Read about what our ISO 27001 certification process looked like and 5 key learnings your team may find useful as you begin your certification journey.
5 Key Learnings From Our Path to ISO 27001
At Drata, it’s important for us to lead by example when it comes to security. It’s why our founders achieved SOC 2 compliance coming out of stealth, why we use our own tool to monitor our security posture, and why we hold our internal security programs to the highest standards.
Achieving our own ISO 27001 certification and helping more and more customers achieve and maintain compliance with our tool, we've learned a few things along the way.
Since we’re a compliance and security company, our journey to ISO 27001 might be a bit different than a company starting from scratch. However, our team still gathered five key learnings and best practices that might help you in your journey.
Read all about our path to ISO 27001 certification below.
Internationally, ISO 27001 is a highly recognized and respected security standard. It is published by the International Organization for Standardization (ISO) and can generally be applied to companies of all sizes and industries.
The standard specifies an information security management system (ISMS) that requires companies to maintain the confidentiality, integrity, and availability of information through a risk management strategy, and to factor information security into the company's design of processes, information systems, and controls.
For any company, ISO 27001 helps signal to outside parties that you’re keeping customer data safe, complying with stringent security laws and regulations, and that your company places security at the forefront of your operations.
Our security team also likes applying ISO 27001 to on-premises software. Because the ISO 27001 controls cover both system and software aspects of the SDLC, they help teams make their controls more robust and develop secure information systems.
From our own journey and guiding clients through their own ISO 27001 certification, here are a few learnings, tips, and best practices we wanted to share:
Little can get done if you don’t have support from your team. Set clear responsibilities and expectations, create an audit calendar, schedule reminders, and make sure leaders relay the importance of this process to their teams.
Communicate often, ask for clarification, and be proactive about raising any issues or concerns.
Become familiar with what the auditor will require and communicate those with your stakeholders and team members well in advance.
Your auditor will provide a timeline, and meeting its deadlines ahead of time will help show that you're taking the process seriously.
If you don’t have a dedicated security team or if this is your first audit, scheduling a walk-through and making sure what you’ve written matches your processes can help avoid any nonconformities.
Although ISO 27001 is a more intensive process, having SOC 2 Type 2 made our journey to ISO 27001 a lot more streamlined.
However, it’s important to note that while SOC 2 focuses on controls and showing the results of those controls, ISO takes a deeper dive into your security program and culture. It requires a strong tone-at-the-top and internal audit of your security programs.
Again, since we're already SOC 2 compliant, the team started by understanding how our SOC 2 controls mapped to the ISO framework and identifying any gaps. This step can help guide your ISMS meetings and tell you which additional processes you'll need to implement before certification.
We reviewed our Statement of Applicability (SoA) to map controls to specific teams and identify key stakeholders. Each stakeholder was notified of any new controls they would need to own and what the audit process would look like for their teams. Here, using Drata played a key role in helping our team monitor their controls, pinpoint any failures, and prepare for the interview with the auditor.
The certification process consists of two audit stages to properly validate the efficacy and implementation of the company’s policies and controls.
It's a three-year certification with surveillance audits in year two and year three. During these audits, an auditor from a certification body tests that the organization is still operating its controls as designed. Depending on company size, ISO 27001 certification traditionally takes between several months and a year.
Overall, our entire process from prep to certification took four months. Keep in mind that this timeline was on the shorter end for us, given that we're in the security and compliance space and could lean on our own platform throughout.
Our team used Drata to assign control owners, test and monitor those controls, automate evidence collection, and set up reminder notifications. Our auditing partner, Aprio, was then able to download all the necessary evidence from the platform as they conducted their audit.
As it does with any of our customers, our tool became an integral part of our security team’s day-to-day throughout our audit.
One of the reasons our audit results showed no nonconformities—meaning there were no findings of noncompliance with ISO 27001—is that our tool continuously tests and monitors our controls for failures. By contrast, companies without a compliance automation tool might not discover nonconformities until the audit itself.
Moving forward, our team will keep using Drata as a preventative tool to review, monitor, and test our security posture, controls, and compliance with ISO and other frameworks and regulations like SOC 2 and GDPR.
It's also important to prepare for your annual risk assessment and internal audit by keeping your ISMS plan up to date. If you add a new product, be sure to bring that product into the ISMS scope.
For us, ISO makes a great addition to security programs and companies trying to set a strong security-first culture. We’re happy to help you provide the same reassurance to your customers with your own ISO 27001 certification.