This is a case-study about the certification path of kicker.cloud, an early stage startup, its SaaS product and high ambitions aiming towards a global market. kicker.cloud encountered the same issues so many others have faced before and will in the future – the dreaded procurement Excel-sheets with seemingly endless amounts of security requirements that need to be addressed before any business deals can go ahead.
Kicker.cloud is driven by two founders, Heini and Matt, who together have created a SaaS-solution for managing the lifecycles of M&A practices. The initial mail from Heini, one of the founders, reached Mint Security in October 2023 and read as follows.
And so it begins - the ISO 27001 certification project
It was very clear from the start that the certification would not be done by the end of 2023. Why is that? As we know, once all the heavy lifting work is done you need to
- perform an internal audit and
- process the results on a management review then
- do the stage 1 audit and process the results from that and then
- do the stage 2 (=certification) audit, pass that audit and then
- wait for the results and the actual certificate.
If we create a timeline working ourselves back through the phases, it becomes painfully clear that 2 months – including the year-end Christmas vacations – was not going to be feasible.
We then set the ambitious target to have everything prepared for the internal audit – and do the internal audit – before Christmas. That gave us roughly 5 weeks.
How we did what we did
A true key to this was management commitment. Heini and Matt, the two founders, had the best motivation ever – they needed the certification to prove that despite their small size, the team had implemented an information management system appropriate for enterprise level clients, and thereby break through the procurement glass ceilings and get their product out there. Both put in the effort and hours needed to get to know and understand the management system, and document what was needed. And learn, improve, and then learn some more.
Our jobs as consultants was constantly being alert and guiding and answering one question in a different context over and over again – is this good enough. What this meant was scaling down everything to a realistic level that could be expected from a small startup while maintaining the quality required from ISO27001, and communicating this to the entrepreneurs. That said, everything necessary and mandatory was still – thoroughly enough – documented. This included the core ISMS, related policies, standards and guidelines. Of course, the SaaS product, its development lifecycle as well as operations and incident management was also documented and duly implemented.
For this to be possible – applying a “minimum viable” -philosophy – meant understanding the context of the company clearly and immediately, creating good and sensible objectives, helping the entrepreneurs to approach and making sense of risk management and linking everything together. This exercise was not about tools nor templates, but all about applying the concept of taking necessary project risk and constantly planning for the certification audit by having bullet proof explanations and understanding for every decision made.
The final cut
The project started in October 2023. The internal audit was done in early December 2023. The management review was held in January 2024 and ISO 27001 certification was achieved in February 2024.
Lessons learned
Practical guidance on risk in the context of ISO 27001
Within the context of ISO 27001, risk comes up as a topic all over the place. The standard itself, as most of ISO standards nowadays
Internal audit – Using internal or external resources?
As part of the ISO/IEC 27001 certification process, organizations must conduct regular internal audits to ensure compliance and identify areas for improvement. One common dilemma faced by businesses is whether to conduct these audits internally or engage an external company to do it.
First steps of an ISMS project
Planning for an industry standard compliant information security management system — in brief: carrying out an ISO 27001 project — can break cover from various starting points. Some organizations have already familiarized themselves with the standard, some have even written the first mandatory documents. Yet for many, this article could be the first contact with any form of security work at all.
