ISO 27001 certified in record time: How we did it

Written by
Per Gustavsson
Reading time
5 min

Not every company needs ISO 27001 certification. But if you want to show that your company is actively working on information security and meeting the requirements of various stakeholders and laws, certification is a good investment. But the path to certification is rarely straightforward, and tough demands are placed on both you as a CISO and the entire company. Here, Stratsys CISO Per Gustavsson tells us how we achieved ISO 27001 certification in just eight months, and highlights the key factors that are crucial to success.

What does ISO 27001 certification mean?

ISO 27001 certification is a stamp of approval that a company takes information security seriously. Certification requires a structured and effective approach to information security. Achieving ISO 27001 certification is a significant achievement, but it requires careful planning and execution.

Not every company needs ISO 27001 certification, but every company does need a systematic approach to information security. A positive aspect of certification is that an external party reviews and confirms that your work meets your information security objectives. This makes it easier to know what efforts are required and what the company should focus on going forward. It also makes it easier to communicate with subcontractors: telling them that you hold ISO 27001 certification reduces the number of information security questions they raise by around 90 percent.

The value of ISO 27001 certification

It's not really the certification itself that matters, but the systematic information security management that a company applies. An ISO certification is a best practice that shows that the work your company does is done correctly. On the one hand, the company shows the outside world that information security is taken seriously, and on the other hand, there are tools in place to continuously keep internal track of information security work and make continuous improvements.

To be honest, the GDPR caused some panic when it came, but for companies that had a routine for dealing with constant change, it was much easier to navigate. In other words, if you already have strategies in place and are doing the right thing, it will be much easier once a new law comes into force.

Keep up with upcoming legislation

With the entry into force of the EU Cyber Security Act in 2019, a number of pieces of legislation were introduced. All of them require a systematic approach to data protection and information security, and ISO certification is an effective way to keep up with new legislation. The main focus is on the following pieces of legislation:

  • GDPR - the General Data Protection Regulation, which was adopted in 2016 and came into force in 2018.
  • DORA (Digital Operational Resilience Act) - Decided in 2023 with compliance requirements from January 2025.
  • NIS & NIS2 - Directives adopted; NIS came into force in 2018 and NIS2 comes into force on October 18, 2024.
  • CER (Critical Entities Resilience Directive) - Directive decided in 2022, applicable from October 10, 2024.
  • EU AI Act - The proposal was made in 2021, and it is under preparation in 2023. It is hoped that it will be ready in 2023 and will apply from 2025.
  • CRA (Cyber Resilience Act) - Regulation proposed in 2020, work on the regulation is ongoing in 2023, and a decision should be taken in 2024 and apply from 2026.

5 key factors for successful certification

It is possible to complete certification in six months if the preparatory work, which usually takes about a year, has already been done. Once the decision to certify has been made, you carry out the internal work and possibly bring in someone from outside for analysis. Then you contact the certification body.

"Culture and staff are really key to success"

How long the process takes depends to some extent on whether you bring in someone to help or whether you go it alone, says Per. "We went ahead, even though we knew we had shortcomings and would have deviations. It's pretty obvious that you will have deviations as the world changes and we change with it. But you have three months to correct the deviations, and with our competent staff and good corporate culture combined with good preparatory work and system support in place, I knew we could fix it. The culture and the staff are really key to success, which is important to emphasize."

Per Gustavsson, CISO at Stratsys

1. Start with your customer success function

A key success factor in finding out how well your work is going is to start with your customer success function. Customer success measures how the company is doing and is therefore an excellent starting point for reviewing the state of internal security. Based on the feedback from your customers, you can pick out the common issues that tend to come up, and get information about any serious security incidents.

Start from what your core business is. For us as a SaaS company, our core business is the software and service we deliver. The most important thing is that our service, our deliveries and support work. A company is most vulnerable when the core of the business is exposed, so it is good to start right there.

2. CISO as coordinator and pillar

As a CISO, you are the coordinator of the entire process. The work that needs to be done is clear: carry out risk analyses, and use them to fulfill the various requirements of the certification. You are the one who ensures that the conditions exist to push the certification through, even though information security applies to everyone in the company. To succeed, you need to build it into your daily work and introduce changes continuously.

Also, get help from a reference group with people from HR, legal and development. After all, all changes affect staff, which makes it particularly important to involve HR. It's good to have a smaller group to brainstorm with and not burden the management team too much.

3. Everyone is involved

If you only start the work the week before the follow-up audit, you are thinking wrong. The work needs to be distributed throughout the organization and you need to ensure that everyone is involved throughout the year. Everyone should contribute, although some will naturally have more responsibility.

Try to show employees what to do rather than tell them what to do. Allocate responsibility for risk analysis in different areas and tell them what challenges you see. Communicate that you will help identify risks, and ask simple questions to help them move forward. See yourself as a mentor, not a boss. You are there to help, lead and provide the right conditions for them to do their job, even if it will be challenging for many. In short: act as their anxiety coach.

4. System support

Your company will have some deviations, but hopefully not major ones. Without system support, the work can be tough, but that depends entirely on your circumstances, and it is not something that all companies need. For us, our system support was a strong contributing factor to the work going so smoothly. Among other things, it simplified data collection from the different parts of the company, and made it easier for employees to focus on and perform their tasks. The system support also includes support for the legal requirements linked to information security, which made the process much easier.

5. Get management on board

Finally, a common challenge is to get management on board. There are different ways to do this, but generally speaking, it's about understanding the organization and who you are talking to. Even if the message is the same for the CEO and the management team, you may need to formulate it in a language that each level of management understands.

Let a management exercise bring management to life

An excellent exercise to expose management to is the Kalix scenario, which is based on the cyberattack that took out large parts of Kalix municipality's operations in 2021. The management team is confronted with this scenario and tasked with discussing what should be done.

After 15 minutes, the phone rings on a communication device of your choice. It's a journalist from TV4 with tough questions (in reality, it's someone you have asked to call and pretend to be a journalist). Presumably the management team will want to let the CISO or CTO take the call, but you announce that unfortunately the CISO is on leave and the CTO has tonsillitis. The CEO has to take the call.

When I run this exercise myself, I actually hope it doesn't go well, because that raises awareness and makes the participants realize how serious what can happen really is. If you didn't have management's attention before, you will have it after this exercise. My approach succeeded, but I already had full trust and attention from day one. So you have to nurture that trust well.

Want to know more about our system support and how it can help your company accelerate ISO 27001 certification? Read more about the platform or contact us for more information.