5 Key Learnings From Our Path to ISO 27001


Read about what our ISO 27001 certification process looked like and 5 key learnings your team may find useful as you begin your certification journey.

At Drata, it’s important for us to lead by example when it comes to security. It’s why our founders achieved SOC 2 compliance coming out of stealth, why we use our own tool to monitor our security posture, and why we hold our internal security programs to the highest standards. 

In achieving our own ISO 27001 certification and helping more and more customers achieve and maintain compliance with our tool, we've learned a few things along the way.

Since we’re a compliance and security company, our journey to ISO 27001 might be a bit different from that of a company starting from scratch. However, our team still gathered five key learnings and best practices that might help you in your journey.

Read all about our path to ISO 27001 certification below. 


Why We Chose to Achieve ISO 27001

Internationally, ISO 27001 is a highly recognized and respected security standard. It’s designed by the International Standards Organization (ISO) and can generally be applied to companies of all sizes and industries.

The standard’s information security management system (ISMS) requires companies to maintain the confidentiality, integrity, and availability of information via a risk management strategy, and information security should be factored into the company’s design of processes, information systems, and controls.

For any company, ISO 27001 helps signal to outside parties that you’re keeping customer data safe, complying with stringent security laws and regulations, and that your company places security at the forefront of your operations. 

“Drata was an instantaneous value add for us as a scaling company. Their product combined with their personal touch allowed us to navigate the compliance process for SOC 2 and now ISO 27001; we are excited to continue using it as we expand our compliance capabilities faster than we could have without it!” — Patti Degnan, Notion

Our security team also likes applying ISO 27001 to on-premises software. Since the ISO standards cover system and software approaches to the SDLC, they allow teams to make their controls more robust and develop secure information systems.

5 Key Learnings and Best Practices 

From our own journey and guiding clients through their own ISO 27001 certification, here are a few learnings, tips, and best practices we wanted to share: 

Get Executive Buy-In

Little can get done if you don’t have support from your team. Set clear responsibilities and expectations, create an audit calendar, schedule reminders, and make sure leaders relay the importance of this process to their teams. 

Set Expectations With Your Auditor

Communicate often, ask for clarification, and be proactive about raising any issues or concerns. 

Review the Evidence Collection List

Become familiar with what the auditor will require and communicate those requirements to your stakeholders and team members well in advance.

When Possible, Stay Ahead of Deadlines

Your auditor will provide a timeline, and meeting deadlines ahead of time will help communicate that you’re taking the process seriously.

Schedule a Walk-Through With Key Stakeholders

If you don’t have a dedicated security team or if this is your first audit, scheduling a walk-through and making sure what you’ve written matches your processes can help avoid any nonconformities. 


A Note on ISO 27001 vs. SOC 2 

Although ISO 27001 is a more intensive process, having SOC 2 Type 2 made our journey to ISO 27001 a lot more streamlined. 

However, it’s important to note that while SOC 2 focuses on controls and showing the results of those controls, ISO takes a deeper dive into your security program and culture. It requires a strong tone-at-the-top and internal audit of your security programs. 

Preparing for the Audit 

Again, since we were already SOC 2 compliant, the team started by getting an understanding of how our SOC 2 controls mapped to the ISO framework and identifying any gaps. This step can help guide your ISMS meetings and inform you of any additional processes you’ll need to implement to ensure certification.

We took a look at our Statement of Applicability (SoA) to map controls to specific teams and identify key stakeholders. Each stakeholder was notified of any new controls they’ll need to own and what the audit process will look like for their teams. Here, using Drata played a key role in helping our team monitor their controls, pinpoint any failures, and prepare for the interview with the auditor. 

Our Audit Process

The certification process consists of two audit stages to properly validate the efficacy and implementation of the company’s policies and controls.

It’s a three-year certification with surveillance audits during year two and year three. During these audits, an auditor from a certification body will test that our organization is still operating our controls as designed. Depending on company size, ISO 27001 certification traditionally takes anywhere from several months to a year.

Overall, our entire process from prep to certification took four months. Keep in mind that this timeline was on the shorter end for us, given that we’re in the security and compliance space and given the effectiveness of our platform.

Our team used Drata to assign control owners, test and monitor those controls, automate evidence collection, and set up reminder notifications. Our auditing partner, Aprio, was then able to download all the necessary evidence from the platform as they conducted their audit.

As it does with any of our customers, our tool became an integral part of our security team’s day-to-day throughout our audit.

Staying Compliant

One of the reasons why our audit results showed no nonconformities (meaning there were no findings of noncompliance with ISO 27001) is that our tool helps us continuously test and monitor our controls for any failures. On the other hand, companies without a compliance automation tool might not discover nonconformities until the audit itself.

Moving forward, our team will keep using Drata as a preventative tool to review, monitor, and test our security posture, controls, and compliance with ISO and other frameworks and regulations like SOC 2 and GDPR.

It’s also important to prepare for your annual risk assessment and internal audit by keeping your ISMS plan up to date. If you add a new product, be sure to bring that product into the ISMS scope.

For us, ISO makes a great addition to security programs and companies trying to set a strong security-first culture. We’re happy to help you provide the same reassurance to your customers with your own ISO 27001 certification.

