Our Path to ISO 27001

We’re excited to announce our ISO 27001 certification. Read about what our process looked like and key learnings your team may find useful.
At Drata, it’s important for us to lead by example when it comes to security. It’s why our founders achieved SOC 2 compliance coming out of stealth, why we use our own tool to monitor our security posture, and why we hold our internal security programs to the highest standards.
On that note, we’re excited to announce our ISO 27001 certification. As we helped more and more customers achieve ISO 27001 certification and remain compliant with our tool, reaching this milestone was a natural next step for us.
Since we’re a compliance and security company, our journey to ISO 27001 might be a bit different than a company starting from scratch. However, our team still gathered a few key learnings and best practices that might help our customers as they go through their certification. Read all about our path to ISO 27001 certification below.
Why We Chose to Achieve ISO 27001
Internationally, ISO 27001 is a highly recognized and respected security standard. It’s designed by the International Standards Organization (ISO) and can generally be applied to companies of all sizes and industries.
The standard requires companies to establish an information security management system (ISMS) that maintains the confidentiality, integrity, and availability of information via a risk management strategy, and it expects information security to be factored into the company’s design of processes, information systems, and controls.
For any company, ISO 27001 helps signal to outside parties that you’re keeping customer data safe, complying with stringent security laws and regulations, and that your company places security at the forefront of your operations.
Our security team also likes applying ISO 27001 to on-premises software. Since ISO standards cover system and software approaches to the SDLC, they allow teams to make their controls more robust and develop secure information systems.
What it Means for Our Customers
As a global company, we see ISO 27001 certification as another testament to our commitment to building a secure environment for our customers. By using our own tool to achieve ISO 27001 certification, we’re not only reassuring customers that our security programs and controls are effective, but also that our team can guide them through their own accreditation.
ISO 27001 and SOC 2
Although ISO 27001 is a more intensive process, having SOC 2 Type 2 made our journey to ISO 27001 a lot more streamlined.
However, it’s important to note that while SOC 2 focuses on controls and showing the results of those controls, ISO takes a deeper dive into your security program and culture. It requires a strong tone-at-the-top and internal audit of your security programs.
Preparing for the Audit
Again, since we were already SOC 2 compliant, the team started by understanding how our SOC 2 controls mapped to the ISO framework and identifying any gaps. This step can help guide your ISMS meetings and inform you of any additional processes you’ll need to implement to ensure certification.
We reviewed our Statement of Applicability (SoA) to map controls to specific teams and identify key stakeholders. Each stakeholder was notified of any new controls they would need to own and what the audit process would look like for their teams. Here, using Drata played a key role in helping our team monitor their controls, pinpoint any failures, and prepare for the interview with the auditor.
Our Audit Process
The certification process consists of two audit stages to properly validate the efficacy and implementation of the company’s policies and controls.
It’s a three-year certification with surveillance audits during year two and year three. During these audits, an auditor from a certification body will test that our organization is still operating our controls as designed. Depending on company size, ISO 27001 certification traditionally takes anywhere from several months to a year.
Overall, our entire process from prep to certification took four months. Keep in mind that this timeline was on the shorter end for us, given our position in the security and compliance space and the effectiveness of our platform.
Our team used Drata to assign control owners, test and monitor those controls, automate evidence collection, and set up reminder notifications. Our auditing partner, Aprio, was then able to download all the necessary evidence from the platform as they conducted their audit.
As it does with any of our customers, our tool became an integral part of our security team’s day-to-day throughout our audit.
One of the reasons our audit results showed no nonconformities (meaning there were no findings of noncompliance with ISO 27001) is that our tool helps us continuously test and monitor our controls for any failures. By contrast, companies without a compliance automation tool might not discover nonconformities until the audit itself.
Moving forward, our team will keep using Drata as a preventative tool to review, monitor, and test our security posture, controls, and compliance with ISO and other frameworks and regulations like SOC 2 and GDPR.
It’s also important to prepare for your annual risk assessment and internal audit by keeping your ISMS plan up to date. If you add a new product, be sure to onboard that product into your ISMS scope.
Key Learnings and Best Practices
From our own journey and guiding clients through their own ISO 27001 certification, here are a few learnings, tips, and best practices we wanted to share:
Get Executive Buy-In
Little can get done if you don’t have support from your team. Set clear responsibilities and expectations, create an audit calendar, schedule reminders, and make sure leaders relay the importance of this process to their teams.
Set Expectations With Your Auditor
Communicate often, ask for clarification, and be proactive about raising any issues or concerns.
Review the Evidence Collection List
Become familiar with what the auditor will require and communicate those with your stakeholders and team members well in advance.
When Possible, Stay Ahead of Deadlines
Your auditor will provide a timeline; meeting its deadlines ahead of time helps communicate that you’re taking the process seriously.
Schedule a Walk-Through With Key Stakeholders
If you don’t have a dedicated security team, or if this is your first audit, scheduling a walk-through and confirming that what you’ve written matches your actual processes can help you avoid nonconformities.
For us, ISO makes a great addition to security programs and companies trying to set a strong security-first culture. We’re happy to be able to provide this reassurance to our customers and excited to continue helping them achieve their own ISO 27001 certifications.
If you’re looking to automate ISO 27001 and facilitate compliance maintenance, book some time with our team.