Where the work happens for ISO 27001 compliance

The tricky part about growth is that when it happens, not only new possibilities arise, but also challenges appear. This also applies to your SaaS business. As it develops, you’re able to reach and sell to a wider variety of customers, with a particular focus on big ones. That’s great, because big customers may mean big opportunities. This doesn’t come without any extra effort though - that group often has specific requirements, such as expecting you to show that your service is secure. Proving that to each and every of your new potential customers doesn’t sound like a scalable task. The consequence is, eventually you could end up spending more time convincing customers about paperwork that you do than on delivering actual value.

A woman sitting at a table with lots of papers.

Photo by Dimitri Karastelev on Unsplash

Thankfully, you can reduce your time and effort devoted to case-by-case negotiation by designing and implementing an information security management system (ISMS). This would open the door to obtaining an ISO 27001 certificate that proves you are committed to managing information securely and safely - an additional layer of confidence approved by an external independent body. Certification helps your potential customers trust you with their data - and that trust you earn is the most valuable asset in the modern digital economy.

Once you’ve identified the benefits, you’ll want to understand the cost and the time to get certified for security. As often happens in life, there is no one right path to achieve that. There are infinitely many ways, as the time and effort depend on where you start from (just like with travel).

Your path to achieve ISO 27001

You might think that getting certified means an auditor forcing you to tick off each and every bullet point from their checklist. To be absolutely clear, there probably are checklists, but it’s largely up to your organisation to pick which one to use. You may even decide to write your own. This amount of freedom can initially feel a little overwhelming, but it’s important to remember that the whole point of the certification is to be able to show that you’ve put information security controls in place that are tailored specifically for your business. This should take multiple factors, such as your starting point, but also size and area of operation, into account.

Having said that, the first step on your journey is to identify gaps where your organisation isn’t managing information security well. Only after that, you can have a more concrete idea about the schedule of your journey. The approach you take depends on how many technical remediation tasks you expect your IT and product management to have, especially in what place they are regarding information as well as product-related security.

Let’s start with an easier option. If you’re happy with how these two aspects are looking at your organisation and not many tweaks are needed, the work typically follows two parallel tracks. The first area would be implementing automated evidence capture to check and prove that the existing controls work. At the same time, you review or introduce non-technical policy elements, such as having a user onboarding policy, or a policy on secure remote working.

Maybe you’re starting from a point where there aren’t those controls already in place, and you know big change needs to happen. In this case, you’ll need to comprehensively analyse some of the key risks across your business. This may sound a bit overwhelming, but let me underline once again that the procedure is mostly tailored to your specifics, contrary to imposing a one-size-fits-all checklist. That fortunately means that as a company starting from scratch you don’t have to fix all the gaps to get certified. Instead, you need to understand the landscape and show that they’re being just rigorous enough that they can prioritise what’s important and fix risks where feasible - even if it means managing only one key risk.

Still not sure where to start?

In case that high-level view still appears too blurry, I prepared a list of the most common risks, based on our experience:

  1. Too broad access to your cloud resources: This often shows up as full admin permissions for most of the staff, which is against the principle of least privilege and minimising the blast radius in case of an incident.
  2. Systems and services without adequate controls: Despite being far from good practice, we still often encounter all of the following in cloud environments: services directly accessible from the internet, your server having port 22 open, or your data not being properly encrypted.
  3. Lack of environment separation: Another factor to consider is whether your environments are separated enough (setting up a landing zone may help). Can a security gap in development have an impact on production? You’d hope not. In particular, I advise you not to keep all your cloud infrastructure in one AWS account.

It’s important to treat that 3-item list as a loose guideline; good information security is not about a one-off box-ticking exercise. On the contrary, it requires a systematic and holistic approach towards addressing risks. Achieving ISO 27001 certification comes with a commitment to annual surveillance audits, as well as a full audit every three years. This includes continuous monitoring and improvements.

In fact, a key outcome is to show that you’ve planned these improvements and prioritised them for your business context. ISO 27001 isn’t a fixed checklist that every firm follows, and the adaptive way of working may require a complete change of mindset. Taking into account that the efforts may result in a higher and more robust lead rate, this may be worth it.

At this point, it’s worth getting a tool to simplify your compliance work (have a look at our blog post with a survey of them). Doing it all with spreadsheets, Word documents, or generic apps such as Confluence is feasible. A dedicated SaaS tool pays for itself in time saved, providing advantages such as visibility, consistency, and integrated notifications. Your compliance journey doesn’t end with achieving ISO 27001; once you’re compliant and certified, tooling automation means that a lot of your evidence for remaining compliant is automatically collected and aggregated (maybe even coming with a nice dashboard functionality), so your annual audits are becoming less hectic and burdensome.


Regardless of which of the two outlined scenarios you identify with, once you’ve got those processes in place, you’ve got a picture of what improvements you need to make and why. Whether these are small snags around documentation, or big changes to lock down your cloud software, you’ve shown why those changes are worth doing and you know the risks of not doing them.

That’s really what ISO 27000 is about. You get an evidence-led plan to work on improvements. Start on that plan and keep at it. Once you’re up and running, you can get a certificate to show that you’re doing this properly, according to ISO 27001, and show it to your sales leads.

Are you ready for ISO 27001? Do you have an effective information security management system that delivers the right technical controls in your AWS environment?

Our whitepaper looks at the tasks involved and makes some recommendations. Or for a quick expert check and report of your infrastructure against the reference controls of ISO 27002, see our AWS Readiness Assessment.

Book your assessment now or book a free chat with us to discuss this further.

This blog is written exclusively by The Scale Factory team. We do not accept external contributions.

Free Healthcheck

Get an expert review of your AWS platform, focused on your business priorities.

Book Now

Discover how we can help you.

Consulting packages

Advice, engineering, and training, solving common SaaS problems at a fixed price.

Learn more >

Growth solutions

Complete AWS solutions, tailored to the unique needs of your SaaS business.

Learn more >

Support services

An ongoing relationship, providing access to our AWS expertise at any time.

Learn more >