How to be ISO 27001 certified in a cloud-only and remote-first company?

Is it necessary to present what the ISO 27001 standard is? As a Security expert, you must have already visited tons of websites and read dozens of articles on this very well-known certification.

Did you know that in France alone, approximately 1000 certificates were valid at the end of 2022? (More details in the annual ISO survey.) It’s definitely a topic of interest for many organizations, regardless of their sector and size. Well… Actually, it’s more common for big companies to be certified, because ISO 27001 requires at least an established security team and structured processes.

Is it an impossible mission to get ISO 27001 certification for startups and scaleups? And is it relevant for them?

Spoiler alert — at OpenClassrooms we got our first ISO 27001 certification in June 2023! 🥳

Yes, it is possible to get ISO 27001 certification with a small and newly created Security team.

We did not find much feedback on such an experience in a context similar to ours, and thought we might share a few key success factors to help you be more confident tackling this project!

Part 1 — Let’s set the scene

Our context

At first glance, OpenClassrooms does not seem to be the perfect company to start an ISO 27001 certification process:

  • A remote-first company: our employees can work from pretty much wherever they want.
  • A cloud-based information system: we only rely on the cloud. We have hundreds of SaaS applications, and our platform is hosted in the cloud.
  • An agile and asynchronous culture, with continuous roadmapping and multiple initiatives popping up in every team all the time.

On the other hand, ISO 27001 is more about:

  • Tons of documents
  • Tons of meetings
  • Complex changes to be performed.

How the hell can we match these two opposite worlds? 🤯

In the summer of 2021, we formed a new Security team. Initially, there were two members, growing to five in six months. Our main goal? To get the ISO 27001 certification, of course!

Of course, at first the objective was to be certified within 6 months 😅 If you know the ISO 27001 standard, you also know that this is quite an impossible objective when you start your security activities from scratch. Spoiler alert: we didn’t get certified in 6 months 😁

Us when we realized the tight timing we had to comply with

Our initial triggers

The Sales teams

Our Sales teams were struggling with security appendices to be filled in for many clients, with hundreds of questions on our security maturity and very short deadlines to do it. Some clients also asked (but did not require it as a prerequisite) if we were ISO 27001 certified. Our Sales teams felt that this certification could dramatically ease and accelerate the sales process.

The C-team and the board

On top of the business requests, our C-team and investors really saw a great opportunity in having a dedicated Security team and obtaining ISO 27001 certification. This showed from the start that there was a strong willingness to push towards this common goal. And this is precious in the ISO 27001 mindset (leadership involvement). We were lucky enough not to have to convince these stakeholders: they were already convinced that ISO 27001 was relevant for us. This very healthy basis enabled us to launch the ISO 27001 certification project!

A new Security team

Targeting ISO 27001 certification was also a great objective for our brand-new Security team and a way to structure our activities, prioritize our tasks and push forward. OpenClassrooms’ rapidly growing team required a more organized approach to security. And contrary to what you may think, having to start security from a blank page was an advantage. As there was no legacy in terms of security, we could do what we wanted (and what ISO 27001 wanted, of course ;)).

Cherry on the cake, we also wanted to strengthen our legitimacy on the cybersecurity training market, as we were enriching our cybersecurity course catalog. Being ISO 27001 certified was a way to show our credibility as a company providing courses on these topics (and to avoid being seen as the baker’s children who have no bread).

👉🏽 So, it is essential to analyze whether ISO 27001 is relevant for the company and not do it for the pleasure of doing it (or you will have a hard time finding resources and motivating people to work with you). You could ask the following questions to assess the relevance:

ISO 27001 relevance for OpenClassrooms

This assessment should be shared with your top management: if your leadership is not convinced that ISO 27001 is relevant for the company, the certification will be very difficult to achieve.

Our timeline

Our timeline to be ISO 27001 certified

We started seriously kicking off our ISO 27001 project at the end of 2021: we performed the first risk assessment on the company and provided the C-team with our very first security strategy.

At the beginning of 2022, we started our ISO 27001 action plan (and all the plan-do-check-act tasks required before the certification audit).

Then we started writing our first policies and ISMS documents (user charter and access control policy in March, risk management framework in May, etc.), focusing on critical topics we wanted to address first. The ISMS risk assessment (performed by external consultants) took place in July 2022.

Our first internal audit (performed by external consultants) occurred in October 2022. The documentary audit (1.5 days) was in February 2023, while the certification audit took place during 7 days between end of March and beginning of April 2023.

We finally got the official certificate on June 7th, 2023!

So, as you can see, there were approximately 1.5 years between the first building blocks of the ISMS and the final certificate. No, 6 months were definitely not enough.

Part 2 — Our strategy to reach ISO 27001 certification

Our initial difficulties

  • Asynchronous culture: our asynchronous work style clashed with the strict ISMS governance. Teams weren’t used to regular committees or frequent meetings.
  • Reactive versus proactive: historically, we’ve been reactive, not proactive, about security. This made it challenging to develop and implement security policies.
  • New Security team: the concept of a Security team was unfamiliar, leading to concerns about being seen as obstacles or an unnecessary department.
  • Scaleup workload and roadmaps: as in many scaleups, our teams have busy schedules and agile roadmaps. This made it tricky to align with the risk-based approach and the annual roadmap mandated by ISO 27001.

In order to tackle these issues, we made some game-changing choices.

Choices we have made

  • Quality & relevance first: we preferred doing things our way rather than rushing and using ready-made content. This impacted our timeline, of course. But it was a deliberate choice in order to use ISO 27001 to structure our teams and activities. We really wanted to take time to write policies that have value for the company and would drive changes, not policies written for compliance only. It took some time to think about our approach to each security topic, but it was well-invested time.
  • Opportunistic approach: we chose to write the documentary framework when it was relevant for our activities. As an example, we needed to perform a review of accesses on various applications, so we wrote an access control policy.
  • Focused on value & high risks: we used ISO 27001 as an opportunity to prioritize topics with a risk-based approach. For example, we quickly prioritized supply chain security topics, as we had to deal with many demands of new suppliers.

Our key success factors

Taking a step back, there are a few key success factors that made a difference in our project. Let’s see this in detail below.

But first, we need to thank our IT predecessors for creating a healthy basis: multi-factor authentication, SSO, security onboarding for all newcomers, etc. There were already many elements on which we could rely.

The right stakeholders around us

We carefully onboarded many stakeholders in the ISO 27001 project:

1) ISMS core team: invest

First, we deliberately invested in the ISMS core team. Our ISMS manager and our GRC specialist were trained respectively as ISO 27001 lead implementer and ISO 27001 auditor. This enabled them to feel confident and legitimate in leading the project.

2) External experts: choose carefully

We took some time to find the right external partner (Advens — https://www.advens.fr/) who helped us on three areas:

  • Coaching on ISO 27001 / 27002: weekly Q&A sessions to demystify controls and help the ISMS manager implement them in real life, and a review by the consultant of all the documents (policies and procedures) we wrote, in order to challenge them with a critical eye (as an auditor would do)
  • The risk assessment — we wanted it to be well recognized by the auditor, as it is the cornerstone of the ISMS (so the consultant used EBIOS RM methodology)
  • Internal audit (led by two other consultants that we had not previously met): as it was our first ISO audit ever, we wanted to get a top-quality report and some advice to help us progress

Benefiting from external expertise made us more confident and helped us avoid dumb nonconformities.

3) ISMS stakeholders: onboard with value

Their role was to take part in risk assessment and audit interviews, as well as to participate in ISMS committees and coordinate their teams on security topics. We chose one person per process defined in the ISMS scope. This person had to have the most transversal view possible of the process and to be a decision-maker if possible. We wanted these people to be volunteers and not appointed by default.

It was key to facilitate stakeholders’ work as much as we could and have a pedagogical approach (presentation of the risk-based approach during a steering committee, preparation of which questions could be asked by the auditor, demystification of what ISO 27001 is and is not, etc.). We tried to adapt to everyone’s constraints (preference for synchronous / asynchronous work for example). We also did our best to use ISO 27001 as an argument to prioritize some of their projects, which reinforced our relationships.

4) All OpenClassrooms’ employees: onboard with value (and fun)

As security was quite new for OpenClassrooms, we also had to explain to all employees what ISO 27001 was and why it was so important for the whole company. We did it during one of our weekly all-hands meetings. Of course we had to demystify what ISO 27001 meant (“no, it is not mandatory to have a VPN to get ISO 27001 certification”). It was also essential to communicate the benefits of ISO 27001 certification and the impacts on our employees’ daily life.

However, we tried to avoid a boring style, and added many cat images and hearts in our communications to make employees think about security as something fun!

5) OpenClassrooms’ leadership: bring fresh eye & adapted method (risk management)

As stated in ISO 27001, involving the leadership is key because ISO 27001 should be a company project, not a security-only one. We first chose a sponsor in the C-team, our CTO. He was indeed our hierarchical representative in the leadership team, and the ISMS scope was mostly under his accountability. He clearly helped us in many ways, to:

  • Get necessary resources
  • Make decisions and arbitrate resources / priorities if needed
  • Approve all our documents (he carefully reviewed lots of security pages 😅)
  • Show leadership involvement in this key project
  • Prepare our interventions with the rest of the C-team

His involvement was only possible because we mobilized him on key topics only and provided adapted reporting (no need to get him lost in useless details).

This great sponsorship enabled us to get support from all C-team members and get their approval on key documents (risk assessment and risk treatment plan, information security policy, etc.).

6) Certification auditor: choose carefully

We explored several options and asked to see many auditors’ CVs. Most of them did not match our criteria: we wanted to make sure that our auditor would understand our context (cloud and full remote), so that he would propose relevant actions to be implemented. We also wanted a certification organization that was well-recognized abroad. And so we chose SGS, after investigating 3 other organizations. It took several months but the effort was worth it: our auditor was familiar with cloud-based companies and really took our context into account in his assessment. His findings were relevant and made sense to us.

Standard flexibility as an advantage

The great advantage of the ISO 27001 standard is its flexibility. Even though it seems very restrictive at first, it has areas that are open to interpretation and does not impose any format.

  • Flexible continuous improvement: the basis of the ISO 27001 mindset is a risk-based approach and continuous improvement. Not all ISO 27002 controls are supposed to be perfectly implemented for the audit! It is quite normal to have nonconformities as long as no critical risk is left unaddressed. Having some even makes things easier, as it helps prioritize topics ;)
  • Flexible application of governance and controls: we chose to adapt the standard to OpenClassrooms’ context rather than adapting our context to the standard. For example, it is important to have a user charter communicating their responsibilities to all employees. We chose to formalize one in our internal wiki tool and add funny memes with cats. This funny tone helped raise awareness of users and make them want to read the document. Another example is that we chose to communicate mostly asynchronously with stakeholders (except for some regular committees). This enabled better communication, more integrated in our culture.
(All kittens are fine 😅)
  • Flexible frame: the greatest flexibility of ISO 27001 lies in the definition of the scope. Although the choice of the scope has to be justified and will be written on the certificate, you are absolutely free to focus on any scope you want. The ratio value / effort should be optimized, or you might spend 5 years getting prepared for your certification audit! We chose to certify our platform but to spread security practices on the whole company.

Key skills of an ISMS manager

It is of the utmost importance that your ISMS manager is a good project manager:

  • Dividing the programme into small, actionable pieces
  • Regularly reviewing the action plan to ensure improvements
  • Identifying what is mandatory (basically ISO 27001 + your security policies) and what is not (having a SOC, etc.)
  • Being realistic on timelines and not too ambitious (or your leadership team will not understand why the certification has been delayed again)
  • Being people-oriented: understanding stakeholders’ constraints, coordinating people, communicating on a positive tone, etc.
  • Managing resources well: raising alerts when resources might be missing
  • Adapting the reporting to the target (we validated with our sponsor our first version of the reporting, to ensure that it was covering his needs and answering his questions)
  • Being rigorous: reviewing the consistency of everything all the time. If one action is delayed, it should be made consistent in the various action plans, anticipating impacts on other actions, the risk treatment plan, etc. Every delay should be justified, and justifying everything takes time. Same for KPIs not reaching their target.

👉🏽 It is essential to be careful regarding the following elements of your ISO 27001 project:

Internal & external stakeholders: are they the most relevant people to help you with this project? (training, time, interest, experiences, skills…). Have you defined the best way to onboard each of them depending on their needs and constraints?

Standard flexibility: have you identified the areas where the standard can adapt to your context, and which elements are mandatory and which are optional?

ISMS manager skills: are you sure that your ISMS manager is a good project manager for ISO 27001?

Part 3 — ISO 27001 certification, what’s next?

Being ISO 27001 certified is of course a great achievement, and we were eager to communicate it to the world, as in our below LinkedIn post published in July 2023:

Our Linkedin communication when we got certified

However we were even prouder of the path we took to get this certification:

  • We wrote 50+ documents that were relevant and adapted to our context
  • We structured a new team and its activities with an organized approach
  • We deployed or strengthened several tools (CASB, enterprise password manager, etc.)
  • We onboarded the whole company in a security compliance topic
  • We worked with various teams in a great collaborative mode
  • We also had fun 😻

That’s how proud we were ;-)

Of course we have a few areas on which we should keep on working, but who doesn’t? We are now more confident than ever in our security practices and mindset to improve things gradually but surely!

If we had to do it again, there are some elements that we would do differently:

  • We could have gone for a wider scope (integrating the full development lifecycle for example), as we worked on it anyway;
  • We could have found the right external partner and auditor more quickly, by anticipating the delays involved in finding an auditor for example;
  • We could have explored GRC & compliance management tools to avoid multiple spreadsheets and ensure consistency by design.

ISO 27001 certification is only the beginning of OpenClassrooms’ security journey. We want to improve our students’ and customers’ trust (having a dedicated security page on OpenClassrooms’ website would be great!).

We might also want to target other certifications, such as SOC 2 Type 2 or ISO 27701. They would surely add many interesting elements to our existing ISMS.

Conclusion

We can only recommend that you embark on this long journey (almost as long as reading this article ^^).

But only if you have good reasons, budget and resources for it! And if you are interested in it, you should also check out the experiences of other companies that used automated tools to get certified. This was not our choice but it’s an interesting option to consider.

Our new challenge now is to maintain this certification year after year, showing our clients that they are right to trust the security of our platform.