy-pasting existing SOPs and other documents.
nikanj over 3 years ago

It's useful as a moat: for an established player, maintaining a certification isn't a big effort. For a new player, it saps resources.
mritzmann over 3 years ago

For some companies it is enough to say "The data center is ISO certified". Which I always found strange, because almost every data center is ISO certified. But you will notice over time how relevant that will be for your customers. Simply ask with every lost offer what the reason was. Then you can still take care of your own certification.
janstice over 3 years ago

Architect who works on a bunch of procurement here - our approach is that a clean SOC2 Type 2 report is preferable, but not a deal-breaker (and reduces paperwork for me). But if you couldn't demonstrate that you could address the issues that SOC2 (etc) tests, that would be a problem.
Descon over 3 years ago

I just purchased software for our company and they had both ISO 27001 and SOC 2, which made it way easier to deal with our security and governance team. They like to see those certifications. It would be possible without, but the scrutiny would be much higher.
paxys over 3 years ago

If you have or are aiming for large enterprise customers, ISO 27001 is basically a requirement. You'll probably also need ISO 27017, ISO 27018, ISO 27701, SOC 2, SOC 3, APEC and maybe more, all depending on which stage your company is at.
Aaronstotle over 3 years ago

As someone who works in Infosec & Compliance, it makes third-party risk much easier when a vendor has a SOC2 report.

It depends on what kind of clients you have; if you are working with customers in regulated industries, then I believe it's worth it.
p0d over 3 years ago

When big clients require it then you get it. This is my experience. I have seen consulting costs range from £20k to £100k to get you through it.