For more than five years, we have been selling software to customers worldwide. So far, though, we mainly sold software solutions that customers run on their own cloud infrastructure. Last year, we launched attachmentAV, a Software-as-a-Service (SaaS) solution that protects Jira, Confluence, Salesforce, and other applications from viruses and malware. To scan files for malware, attachmentAV sends them to our backend, where we run an antivirus engine powered by Sophos. So we face the challenge of building trust with potential customers and proving that we take information security seriously and protect their data. Many prospects asked about an ISO 27001 certification. That’s why we decided to prepare for an ISO 27001 audit in February 2025.
We had doubts about getting ISO 27001 certified. First, we assumed that ISO 27001 certification is out of reach for a 2-person company like ours. Second, we expected the process to involve a lot of paperwork and bureaucracy without adding any real value. But things turned out differently.
What is ISO 27001?
ISO 27001 is an international standard for establishing an information security management system (ISMS). An ISMS has to meet the following requirements:
- Identify and assess information security risks, including threats and vulnerabilities.
- Implement effective security controls, or other forms of risk treatment, for risks that are not acceptable.
- Maintain a process to regularly review and update security controls as needed.
Our journey to ISO 27001
Our research showed that there are two main ways to prepare for an ISO 27001 audit:
- Work with a consultancy helping you to implement an ISMS and the necessary procedures.
- Buy a tool that guides you through the process in an automated way.
We decided to go with the second option. We looked at a few tools and chose Sprinto, which describes itself as a continuous security and compliance platform.
First, with the help of the Sprinto team, we set up policies and controls that define who is responsible for which part of information security in our company. Second, we started implementing the controls. Luckily, Sprinto comes with integrations for most of the tools and platforms we use: Amazon Web Services, Google Workspace, GitHub, and many more. So implementing controls mostly means configuring the integrations and working through the checks in Sprinto. More on those checks below.
It took us eight weeks to implement the controls. Then, we handed the collected evidence over to an external auditor. Nine weeks after we started the project, we held the ISO 27001 certificate in our hands.
Infrastructure
100% of our infrastructure is hosted on Amazon Web Services. Sprinto provides an integration that connects to the AWS API and creates an inventory of all assets. Those assets need to be classified as production or non-production. Sprinto then runs checks against the production assets to verify that they comply with the specified controls.
It took us a while to roll out the Sprinto integration to all our AWS accounts because there was no way to automate the process. Luckily, Sprinto released a new feature that lets us use AWS Organizations and CloudFormation StackSets to roll out the integration to all AWS accounts at once.
Even though our AWS infrastructure follows security best practices, Sprinto produced a list of 100+ checks that needed to be addressed. At the beginning, we strictly implemented every change raised by Sprinto. But we soon realized that some of the changes were not applicable to our infrastructure, and we started to document exceptions for those cases. For example, the checks raised concerns about missing backups for some DynamoDB tables. However, we use those DynamoDB tables to store sessions and cached data that is deleted after a short period of time (TTL) and therefore does not need to be backed up. Worse, enabling backups for tables where a lot of data is created and deleted would have increased costs significantly. An exception like this should name the tables it covers and state why their data is transient, so that the auditor can verify the reasoning rather than just see a failed check.
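To separate real backup gaps from tables that only hold transient data, we found it useful to triage the findings with a small script before deciding what to fix and what to document as an exception. The following is an added example, not the blog's or Sprinto's own code. It assumes the compliance check looks at DynamoDB point-in-time recovery (PITR), and it treats a table with TTL enabled as a candidate for an exception, which is the rationale given above. The sample API responses are constructed, not taken from a real account.

```python
"""Triage "DynamoDB table has no backup" findings into real gaps and
exception candidates.

Added example for this post; not code from the blog authors or from
Sprinto. Assumptions: the check looks at point-in-time recovery (PITR),
and a table with TTL enabled holds only transient data (sessions,
caches) that does not need a backup.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TableStatus:
    name: str
    pitr_enabled: bool
    ttl_enabled: bool


def status_from_api(name: str, ttl_resp: dict, backups_resp: dict) -> TableStatus:
    """Build a TableStatus from the raw responses of
    describe_time_to_live and describe_continuous_backups."""
    ttl = ttl_resp.get("TimeToLiveDescription", {}).get("TimeToLiveStatus", "DISABLED")
    pitr = (backups_resp["ContinuousBackupsDescription"]
            ["PointInTimeRecoveryDescription"]["PointInTimeRecoveryStatus"])
    return TableStatus(name, pitr_enabled=(pitr == "ENABLED"), ttl_enabled=(ttl == "ENABLED"))


def classify(table: TableStatus) -> str:
    """'compliant' (PITR on), 'exception-candidate' (transient data,
    document it), or 'needs-backup' (durable data without PITR)."""
    if table.pitr_enabled:
        return "compliant"
    if table.ttl_enabled:
        return "exception-candidate"
    return "needs-backup"


def triage(tables) -> dict:
    """Map each table name to its classification."""
    return {t.name: classify(t) for t in tables}


# Constructed sample responses in the shape boto3 returns (not captured
# from a real account).
SAMPLE = {
    "orders": ({"TimeToLiveDescription": {"TimeToLiveStatus": "DISABLED"}},
               {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                   "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}}),
    "sessions": ({"TimeToLiveDescription": {"TimeToLiveStatus": "ENABLED", "AttributeName": "expires_at"}},
                 {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                     "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}),
    "customers": ({"TimeToLiveDescription": {"TimeToLiveStatus": "DISABLED"}},
                  {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                      "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}),
}


def triage_sample() -> dict:
    return triage(status_from_api(n, ttl, cb) for n, (ttl, cb) in SAMPLE.items())


def triage_account(region: str = "eu-central-1") -> dict:
    """Same triage against a live account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the pure functions above run without it
    ddb = boto3.client("dynamodb", region_name=region)
    tables = []
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            tables.append(status_from_api(
                name,
                ddb.describe_time_to_live(TableName=name),
                ddb.describe_continuous_backups(TableName=name)))
    return triage(tables)


if __name__ == "__main__":
    for name, verdict in triage_sample().items():
        print(f"{name}: {verdict}")
```

Run against the constructed sample, the script reports `orders` as compliant, `sessions` as an exception candidate, and `customers` as a table that really needs a backup. The exception candidates are the ones to write up with their TTL attribute as evidence; the rest go on the fix list.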
Vulnerabilities
Another important part is vulnerability management, an area where we did not have any established process before. We enabled vulnerability management in Sprinto and connected it with GitHub’s Dependabot and Amazon Inspector. Now, when a vulnerability is detected, we get notified, and Sprinto tracks that we roll out an update to fix it within the following deadlines:
- Critical vulnerabilities should be resolved within 3 days
- High vulnerabilities should be resolved within 30 days
- Moderate vulnerabilities should be resolved within 60 days
- Low vulnerabilities should be resolved within 100 days
Meeting those deadlines is a challenge for a 2-person company, but we are confident that we can do it. And we are happy to have a process in place that ensures we do our best to keep our customers’ data secure.
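Whether or not you use a compliance platform, it helps to be able to compute the deadlines yourself from the raw alert data. The following is an added example, not code from the blog authors, Sprinto, or GitHub. It encodes the deadlines listed above and reads the fields of GitHub's Dependabot alert API (`number`, `state`, `created_at`, `security_advisory.severity`). Dependabot labels the third level "medium" while the policy above says "moderate", so the alias in the script is an assumption about how to map the two. The alerts in `SAMPLE_ALERTS` are constructed, not real findings.

```python
"""Vulnerability SLA tracker over Dependabot alert data.

Added example for this post; not code from the blog authors, Sprinto,
or GitHub. The SLA table is the one stated in the post; the
"medium" -> "moderate" alias is an assumption; SAMPLE_ALERTS are
constructed records in the shape of the Dependabot alerts API.
"""
import json
import math
import urllib.request
from datetime import datetime, timedelta, timezone

SLA_DAYS = {"critical": 3, "high": 30, "moderate": 60, "low": 100}
SEVERITY_ALIASES = {"medium": "moderate"}  # assumption: Dependabot "medium" == policy "moderate"


def normalize_severity(severity: str) -> str:
    sev = SEVERITY_ALIASES.get(severity.lower(), severity.lower())
    if sev not in SLA_DAYS:
        raise ValueError(f"no SLA defined for severity {severity!r}")
    return sev


def due_date(created_at: str, severity: str) -> datetime:
    """Deadline = detection time + SLA for that severity (UTC)."""
    created = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    return created + timedelta(days=SLA_DAYS[normalize_severity(severity)])


def sla_status(alerts, now: datetime):
    """Open alerts as (number, whole days remaining), most urgent first.
    Negative days mean the SLA is already breached."""
    rows = []
    for alert in alerts:
        if alert["state"] != "open":
            continue
        due = due_date(alert["created_at"], alert["security_advisory"]["severity"])
        days_left = math.floor((due - now) / timedelta(days=1))
        rows.append((alert["number"], days_left))
    return sorted(rows, key=lambda r: (r[1], r[0]))


def overdue(alerts, now: datetime):
    """Alert numbers whose deadline has passed."""
    return [n for n, days in sla_status(alerts, now) if days < 0]


def fetch_alerts(owner: str, repo: str, token: str):
    """Pull open Dependabot alerts for one repo via the GitHub REST API
    (needs network access and a token with security_events scope)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed alerts in the API's shape (not real findings).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "created_at": "2025-02-01T00:00:00Z",
     "security_advisory": {"severity": "critical"}},
    {"number": 2, "state": "open", "created_at": "2025-01-10T00:00:00Z",
     "security_advisory": {"severity": "high"}},
    {"number": 3, "state": "fixed", "created_at": "2025-01-01T00:00:00Z",
     "security_advisory": {"severity": "medium"}},
    {"number": 4, "state": "open", "created_at": "2024-11-01T00:00:00Z",
     "security_advisory": {"severity": "low"}},
    {"number": 5, "state": "open", "created_at": "2025-01-20T00:00:00Z",
     "security_advisory": {"severity": "medium"}},
]
NOW = datetime(2025, 2, 6, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for number, days in sla_status(SAMPLE_ALERTS, NOW):
        state = "OVERDUE by" if days < 0 else "due in"
        print(f"#{number}: {state} {abs(days)} days")
```

With the constructed data and a "now" of 6 February 2025, the critical alert #1 (opened 1 February, 3-day SLA) is already overdue, the high alert #2 and the low alert #4 both fall due on 9 February, and the moderate alert #5 has six weeks left. Fixed alerts are skipped; a severity outside the policy raises instead of silently getting no deadline, which is the failure mode you want to notice.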
Staff & Access
While we are a 2-person company, we also hire freelancers to bring in expertise for specific tasks. Those freelancers need access to GitHub or some AWS resources. Previously, we went through the access management of our systems by hand and removed freelancers who were no longer working for us. ISO 27001 requires a process to onboard and offboard employees and freelancers. And we are glad that we can automate those tasks with Sprinto. Now, we ensure that our freelancers meet the same information security standards as we do, for example, by verifying that encryption of data-at-rest is enabled on their devices. Also, when freelancers leave, the automated checks ensure that their access to all systems is removed.
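The manual review we used to do can be expressed as a simple check: compare the people who currently work for you against the principals that exist in your systems, and additionally look for credentials nobody has used in a while. The following is an added example, not the blog's or Sprinto's code; the roster and the IAM listing are constructed, and the live variant at the end calls the IAM API and needs boto3 and credentials.

```python
"""Offboarding check: IAM users that are not on the current roster, and
access keys that have not been used recently.

Added example for this post; not code from the blog authors or Sprinto.
ROSTER and ACCOUNT_USERS are constructed; load_live_users() shows the
same shape built from the IAM API.
"""
from datetime import datetime, timedelta, timezone

# Constructed: people currently engaged, keyed by their IAM user name.
ROSTER = {"alice", "bob", "contractor-carol"}

# Constructed listing of IAM users and their access keys, in the shape
# load_live_users() produces from list_users / list_access_keys /
# get_access_key_last_used. last_used is None for a never-used key.
ACCOUNT_USERS = {
    "alice": [{"id": "KEY-ALICE-1", "last_used": "2025-02-05T09:12:00Z"}],
    "bob": [{"id": "KEY-BOB-1", "last_used": None}],
    "contractor-carol": [{"id": "KEY-CAROL-1", "last_used": "2024-10-01T08:00:00Z"}],
    "contractor-dave": [{"id": "KEY-DAVE-1", "last_used": "2024-08-15T10:30:00Z"}],
}
NOW = datetime(2025, 2, 6, tzinfo=timezone.utc)


def orphaned_users(roster, users):
    """Users that exist in the account but are no longer on the roster."""
    return sorted(set(users) - set(roster))


def stale_keys(users, now, max_idle_days=90):
    """(user, key id) pairs not used within max_idle_days; never-used keys count as stale."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user, keys in users.items():
        for key in keys:
            last = key["last_used"]
            if last is None or datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
                stale.append((user, key["id"]))
    return sorted(stale)


def offboarding_report(roster, users, now, max_idle_days=90):
    return {
        "orphaned_users": orphaned_users(roster, users),
        "stale_keys": stale_keys(users, now, max_idle_days),
    }


def load_live_users():
    """Build the ACCOUNT_USERS shape from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above run without it
    iam = boto3.client("iam")
    users = {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            keys = []
            for k in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
                last = iam.get_access_key_last_used(
                    AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"].get("LastUsedDate")
                keys.append({"id": k["AccessKeyId"],
                             "last_used": last.isoformat() if last else None})
            users[u["UserName"]] = keys
    return users


if __name__ == "__main__":
    report = offboarding_report(ROSTER, ACCOUNT_USERS, NOW)
    print("orphaned users:", report["orphaned_users"])
    print("stale keys:", report["stale_keys"])
```

On the constructed data, `contractor-dave` shows up as orphaned access that should have been removed at offboarding, and three keys are flagged as stale: Dave's, Carol's (she is still on the roster, but a key idle for four months is worth rotating or deleting), and Bob's never-used key. Running the same report on GitHub organization members, or on whatever other systems freelancers get access to, is the same set difference with a different listing.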
Summary
Thanks to a high level of automation, it took us only nine weeks to get ISO 27001 certified. We invested about 100 hours and a four-digit budget. We learned a lot and significantly improved both vulnerability management and access management. Furthermore, we hope the ISO 27001 certificate will help us build trust with prospects and customers.