Rollee is compliant with ISO 27001

How to get ISO-compliant as an early-stage start-up - 7 easy steps and 3 additional tips for security managers

January 12, 2023
6 min read
Rollee is compliant with ISO 27001

The ISO standard is a must-have for tech companies to grow and scale. As an early-stage startup, we wanted to tackle this topic as soon as possible because we consider security a top priority, for our product and for our customers.

What is ISO? It is an organization called the International Standard Organization. The members of the ISO organisation co-write norms to fit international expectations and can apply to all legal standards.

There are a lot of ISO norms, about health, industry standards, quality and many more… and ISO 27001 is the standard for data management in all its forms.

ISO 27001 contains over 150 checkpoints to cover quality requirements in a company. It is not mandatory, but at Rollee, we decided to get certified for 2 reasons.

Reason N1 is that security (and especially relying on data) is at the core of our product. Reason N2 is that we wanted to follow an official standard to set up our operational security framework. Following a standard that is internationally recognized means that our international customers can trust us and rely on our products.

Our Methodology to be compliant with ISO 27001

At Rollee, we value well-thought processes and headed to the ISO 27001 certification with a plan. We planned several steps beforehand to ensure our success, to avoid rework and to plan our resources efficiently.

Step 1 ⇒ Know what is done, and what is not done

We run an internal audit to understand our present processes, how we work and what processes are already implemented. This helps us get a situational analysis of our present standards to identify gaps and opportunities for improvement.

Step 2 ⇒ Train yourself and others on the standard

Your standard needs to be known and understood by your team. To make sure that our employees understand the impact of the standard we organized informational sessions and Q&A.  Creating awareness around the security standard is the first step to implementing working policies.

Step 3 ⇒ Create the framework of your policy

We choose an external supplier that allows us to provide the inventory, internal tools etc. We documented our process and created our security policy and our framework to match our needs and our industry.

Step 4 ⇒ Implement new security measures

Then, it was time to implement new security measures, that didn’t exist until then.

  • We implemented a password manager tool for all employees, to reduce the risk of poor password management.
  • We implemented a supplier management review process.
  • We measured the efficiency of our Information Security Management System with relevant KPIs.
  • We conduct regular security training for employees.
  • We improve the security of physical assets.

And this is just the tip of the iceberg.

Step 5 ⇒ Identify your certification agency

Once we felt confident in our framework implementation, we set out to find a certification organism. Our goal was to find an organism and set a certification date that would fit in our certification roadmap and overall timing.

Step 6 ⇒ Schedule the certification audits

As soon as we found the right organism, we started to organize the certification audits. Stage 1 of the certification is lighter and will determine if the company is ready to pass the certification and if the standard is well implemented.

Stage 2 of the certification is more detail-oriented and focused on double-checking and verifying the claims we make in our policy.

Step 7 ⇒ Keep up the good work 💪

Getting ISO 27001 certified is a continuous effort. We got our 2022 audit certification and are now getting ready for the 2023 Surveillance audit.

Our goal is clear: we want to stay up-to-date with security trends and policies, follow the norms and requirements, and extend our policy depending on the needs and the evolution of our company.

Why is this standard important in our industry?

The ISO certification requires a lot of effort and investment: internal resources, but also financial resources, to set up the necessary tools and to actually make it to the audit.

Our Mission is to empower workers to take control of their income data in a secure environment. By investing in the security of our infrastructure and environments, we walk the talk and create an example for our users.

At Rollee, we decided that the investments are worth it, as we want to show our commitment to a secure work environment, proving our engagement to security first and maintaining our security standard over the years.

Security is at the core of our company culture: by enforcing security, we minimize risks and can better protect our customers.

Our tips for a successful 27001 certification

Tip N1: ⇒ Provide a budget estimation.

Depending on the size of your company, the internal resources needed and the tools you will implement, your budget will vary. Don’t forget to take into account the budget for the audit itself, ranging from X to Y depending on various factors.

Tip N2: ⇒ Invest in training

Providing extensive and quality training to employees, and technical teams is essential to guarantee a successful implementation of the certification standards. Your team will use the standard every day and they are ensuring the high standard will be respected. Don’t underestimate the training you will do - take all the time it takes to give your teams the best tools to be compliant.

Tip N3: ⇒ Automate everything you can

If you can automate something, then do it. Don’t let manual processes slow you down!

Supplier management, employee onboarding and offboarding, evidence collection and continuous monitoring can all be automated, and help you reduce any risks of human mistakes.

Are you thinking of getting ISO certified? Do you want to learn more about our security processes? Reach out and we will happily share more details about our security policy with you!

Check out our Homepage to learn more about Rollee, and follow us on Linkedin.