Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

This is a case study about the certification path of kicker.cloud, an early-stage startup, its SaaS product and its high ambitions towards a global market. kicker.cloud encountered the same issues so many others have faced before and will face in the future – the dreaded procurement Excel sheets with seemingly endless amounts of security requirements that need to be addressed before any business deals can go ahead.

kicker.cloud

Kicker.cloud is driven by two founders, Heini and Matt, who together have created a SaaS solution for managing the lifecycles of M&A practices. The initial mail from Heini, one of the founders, reached Mint Security in October 2023 and read as follows.

And so it begins - the ISO 27001 certification project

It was very clear from the start that the certification would not be done by the end of 2023. Why is that? As we know, once all the heavy lifting is done you still need to

  1. perform an internal audit and
  2. process the results on a management review then
  3. do the stage 1 audit and process the results from that and then
  4. do the stage 2 (certification) audit, pass that audit and then
  5. wait for the results and the actual certificate.

If we create a timeline working backwards through these phases, it becomes painfully clear that 2 months – including the year-end Christmas vacations – was not going to be feasible.

We then set the ambitious target to have everything prepared for the internal audit – and do the internal audit – before Christmas. That gave us roughly 5 weeks.

How we did what we did

A true key to this was management commitment. Heini and Matt, the two founders, had the best motivation ever – they needed the certification to prove that, despite their small size, the team had implemented an information security management system appropriate for enterprise-level clients, and thereby break through the procurement glass ceilings and get their product out there. Both put in the effort and hours needed to get to know and understand the management system, and to document what was needed. And to learn, improve, and then learn some more.

Our job as consultants was to be constantly alert, guiding, and answering one question in a different context over and over again: is this good enough? In practice this meant scaling everything down to a realistic level that could be expected from a small startup while maintaining the quality required by ISO 27001, and communicating this to the entrepreneurs. That said, everything necessary and mandatory was still – thoroughly enough – documented. This included the core ISMS and the related policies, standards and guidelines. Of course, the SaaS product, its development lifecycle, and its operations and incident management were also documented and duly implemented.

Making this possible – applying a “minimum viable” philosophy – meant understanding the context of the company clearly and immediately, creating good and sensible objectives, helping the entrepreneurs approach and make sense of risk management, and linking everything together. This exercise was not about tools or templates, but all about consciously taking the necessary project risk and constantly planning for the certification audit by having bulletproof explanations and understanding for every decision made.

The final cut

The project started in October 2023. The internal audit was done in early December 2023. The management review was held in January 2024 and ISO 27001 certification was achieved in February 2024.

Lessons learned

  • Anyone can be certified

    Anyone can be certified, as long as there is a true business need and a true will.

  • Scaling down

    Scaling down is a risk in itself – known as the project risk. This must be managed by experts with a clear vision, an understanding of the needs of the company, and a good eye for the auditing game, with knowledge of the spirit of certification (which includes a fair amount of psychology).

  • Ditch unrealistic schedules

    Unrealistic schedules should be shot down immediately. Focus on the things you can affect – the project itself. Let the rest sort itself out – Christmas holidays and auditors' schedules.
