
ISO 27001 certification: A pocket guide for SaaS companies

The software as a service (SaaS) industry is projected to reach a staggering value of $720 billion by 2028!

With more companies using cloud solutions, information security continues to be a hot topic. Because of large-scale data breaches and the amount of data being migrated to the servers of prospective SaaS partners, companies can be hesitant to make the switch to the cloud.


As a founder or a senior executive in a SaaS company, how can you reassure your customers that their data is safe and protected?

This is where the ISO 27001 certification (an international standard for information security) can really help: it puts you in a position where your customers can trust you more and work with you confidently.

We’ve put together this guide to help you learn about what the ISO 27001 certification is, how it can help your SaaS company, what the rough costs are, and how you can get started.

What is the ISO 27001 certification?


Before diving deep into the certification, let’s first talk about what the term “ISO 27001” means and how it applies to your company.

ISO 27001 is:

  • A part of a set of internationally recognised standards
    It lays out the best practices for how companies should manage important information.

  • A blueprint of policies, procedures, and controls
    It allows companies of all sizes and industries to create an effective and reliable information security management system (ISMS).

    Tip: If you follow this blueprint when setting up an ISMS, or when building one from scratch, your ISMS will be ISO 27001 compliant (that is, it will follow the ISO 27001 standard).

Now that you know what “ISO 27001” is, the “ISO 27001 certification” simply means that your ISMS has been given a seal of approval; in other words, it has been certified by an independent certifying body.

Let’s go over why you need the certification, especially the benefits it has for SaaS companies.

How can the ISO 27001 certification help SaaS companies like yours?

ISO 27001 certification helps you in more ways than one:

  • Earn customer trust and confidence. Let your customers know that their personal data/information is safe and secure, and their privacy is respected at all times.
  • Lower chance of a data breach. Maintaining an ISO 27001-compliant ISMS helps your company assess and manage risks.
  • Win new customers and keep existing ones. Your customers will feel more confident sharing their data and working with you when you have the ISO 27001 certification, a globally accepted standard for information security.
  • Improve your reputation and gain a competitive edge over your competitors.
  • Comply with laws and regulations involving information privacy such as the UK GDPR and GDPR.
  • Manage your information with integrity by setting up an information security management system (ISMS).

Now that you know what the ISO 27001 certification is, and how it can help your company, let’s take a look at what you need to do to get certified.

What does your SaaS company need to get certified?

Before starting the certification process, you have to prepare for it. This means ensuring your company has all the necessary processes in place and meets all the requirements needed to be certified.

Here’s what you need to get started:

(You can also take a look at our implementation roadmap for a detailed step-by-step guide.)

  • Up-to-date ISMS
    An information security management system that regularly undergoes audits to make sure your company has best practices in place.

  • Gap analysis
    An analysis that compares how you currently protect your information with what the ISO 27001 requirements are.

  • Risk assessment
    A process that identifies security weaknesses and helps set up controls to address them.

  • Asset management
    A process that takes account of all the important tangible and intangible assets and how they will be protected.

  • Control sets/sections
    A set of rules that your information security management system should follow. Pick the controls that work for your company’s needs and objectives.

To make sure these points are completed, you’ll also need people on your team who can help you and oversee this project from start to finish.

Typically, there are 3 key roles:

  • ISO 27001 expert consultant
    They help you decide who should be on the project team, their roles, and the order of the process.
  • Project manager
    They should lead the project and ensure that the scope is followed.
  • Security officer
    They work for your company and are accountable for the project's security.

How much does it cost to get ISO 27001 certified?

Short answer: It depends.

It depends on:

  • The size of the company and the scope of the certification,
  • The current level of the information security management system (ISMS) and how much work is required to align it with the ISO 27001 standard,
  • The in-house resources available to work on the ISMS project,
  • How quickly the certificate is required,
  • The certifying authority.

The cost of obtaining ISO 27001 certification can range from £10,000 to £48,000. Learn more about costs and their breakdown in the ISO 27001 certification cost article.

What is the ISO 27001 certification process and how long does it usually take?

Getting ISO 27001 certified as a SaaS company can initially seem challenging, but understanding the process and how long it can take will help you navigate it successfully.

Typically, the certification process is performed by an independent certification body in three parts:

  1. Document review
    An auditor from the independent certification body will review all your documentation and compare it to the ISO 27001 standard.
  2. Main audit
    An auditor first determines whether your company is ready for a full audit or not. Then your ISMS is carefully inspected to see if it complies with the ISO 27001 standard. If you pass this, you are awarded the certification!
  3. Surveillance audits
    An auditor conducts an audit on one or more parts of your ISMS.

Once the company is awarded an ISO 27001 certification, it is valid for 3 years. To keep the certificate active, remember to recertify every three years. This keeps your ISMS up to date and in line with best practices.

The time taken to get certified depends on the following:

  • Resources available
  • How complex the company’s operations are
  • Auditor availability
  • Number of employees free to work on the ISMS implementation project

Here’s a rough estimate of how long the process may take:

  • 1 to 20 employees - Up to 3 months
  • 20 to 50 employees - 3 to 5 months
  • 50 to 200 employees - 5 to 8 months
  • More than 200 employees - 8 to 20 months

With all this information, you’re almost at the finish line!

How can DataGuard help you build customer trust and confidence with the ISO 27001 certification?

We help SaaS companies get their ISO 27001 certification with ease, and show their customers their data is safe.

  • Work with trusted experts
    100% of our users pass certification the first time. Our team has extensive expertise in the legal and technical fields of compliance.
  • 1:1 free expert consultation
    Get answers to any of your questions about ISO 27001 and our services.
  • Customised solutions for your company
    Find out what works best for your SaaS company.
  • Easy-to-use ISMS
    Our Info-Sec platform will become your living ISMS. You can track your assets, documents, risks and audits, all in one place.

Interested in getting ISO 27001 certified? Get in touch with our experts today.


If you enjoyed this article, you may also be interested in “SOC 2 vs ISO 27001: Key Differences Explained”.
