ISO27001 and SOC2 are valuable standards and are becoming a requirement for more and more organisations. Achieving certification is, however, a big task, requiring organisation-wide changes and expert knowledge. There are many pieces of software (Vanta, Drata, TugBoat Logic, Conformio, ISO Manager, and 6clicks, to name a few) that claim to automate a lot of the process and help expedite certification, but are they as beneficial as they claim?
Firstly, what exactly do these tools do? Their history starts with a spreadsheet: a list of controls that need to be met. Each piece of software is of course different, but they typically do things like clarify controls (ISO27001 can be quite ambiguous about what exactly needs to be done, which is of course necessary, as it can be applied to a wide range of businesses), automate the gathering of evidence (be careful: we have seen hard sales pitches promising high levels of automation that in the end delivered less than 5% automation), track progress, and map which evidence can be applied to other frameworks (a lot of the evidence required for ISO27001 is the same as for other frameworks, and the software will show these correlations). These are all useful things, but how much do they help to achieve certification?
The thing is, each company's ISO27001 journey will be different. Companies have different capacities and levels of technical expertise, and there is no one-size-fits-all approach. Some companies require education of their team about how to implement ISO27001, and then go on to do most of it themselves. Others require help developing a roadmap that allows slow implementation of ISO27001 controls in small, bite-size pieces, fitting the resources, timing and budget of the company. This is where expert advice and guidance really pays off, and this tailored advice, expertise and implementation cannot be automated.
Our recommendation is to be wary of any company pushing the hard sell and offering large discounts for such products, and to first understand your ISO27001 or SOC2 requirements based on your resources and timing. These platforms are not a complete solution, and any company wanting to pursue ISO27001 or SOC2 needs to be aware of the commitment it requires. There is a reason companies contact us for help after paying to use these platforms. So our tip would be to contact us before paying, so you have the full information to understand how such a platform will and won't benefit you. If you are thinking of going for ISO27001 or SOC2, contact us today and talk to one of our cyber security experts.