If you read our security content series, you will know that Hyperlex has been certified to ISO/IEC 27001:2013, the Information Security Management System (ISMS) standard, as well as to ISO/IEC 27701, its extension that specifies the requirements for a Privacy Information Management System (PIMS). This certification, issued by AFNOR, attests to the high level of security that Hyperlex provides to its clients and partners.
Whether you are a user or a publisher of B2B SaaS software, the issue of security will become more and more central. This is why we have decided to offer you educational content to learn and understand everything about these standards, and also to share our teams' feedback so that you can understand the stakes, the benefits and the conditions of these certifications.
We asked around to find out what questions people were asking about this certification. Here is one: "When is the right time to get started with ISO/IEC 27001:2013?"
This is a big question, which we will answer in this article. Welcome behind the scenes of the certification of Hyperlex!
ISO/IEC 27001:2013 certification: is there a right time to start?
Spoiler alert: there is no single right moment.
Why? Simply because it's always worthwhile to get certified, no matter what stage a company is at. Our team has weighed up the pros and cons for each stage of a company's growth.
Case 1: the company is in its early stages (early stage 🍅)
When the company is in its first few months of existence, the team is rather small and the resources rather limited. In addition, few security processes have been put in place.
In this case, it may be worthwhile to focus the company on security and to go for certification. Indeed, since few processes exist yet, each newcomer can easily comply with the ones you introduce.
You can see the contradiction that emerges: when a company is in its infancy, it has strong growth objectives. So the following questions arise:
- Will the team choose to carry out the certification on its own, which means allocating a significant amount of work time, even if it means performing less well (e.g. signing fewer clients)?
- Will it hire a firm to support it? Will it recruit a Compliance Officer or an intern? This would make certification simpler, but would increase the cost.
Case 2: the company is in the mid-stage 🍊
If the company is at an intermediate stage (like Hyperlex at the beginning of the certification adventure), taking on the subject of security can be seen as a brake on hypergrowth.
Indeed, in this case it is not necessarily easy to put new security-related processes in place, and the financial resources and time allocated to obtaining certification may slow down the company's development.
On the other hand, the benefit of obtaining ISO/IEC 27001:2013 certification is tangible, particularly if the company wishes to sign up large groups, which have strong security requirements. Certification is a way of standing out from the competition, so in that sense it will boost growth in the long term. This is what happened with Hyperlex!
Case 3: the company is well developed (late stage 🍏)
If the company is well developed, there are few constraints on the time and financial costs of certification. As the company is relatively well established in its market, there is little impact on growth. And certification can give the company a significant competitive advantage, especially with customers who have strong security needs.
But at the same time, the certification process is much more complicated to launch, because you have to change all of the company's existing processes, train all the teams and change the mindset. Everything is much more complex than in case 1 or 2, but rest assured, it is not insurmountable either.
In conclusion, the right time will be when the cost of ISO/IEC 27001:2013 certification is less than the benefit it will bring you. This depends on the company's stage of development, its market, its customers, its business development strategy and the risks it is exposed to. It's up to you to make the trade-off before you take the plunge!
We have created a graphic to summarise this idea for you!
Feedback from Pierre-Alexis, Business Operations Analyst at Hyperlex, who successfully completed the ISO/IEC 27001:2013 project: "Roughly speaking, it costs less in absolute terms to embark on a certification process early on. On the other hand, it is more expensive in relative terms because the company has fewer resources, and the ROI of this operation may come late."