If you have been following our security content series, you will know that Hyperlex is certified to ISO/IEC 27001:2013, the standard for Information Security Management Systems (ISMS), as well as to its extension ISO/IEC 27701, which specifies the requirements for a Privacy Information Management System (PIMS). The certification, issued by AFNOR, attests to the level of security Hyperlex provides to its clients and partners.

Whether you use or publish B2B SaaS software, security is going to become more and more central. That is why we have decided to offer educational content to help you learn and understand these standards, and to share our teams' feedback so that you can understand what is at stake, what the benefits are, and what these certifications require.

We asked around to find out what questions people have about this certification. Here is one: "When is the right time to start ISO/IEC 27001:2013 certification?"

This is a big question, and we answer it in this article. Welcome behind the scenes of Hyperlex's certification!

🛡️ Not familiar with the pioneering certification in the field of IT security? 👉 We explain everything on this page: All you need to know about ISO/IEC 27001:2013.

🛡️ Haven't read our articles on security yet, and missing some of the background needed to follow this one?

👉 Visit our blog section dedicated to security!

ISO/IEC 27001:2013 certification: is there a right time to start?

Spoiler alert: there is no single right moment.

Why? Simply because getting certified is worthwhile at any stage a company is at, for different reasons. Our team has weighed up the pros and cons for each stage of a company's growth.

Case 1: the company is in its early stages (early stage 🍅)

The company is in its first few months of existence, the team is small and resources are limited. Few security processes have been put in place yet.

In this case, it can be worthwhile to build the company around security from the start and go for certification: there are few existing processes to unpick, and every newcomer adopts the new ones from day one.

There is a tension, however: a company in its infancy also has aggressive growth objectives. So the following questions arise:

  • Will the team carry out the certification on its own, which means allocating a significant amount of working time to it, even at the cost of performing less well elsewhere (e.g. signing fewer clients)?
  • Will it hire a consultancy to support it? Will it recruit a Compliance Officer or an intern? This makes certification simpler, but increases the cost.

💡 Good to know: the cost of ISO/IEC 27001:2013 certification is around 30,000 euros.

Read also: Hyperlex is ISO/IEC 27001:2013 certified!

Case 2: the company is in the mid-stage 🍊

If the company is at an intermediate stage (as Hyperlex was at the start of its certification journey), taking on security can be seen as a brake on hypergrowth.

Indeed, at this stage it is not necessarily easy to put new security-related processes in place, and the money and time allocated to obtaining certification can slow the company's development.

On the other hand, the benefit of obtaining ISO/IEC 27001:2013 certification is tangible, particularly if the company wants to sign large enterprise customers, which have strong security requirements. Certification is a way of standing out from the competition, and in that sense a way of boosting growth over the long term. This is what happened with Hyperlex!

⌛ Good to know: the certification audit, at the end of which certification is issued or refused, takes place roughly a year after preparation work begins, and the certificate is then maintained through annual surveillance audits over a three-year cycle. Factor this timeline in: the benefits of certification are felt over the long term!

Case 3: the company is well developed (late stage 🍏)

If the company is well developed, the time and money that certification costs are less of a constraint. As the company is already well established in its market, the impact on growth is small. And certification can give it a significant competitive advantage, especially with customers who have strong security requirements.

But at the same time, the certification process is much harder to launch: existing processes across the company have to be changed, every team trained, and the culture shifted. Everything is more complex than in cases 1 or 2, but rest assured, it is not insurmountable.

🏦 Good to know: if your customers are in banking, insurance or finance, security is a key concern for their business, and ISO/IEC 27001:2013 certification will be more than appreciated! Not every sector cares as much, however, so ask yourself what value it will bring you. For example, if you work in B2C, will certification really help?

In conclusion, the right time is when the cost of ISO/IEC 27001:2013 certification is lower than the benefit it will bring you. That depends on the company's stage of development, its market, its customers, its business development strategy and the risks it is exposed to. It is up to you to make the trade-off before taking the plunge!

We have created a graphic to summarise this idea for you!

Feedback from Pierre-Alexis, Business Operations Analyst at Hyperlex, who successfully completed the ISO/IEC 27001:2013 project: "Roughly speaking, it costs less in absolute terms to embark on a certification process early on. On the other hand, it is more expensive in relative terms because the company has fewer resources, and the ROI of this operation may come late."

Did you like it? Here are our other articles about security: