Skriba's ISO 27001 Journey

TLDR: At Skriba, we got our ISO 27001 certification in just four months as a 6-person startup. We did this to close deals with large enterprise customers and stand out from competitors in the DACH market. Instead of hiring traditional consultants and local auditors, we used an automated compliance platform (Kertos) along with a startup-friendly auditor (Tempo Audits). The implementation was broad rather than deep, requiring +250 hours from the internal lead and substantial team distraction across four months. This project takes a lot of time, money, and energy. It is only worth the investment if your deals strictly depend on compliance, if it gives you a clear edge over competitors, or if you have someone on the team who can handle the technical setup.

1. What is ISO 27001?

ISO 27001 is one of many ISO standards, but this one focuses specifically on information security. To achieve it, you have to follow a rulebook with two parts: the clauses that define how your security management has to be run (scope, leadership, risk assessment, internal audit, management review), and the 93 controls in Annex A of the 2022 revision, which list the safeguards you are expected to have in place. Every one of the 93 is either implemented or explained away in a document called the Statement of Applicability.

But how you implement these 93 controls is almost entirely up to you. For example, one control (screening) requires you to vet new employees before they get access. It's up to you whether you ask for an ID and a CV, or perhaps an excerpt from the debt register. Your approach simply needs to be defensible. If you are a high-risk startup hiring for a high-risk position, an ID and CV might not be enough; you might need background checks, criminal records, or even a darknet sweep. ISO doesn't set a universal requirement. Instead, it forces you to determine what is adequate based on your specific situation, goals, and risks.

To get the certification, you need to find an auditor. The auditor works for (or is) a certification body: they audit your setup and write a report, and the certification body issues the certificate based on your evidence and that report. The certification body is itself accredited and periodically checked by a national accreditation body (UKAS in the UK, SAS in Switzerland, DAkkS in Germany), which is why the certificate carries an accreditation mark and why a customer can verify it with the certification body. Oh, and for the next two years, you need to do a surveillance audit each year, and after three years, you have to apply for a full recertification. ¯\_(ツ)_/¯

What ISO 27001 actually covers

The main topics include (the 2022 revision regroups the controls into four themes, organizational, people, physical, and technological, but the older domain names below are still the clearest map of what the standard covers):

  • Information Security Policies: how you write, approve, and share your internal security guidelines

  • Human Resource Security: hiring, training, and offboarding employees safely

  • Asset Management: knowing what hardware, software, and data you own

  • Access Control: managing passwords, permissions, and who can see what

  • Physical and Environmental Security: keeping offices, server rooms, and laptops physically safe

  • Operations and Communications Security: handling network security, malware defenses, and system backups

  • System Acquisition and Maintenance: enforcing secure coding, code reviews, and deployment steps

  • Supplier Relationships: vetting software tools and defining security rules in vendor contracts

  • Incident Management: how you notice, log, and fix data breaches or downtime

  • Compliance and Business Continuity: meeting data privacy laws and planning how to recover from disasters

The ISMS: where everything lives

Everything lives in an ISMS. ISMS stands for Information Security Management System. At the beginning, it could well be an alien technology from Mars used to create protein popcorn. But in the end, you realize it is just a collection of documents, processes, and lists. It could be a Google Drive folder, a Notion page, a "vibe-coded" thing, or a platform.

If you are fancy, it is a SaaS platform which connects the risk register directly to the list of all controls. Without the software, those would just be two Excel lists. If you go the fancy route, you connect your cloud infrastructure and GitHub to the platform, it reads your settings, confirms compliance with the control, and gathers the evidence right there for you. If you are simple, you just take a screenshot showing that MFA is enforced for every account in your Azure tenant and put all the screenshots in a folder. Platform sounds nice, right? Well, just never forget KISS.
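What "the platform reads your settings and confirms compliance" boils down to, as an added example (this is not Kertos's integration code and not Skriba's): two control checks run over captured settings, each wrapped into an evidence record that carries a SHA-256 of the exact input and a timestamp, so an auditor can tie the stored snapshot to the check that was run on it. Both snapshots are constructed test data; the GitHub one is shaped after the REST branch-protection response, the account export is our own shape rather than an Azure API response, and the repository, tenant and account names are hypothetical. Control numbers refer to ISO/IEC 27001:2022 Annex A.

```python
"""Control-as-code with hashed evidence records (added example, not Kertos code).
The two snapshots are constructed. In production you would fetch them unchanged
from GitHub (GET /repos/{owner}/{repo}/branches/{branch}/protection) and from
your identity provider, and feed the raw JSON in."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed, shaped after GitHub's branch-protection response; repo is hypothetical.
GITHUB_SNAPSHOT = {
    "repo": "skriba/app",
    "branch": "main",
    "protection": {
        "enforce_admins": {"enabled": True},
        "required_pull_request_reviews": {
            "required_approving_review_count": 1,
            "dismiss_stale_reviews": True,
        },
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    },
}

# Constructed identity-provider export (our own shape, not an Azure API response).
IDP_SNAPSHOT = {
    "tenant": "skriba.example",
    "accounts": [
        {"upn": "alice@skriba.example", "mfa_enforced": True, "type": "user"},
        {"upn": "bob@skriba.example", "mfa_enforced": True, "type": "user"},
        {"upn": "svc-backup@skriba.example", "mfa_enforced": False, "type": "service"},
    ],
}


def check_branch_protection(snapshot):
    """Change-management control (A.8.32): review required, admins not exempt,
    CI must pass before merge. Returns (passed, findings)."""
    p = snapshot["protection"]
    findings = []
    if not (p.get("enforce_admins") or {}).get("enabled"):
        findings.append("admins can bypass protection")
    reviews = p.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required")
    checks = p.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append("no required status checks")
    return (not findings, findings)


def check_mfa(snapshot):
    """Secure-authentication control (A.8.5): every human account has MFA.
    A service account without MFA does not fail the check but is listed, so the
    exception is documented instead of silently accepted."""
    humans_without = [a["upn"] for a in snapshot["accounts"]
                      if not a["mfa_enforced"] and a.get("type") != "service"]
    services_without = [a["upn"] for a in snapshot["accounts"]
                        if not a["mfa_enforced"] and a.get("type") == "service"]
    findings = [f"{u}: MFA not enforced" for u in humans_without]
    findings += [f"{u}: service account without MFA, needs a documented compensating control"
                 for u in services_without]
    return (not humans_without, findings)


def evidence_record(control_id, check, snapshot, collected_at_iso):
    """Run one check and bind the result to a SHA-256 of the canonical input, so
    the auditor can verify the stored snapshot is exactly what was evaluated."""
    passed, findings = check(snapshot)
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return {
        "control": control_id,
        "collected_at": collected_at_iso,
        "snapshot_sha256": hashlib.sha256(canonical).hexdigest(),
        "passed": passed,
        "findings": findings,
    }


def collect_all(collected_at_iso=None):
    """One evidence record per control; the timestamp is injectable for tests."""
    ts = collected_at_iso or datetime.now(timezone.utc).isoformat()
    return [
        evidence_record("A.8.32", check_branch_protection, GITHUB_SNAPSHOT, ts),
        evidence_record("A.8.5", check_mfa, IDP_SNAPSHOT, ts),
    ]


if __name__ == "__main__":
    print(json.dumps(collect_all(), indent=2))
```

The point of hashing the canonical JSON rather than the check result is that the snapshot, not your verdict, is the evidence: store both, and a later reviewer can re-run the same check on the same input and get the same answer.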

How the certification itself works

The certification process is separated into two stages. First, you have an initial rough assessment to check whether you are audit-ready (some core elements and documents will be required, but there will be no deep review). That is Stage I. A few days or weeks later, you'll have Stage II, where they will do a two-day full sweep of the ISMS (documents, evidence, controls, etc.) and check all evidence. What happens next depends on what they find. A minor non-conformity (a control or process that exists but isn't followed consistently or is missing some evidence) needs a corrective action plan but does not block the certificate. A major non-conformity (a required element missing entirely, or a systemic failure) blocks it until you have fixed it and the auditor has verified the fix, usually in a follow-up session. Either way it means additional work and a delay to your certification.

So that's the lay of the land. Now, why would a 6-person startup voluntarily sign up for this?

2. The Reasons: Why We Pursued ISO 27001 at 6 People

No one dreams of achieving an ISO certification. Let's be honest: half the people don't even know what it is, and the other half have nightmares from some past compliance implementation project they had to work on. So why did we, as a startup, think we needed it? Well, money. Pretty simple.

There were three kinds of interactions where ISO came up:

  1. Hard blockers from large clients: Enterprise prospects stated clearly that they could only work with us if we held the certification. No ISO, no contract.

  2. Friction in enterprise onboarding: Our onboarding processes were tedious, slow, and difficult. We (wrongly) believed that flashing an ISO badge would make these hurdles disappear.

  3. "Security vibes" for SMEs: Even smaller companies had questions about data protection. While not a formal requirement for them, they wanted to know that choosing Skriba wouldn't be held against them later. They were looking for a signal that we were a safe bet.

Then there was the specific lost deal. We felt that they chose our competition for no other reason than that they were a "safe choice": a bigger, more established player. To compensate for that, we thought, let's be the only ISO 27001 certified work certificate tool in all of Germany, Switzerland, and Austria.

Also, hiring a CRO who studied law and worked in enterprise architecture on security and compliance made the next step easy: deciding who "the lucky guy" would be to lead the project.

What we hoped for, and what we got

So, mid-December we decided on doing it. We believed it would give us quicker, bigger, and more deals, and help our reputation and branding. And honestly, it kind of worked. SMEs are convinced more easily, large deals have been unstuck, and new opportunities have come up.

What did not change is vendor onboarding at enterprises: they insist on filling out tedious questionnaires, even though their questions are 80-90% the same as ISO requirements.

Plus, we seriously misjudged the effort it would take to become ISO certified. Read on to find out why.

3. The Architecture: How We Set Up Our ISO Journey

For ISO, you actually make two decisions.

  • The first is your implementation path: do you hire a consultant or use a compliance platform? 

  • The second is your auditor: do you go with a traditional auditor or a startup-native one?

Together, these two choices form the architecture of your ISO journey. Our thinking around each was the following. Maybe we are wrong, maybe you will find out more, but this is what we believed at the time.

The Core Dilemma: Consultant vs. Platform

Consultant

  • Price: Generally starts around 10,000 CHF for Swiss-based consultants, and 5-7k for international (remote) ones.

  • Approach: You meet them in workshop format, discuss a topic, then go back and work on it on your own. You iterate through it in generally 5-7 workshops.

  • Strengths: This approach ensures two things. The first is what's called "minimum viable compliance": ISO does not strictly require you to do things in a specific way, so given your specific risk profile and goals, you can comply by doing simple but defensible things. A consultant has the experience and ability to individually tailor specific elements to your needs. The second is a certain white-glove approach: it's your timing, your challenges, your setup, and they can follow it pretty well.

  • Downsides: You still need to set up the ISMS (your Information Security Management System, essentially the documented structure of how your company handles security: policies, risk assessments, controls, and evidence that you actually do what you say you do).

  • We felt it would be hard for us to set up an ISMS that would scale easily with us if we chose the consultant approach. It felt like they would have you deploy a Notion page, but in two to three years, when you've doubled your geography and team size, you would probably need someone to help upgrade the ISMS and maintain it. We hoped a platform would do that and scale better with us.

  • Time invested: Hard to say, we did not choose this path. My guess: less time invested upfront, but more time invested on maintaining and upgrading it once you scale.

  • Verdict: We did not choose a consultant. We didn't want to involve the whole team in the journey, we hoped a platform would scale better, and some of the quoted prices from consultants were really high. The cheaper ones we found on Reddit and Upwork did not fill us with confidence.

Platform

  • Price: Depends on who you work with. The offers we received ranged from 7k to 14k. But some include penetration testing and other tools, and they also differ on contract length, onboarding service, and discounts. So it's hard to compare on price alone.

  • Approach: Well, lots of AI obviously. And now even "fully agentic" (sarcasm). They promise a lot and deliver the basics. But it's hard to evaluate the full value proposition upfront.

  • Strengths: A fully fledged ISMS architecture out of the box. The possibility to have as many ISO elements as possible in one place. Automation capabilities. Asynchronous implementation with no dependencies on an external consultant.

  • Downsides: As usual with software, it's very hard to do the basics right and easy to promise the advanced features. And it's also hard to achieve "minimum viable compliance," since the platform's ICP is probably a somewhat larger and more sophisticated enterprise than you.

  • Verdict: Choose a platform if you have an ISO project lead with some IT security experience or compliance knowledge, who is confident in designing a minimum viable ISMS architecture, and if scaling in personnel, assets, and processes is a topic for you.

The Auditor Selection: Finding a Partner

The auditor reviews your setup (ISMS) and writes a report; the certification body they work for decides on that report and issues your certificate. The certification body is in turn accredited by a national accreditation body, which checks that it audits impartially. That separation (your firm, the auditor and their certification body, and the accreditation body watching over them) is what keeps the conflict of interest in check: the auditor is paid for the audit whether you pass or fail, and is not allowed to consult on your ISMS and then certify it. You do not choose the accreditation body; it follows from where your certification body is accredited, typically its home country. You do choose the certification body and auditor, so check that their accreditation actually covers ISO/IEC 27001 before you sign.

Here too, price and approach differ a lot. Some Swiss auditors wanted to meet in person just to give a quote (the inefficiency shocked me). Others sent a massive, outdated Word template that was a pain to fill out, and still refused to give a cost and time estimate. Some wanted 15,000 CHF for the Year 1 certification alone. Others expected us to lock ourselves in a coworking space for a 3-day audit.

We needed an auditor adapted to startup realities: limited time, fully remote, and cloud-first. We found that in Tempo Audits, a UK-based auditor specializing in startups. They actually understand our world, which became obvious in three specific ways:

  • Cloud-native understanding: They understand the capabilities of modern infrastructure like Azure, GitHub, and AI-based code development. They know what the default security thresholds are, which additional measures are actually needed to compensate, and what is already covered out of the box. This makes control implementation and evidence gathering very streamlined.

  • Fully remote, agile auditing: You do not have to sit in an 8-hour video call watching them click through your files. We met a few times a day, kept the conversation moving on Slack, and hopped on a quick call only when something specific came up. It caused far less disruption to our day-to-day operations.

  • Fair pricing: While traditional auditors quoted up to 15,000 CHF just for the first year, our total package with Tempo Audits across the entire three-year cycle did not even hit that mark.

4. Tool Reality: Compliance Software is hard

Compliance software often promises fully automated setup, but the actual implementation requires significant manual configuration. 

The Baseline: What to Expect from a Basic Platform

Standard GRC (Governance, Risk, and Compliance) software platforms should deliver several core features minimum:

  • Automated Asset Inventories: Built-in integrations with cloud infrastructure (such as Azure or AWS) and SSO providers (such as Okta or Google Workspace) to automatically discover your internal systems, hardware, and third-party vendors. These connections should populate a live hardware and software inventory without manual data entry. 

  • Structured Risk Registry: A centralized digital log where you can map specific company risks directly to their corresponding ISO controls. The system should provide a likelihood-times-impact matrix (the usual 5x5 grid) so every risk is scored the same way, and let you record the residual risk you accept. This ensures that when an external auditor asks how you mitigate a specific threat, you can instantly trace it back to a live, documented control.

  • Basic Policy Frameworks: A text repository or editor to host your security policies, assign implementation tasks, and log progress. The system should support inline commenting and team tagging to allow collaborative draft reviews. It should also natively handle structural elements like tables and images to ensure your operational runbooks, checklists, and network diagrams do not have to be hosted in external drives.

  • Employee Training: Pre-built security awareness training modules that satisfy basic ISO 27001 requirements. The system must automatically track employee completion states and issue automated email reminders to anyone with outstanding modules. Ideally, look for platforms that do not rely on low-quality AI voiceovers.

  • High Core Interlinkage: Strict relational mapping across the backend of the platform. Your inventory, risks, controls, and policies must connect dynamically so that a change in one asset or risk automatically updates the associated compliance fields. For example, if you add a new database to your asset inventory, the system should instantly prompt you to map it to your active backup and access control policies.

The Next-Gen Checklist: What to Look For

When evaluating an ISO compliance platform, look past baseline and prioritize vendors that offer these specific technical capabilities:

  • Dynamic Document Collaboration: Look for a user interface that includes inline editing, track changes, paragraph-level commenting, and interactive tables. The platform should entirely replace external tools like Google Drive for policy development. 

  • Automated Gap Detection: The software should automatically generate alerts on a central health dashboard if a control lacks a review date, misses a responsible owner, or relies on expired or archived evidence.

  • Indexed RAG Chatbots: Most compliance platforms now ship a generic chatbot. For example, the Kertos AI assistant, KAIA, handles basic questions but cannot locate specific internal controls or uploaded files. Look for a provider that indexes your entire documentation library, so a Retrieval-Augmented Generation (RAG) search covers both the platform's compliance framework and your own uploaded evidence.
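The three features that matter most above (a scored risk register, the interlinkage of risks to controls, and automated gap detection) reduce to a small amount of code. The block below is an added example, not Kertos's data model or anything from the original post; the risks, owners and dates are constructed, and the control IDs and titles follow ISO/IEC 27001:2022 Annex A. The scoring thresholds are a policy choice, shown here as one defensible option.

```python
"""Mini GRC core: risk register scored on likelihood x impact, mapped to Annex A
controls, plus the gap checks a platform dashboard should run.
Added example, not Kertos code. Risks, owners and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

TODAY = date(2025, 4, 1)  # fixed review date so the example is reproducible


def risk_score(likelihood: int, impact: int) -> int:
    """5x5 matrix, both axes 1..5; the product ranks the risks."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Thresholds are a policy decision; these are the ones this example documents."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Control:
    id: str
    title: str
    owner: Optional[str] = None
    last_review: Optional[date] = None
    evidence_expires: Optional[date] = None


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int
    impact: int
    controls: List[str] = field(default_factory=list)  # Annex A IDs that mitigate it

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


# Constructed register; a real one is longer, this is enough to show the mapping.
CONTROLS = [
    Control("A.5.18", "Access rights", owner="CTO", last_review=date(2025, 3, 15), evidence_expires=date(2025, 6, 30)),
    Control("A.8.13", "Information backup", owner="CTO", last_review=date(2024, 1, 10), evidence_expires=date(2025, 3, 1)),
    Control("A.6.1", "Screening", owner=None, last_review=date(2025, 2, 1)),
    Control("A.8.32", "Change management", owner="Lead engineer", last_review=date(2025, 3, 1), evidence_expires=date(2025, 9, 1)),
]
RISKS = [
    Risk("R-01", "Former employee keeps access to customer data", 3, 5, ["A.5.18"]),
    Risk("R-02", "Ransomware destroys the production database", 2, 5, ["A.8.13"]),
    Risk("R-03", "Untested code change breaks tenant isolation", 3, 4, ["A.8.32", "A.8.29"]),
    Risk("R-04", "Laptop lost in transit", 2, 3, []),
]


def health_check(risks, controls, today, review_interval_days=365):
    """The 'gap detection' a dashboard should do: returns (object_id, problem) pairs."""
    gaps = []
    known = {c.id for c in controls}
    for c in controls:
        if not c.owner:
            gaps.append((c.id, "no owner"))
        if c.last_review is None or today - c.last_review > timedelta(days=review_interval_days):
            gaps.append((c.id, "review overdue"))
        if c.evidence_expires is not None and c.evidence_expires < today:
            gaps.append((c.id, "evidence expired"))
    for r in risks:
        if not r.controls:
            gaps.append((r.id, "no mitigating control"))
        for cid in r.controls:
            if cid not in known:
                gaps.append((r.id, f"maps to control {cid} that is not in the register"))
    return gaps


def trace(risk_id, risks, controls):
    """Answer the auditor's 'how do you mitigate X?' from the register, not from memory."""
    by_id = {c.id: c for c in controls}
    r = next(x for x in risks if x.id == risk_id)
    return {
        "risk": r.description,
        "level": risk_level(r.score),
        "controls": [(cid, by_id[cid].title, by_id[cid].owner) for cid in r.controls if cid in by_id],
    }


def ranked(risks):
    return sorted(risks, key=lambda r: r.score, reverse=True)


def run_health_check():
    return health_check(RISKS, CONTROLS, TODAY)


if __name__ == "__main__":
    for r in ranked(RISKS):
        print(r.id, r.score, risk_level(r.score), r.description)
    for obj, problem in run_health_check():
        print("GAP", obj, problem)
```

On the constructed data the dashboard would show an expired backup evidence file, an overdue backup review, a control with no owner, a risk pointing at a control that was never added to the register, and a risk with no control at all: exactly the kind of drift that appears between policy fifteen and policy thirty.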

The takeaway: our mix

The architecture you choose matters more than most founders realize.

We had an internal lead (me) who understood the basic legal and security concepts, so we paired a platform (Kertos), for the guidelines and for evidence generation, gathering, and management, with an agile auditor (Tempo Audits) who understood our context and setup.

  • Did everything go as planned? No.

  • Did we achieve our goal? Yes.

Maybe later I'll add a more in-depth review of Kertos here, but for now just this:
Could we have had more luck and less work with a lightweight setup and an external consultant? Maybe.

The architecture was set. Now came the work of actually living with it. The next section is what nobody tells you about platforms: how they really feel once you start using them.

5. The Journey: Four Months of Policies, Processes, and Uncomfortable Questions

The Core Challenge: Absolute Width

ISO 27001 is not necessarily deep, but it's super wide.

The standard requires you to address 93 controls, plus a bunch of additional elements. Each individual control isn't hugely complex; you can cover one in a single paragraph inside a policy. But you still have to justify all 93. Things like access controls, malware protection on every endpoint, onboarding and offboarding, labour law compliance, clock synchronisation, clear desk and clear screen. And so on, and so on, and so on.

The problem isn't that any one thing is hard. The problem is that until you've gone through all of them once, you don't see the patterns. You don't know what kind of implementation philosophy makes most sense for your setup. So you end up doing each control once or twice: first to scope it, then to implement it properly once you understand how it fits with everything else.

This is probably where an experienced external consultant has the most impact. They walk in with an opinionated pattern and roll it out across all 93 controls from day one. We didn't have that. We had to discover the pattern ourselves.

What we produced

By the end, our ISMS consisted of:

  • 30 policies in Kertos

  • 25 Google Drive artifacts (checklists, registers, procedures)

  • A handful of GitHub pages and diagrams documenting technical controls

  • Full IaC in Terraform on GitHub building the base infrastructure of CI/CD and Azure

  • Linear Kanban with all ISMS/ISO 27001 related goals, issues, non-conformities, etc.

  • A "Secure Coding Lifecycle" (how you deploy code) with automated security review by AI

  • Two quarterly meetings with topic templates allowing for coordinated tracking, reviewing, and action-taking across all ISMS and ISO topics

How the work was split

The bulk of it was a solo mission from my side as lead implementer. Kertos offered a Done4You approach where a third-party consultant they work with interviewed us for an hour, and then drafted the initial policies. That was helpful as a starting construct, but it was significantly over-engineered for our stage. It didn't meet the "minimum viable compliance" we were aiming for, so a lot of it had to be rewritten and adapted to fit our actual setup. I feel like this step is one where standard AI capabilities can draft a stronger initial policy framework.

From there, I worked through three broad areas: IT governance (including data protection), people controls, and management controls. For each section I drafted and reviewed the policies with AI and then had them challenged by the corresponding owner. They gave some insight and some pushback, and we searched for a compromise.

The rough split:

  • Lead implementer (me): around 250 hours over four months. Scoping, drafting, reviewing, follow-up, integration, coordination.

  • IT team: weekly 1-hour meetings for three months, plus a roughly 2-week effort to adapt our secure development lifecycle.

  • Management: roughly 2 weeks of effort to draw up, implement, and review the people, risk, and management controls.

  • Two Claude Max plans. Genuinely. The amount of policy text, control mapping, and review work made AI assistance non-negotiable.

The Problem: these things can't be pooled into a clean sequence, since there are interdependencies. So even if it's a 2-week effort, it's spread over several months, with decision gates in between.

Project milestones, in rough order

  1. Choose approach (consultant vs. platform), get quotes, compare, decide.

  2. Onboard on the platform: register users, integrate SSO, integrate cloud.

  3. Review the inventory: vendors, systems, assets.

  4. Draft and review risks and policies.

  5. Extract the artifacts and evidence each policy requires.

  6. Fill out the relevant artifacts, do exercises and walkthroughs: backup procedures, disaster recovery, risk assessments, access reviews.

  7. Train the staff.

None of these steps are linear. You'll go back to step 3 from step 6. You'll discover at step 6 that your inventory in step 3 is incomplete. You'll realize at step 7 that a policy you wrote in step 4 doesn't match reality. That's normal. That's the work.
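Of the exercises in step 6, the access review is the one that most often sends you back to step 3, because it is where the inventory of people meets the inventory of accounts. Below is an added example of that review as a three-way reconciliation (HR roster against the identity provider against the GitHub organisation); it is not Skriba's or Kertos's code, all three lists are constructed, and the names are hypothetical. The real inputs would be an HRIS export, an Entra ID user export and the GitHub org members list; the logic is the same.

```python
"""Quarterly access review as a reconciliation: HR roster vs identity provider
vs GitHub organisation (added example; not Skriba's or Kertos's code).
All three lists are constructed; names and logins are hypothetical."""
from datetime import date

TODAY = date(2025, 4, 1)  # review date, fixed so the example is reproducible

HR_ROSTER = [  # constructed
    {"email": "alice@skriba.example", "status": "active"},
    {"email": "bob@skriba.example", "status": "active"},
    {"email": "carol@skriba.example", "status": "left", "left_on": date(2025, 2, 28)},
]
IDP_ACCOUNTS = [  # constructed
    {"email": "alice@skriba.example", "enabled": True, "last_login": date(2025, 3, 30)},
    {"email": "bob@skriba.example", "enabled": True, "last_login": date(2024, 12, 20)},
    {"email": "carol@skriba.example", "enabled": True, "last_login": date(2025, 3, 2)},
    {"email": "svc-ci@skriba.example", "enabled": True, "last_login": date(2025, 3, 31)},
]
GITHUB_MEMBERS = [  # constructed
    {"login": "alice", "email": "alice@skriba.example"},
    {"login": "carol-old", "email": "carol@skriba.example"},
    {"login": "contractor42", "email": "ext@contractor.example"},
]
SERVICE_ACCOUNTS = frozenset({"svc-ci@skriba.example"})  # approved exceptions, documented elsewhere


def review_access(roster, idp, github, today, service_accounts=frozenset(), dormant_days=90):
    """Return (source, identifier, problem) triples for the reviewer to sign off.
    Every line must end as 'confirmed' or 'revoked' in the access-review record."""
    active = {p["email"] for p in roster if p["status"] == "active"}
    left_on = {p["email"]: p["left_on"] for p in roster if p["status"] == "left"}
    findings = []
    for a in idp:
        e = a["email"]
        if e in left_on:
            if a["enabled"]:
                days = (today - left_on[e]).days
                findings.append(("idp", e, f"still enabled {days} days after leaving"))
            if a["last_login"] > left_on[e]:
                # Offboarding failed and the account was used: this is an incident, not a finding.
                findings.append(("idp", e, "login after leaving date, treat as an incident"))
        elif e not in active and e not in service_accounts:
            findings.append(("idp", e, "account without HR record"))
        if a["enabled"] and (today - a["last_login"]).days > dormant_days:
            findings.append(("idp", e, f"dormant, no login for more than {dormant_days} days"))
    for m in github:
        e = m.get("email")
        if e in left_on:
            findings.append(("github", m["login"], "still a member after leaving date"))
        elif e not in active:
            findings.append(("github", m["login"], "member not on HR roster"))
    return findings


def run_review():
    return review_access(HR_ROSTER, IDP_ACCOUNTS, GITHUB_MEMBERS, TODAY, SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for source, ident, problem in run_review():
        print(f"{source:7} {ident:28} {problem}")
```

The output is the review record itself: a list the control owner walks through, decides on, and signs, which is the evidence the auditor asks for under access rights. The GitHub side matches on e-mail, so anyone who joined the org with a personal account simply shows up as "not on HR roster" and gets asked; that is the point, not a bug.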

What was harder than expected

  • The Scope. I kept thinking I was 70% done and then discovering another adjacent topic I hadn't formally documented. 

  • The Complexity. You write a policy. You decide later to handle something differently. Now you need to go back and adapt the original policy, the artifact it points to, and probably one or two others.

  • Kertos, our platform. We had several misunderstandings and issues around what it could do and how it would perform. More on that maybe another time.

  • Uselessness: Writing policies you'll never use. You will absolutely write policies and artifacts on topics you'll never read again. Just one example: we now have an HR disciplinary process document. We have a table that tracks every time we use removable storage media (USB sticks) to handle customer data: which is never. But we need it documented somewhere.

What was easier than expected

  • Finding your style. Once you've found your style, philosophy, or approach, the actual policy, documentation, and artifact writing becomes pretty easy. By policy fifteen or so, I knew what shape a Skriba policy took, what level of detail mattered, and where I could keep things lean.

  • AI takes you extremely far. You can spin up specific chats with ISO, data protection, and cloud consultants that answer every possible question. You can feed them existing policies and artifacts, and they identify gaps, inconsistencies, and redundancies.

6. The Audit: What to Expect

The certification process happens in two parts. Stage I is a one-day readiness assessment to check core documentation, followed a few days or weeks later by Stage II, a full two-day audit of your evidence and controls.

Ideally, you should leave about 30 days between both stages to fix any early gaps. We only left 7 days, which was tight. If you realize your timeline is unrealistic, reschedule early: many auditors, ours included, allow free rescheduling with at least 28 days' notice, but that is a contract term, so check it before you sign. Before each session, the auditor will send over an exact hourly schedule outlining which topics and controls they plan to review.

I can tell you about our specific experience, but I assume it can be quite different from auditor to auditor. 

Audit day, hour by hour.

On the audit day itself, you join a call, add the auditor to a Slack channel, and give access to your Google Drive and GRC platform. You have an initial briefing, some light questions, and some coordination. This part is all surprisingly easy.

Then comes the hard part: you leave the call and work your “normal day”, and from time to time the auditor pings you with a question for clarification. Sometimes you hear nothing for quite some time, which theoretically is a good sign (they're probably finding everything and working through the controls), but practically it's unsettling, because you don't have a read on the situation.

Before noon and before the end of day, you have an additional call where the last questions and topics are resolved. That's the pattern for both days of Stage II.

So you see, it can be incredibly simple. It was for us. After two days, the auditor clearly said that everything looked good, they had found no bigger issues.

7. The Bill: What It Actually Cost

I can't fully disclose the exact prices for some of the services we used (contracts and all that), but if you ask ChatGPT or do some Googling, you'll get a reasonable ballpark. What I can give you is the shape of the spend.

Money

  • ISMS SaaS platform (Kertos): A multi-year contract. Not at liberty to share the exact figure. Ask ChatGPT or compare quotes directly.

  • Auditor (Tempo Audits), Stage I + Stage II + surveillance audits: A three-year package, well under what traditional Swiss auditors quoted for Year 1 alone (their quotes went up to 15,000 CHF for just the first year).

  • Hidden infrastructure costs: Roughly 300 CHF/month in additional GitHub and Azure features for advanced security monitoring, logging, and reporting. Not huge individually, but it adds up.

  • AI tooling: Two Claude Max plans. Without AI assistance, the implementation would have taken twice as long or required a dedicated hire.

Other

  • Time spent on vendor evaluation before signing any contract (we lost a few weeks here just comparing platforms and auditors).

  • Internal team distraction during the four-month sprint. It becomes the second most important thing in a company really quickly and it stays like that for quite some time. 

Time

  • Lead implementer (me): around 250 hours. Scoping, drafting, reviewing, follow-up, integration, coordination.

  • IT team: weekly 1-hour meetings for three months, plus a roughly 2-week sprint to adapt our secure development lifecycle.

  • Management: roughly 2 weeks of effort spread across the four months, focused on people, risk, and management controls.

If you don't have someone internal who can dedicate this kind of time, the math changes completely. A consultant becomes the better path, or you delay the project until you do.

8. Was It Worth It?

On balance, it costs more time and money than we wanted. For our specific situation it was worth it. We needed it for deals and for differentiation. 

Specific benefits we got

  • Unstuck deals that were stalled on security review.

  • Shortened enterprise procurement conversations.

  • Given our SME prospects a clear, defensible answer to "is your data safe?"

Whether that ROI is worth it depends entirely on your context. Which brings us to the final question.

But here's the honest version: I don't see many startups in a similar situation.

If you don't have:

  • Concrete enterprise deals contingent on certification,

  • A market where ISO 27001 is a clear differentiator, or

  • An internal lead with the background to drive the project,

then the math probably doesn't work for you. ISO 27001 is not a "nice to have." For us, the bet was: pay the cost now, while the team is small enough that we can absorb it, and turn it into a moat as we grow. 

If you're considering the same path, my hope is that this blog gives you a clearer picture of what you're signing up for: the architecture choices, the implementation reality, the audit mechanics, and the costs. 

If you'd like to compare notes, I'm always happy to chat with others going through this. Reach out.

1. What is ISO 27001?

ISO 27001 is one of many ISO standards, but this one focuses specifically on information security. To achieve it, you have to follow a rulebook (93 controls) that dictates you have to have certain safeguards in place. 

But how you implement these 93 controls is almost entirely up to you. For example, one control requires you to identify new employees. It's up to you whether you ask for an ID and a CV, or perhaps an excerpt from the debt register. Your approach simply needs to be defensible. If you are a high-risk startup hiring for a high-risk position, an ID and CV might not be enough; you might need background checks, criminal records, or even a darknet sweep. ISO doesn't set a universal requirement. Instead, it forces you to determine what is adequate based on your specific situation, goals, and risks.

To get the certification, you need to find an auditor, who will audit your setup and write a report on you. That report is then sent to an accreditation body, which will give you a nice badge based on your evidence and the report. Oh, and for the next two years, you need to do a surveillance audit each year, and after three years, you have to apply for a full recertification. ¯\(ツ)

What ISO 27001 actually covers

The main topics include:

  • Information Security Policies: how you write, approve, and share your internal security guidelines

  • Human Resource Security: hiring, training, and offboarding employees safely

  • Asset Management: knowing what hardware, software, and data you own

  • Access Control: managing passwords, permissions, and who can see what

  • Physical and Environmental Security: keeping offices, server rooms, and laptops physically safe

  • Operations and Communications Security: handling network security, malware defenses, and system backups

  • System Acquisition and Maintenance: enforcing secure coding, code reviews, and deployment steps

  • Supplier Relationships: vetting software tools and defining security rules in vendor contracts

  • Incident Management: how you notice, log, and fix data breaches or downtime

  • Compliance and Business Continuity: meeting data privacy laws and planning how to recover from disasters

The ISMS: where everything lives

Everything lives in an ISMS. ISMS stands for Information Security Management System. At the beginning, it could well be an alien technology from Mars used to create protein popcorn. But in the end, you realize it is just a collection of documents, processes, and lists. It could be a Google Drive folder, a Notion page, a "vibe-coded" thing, or a platform.

If you are fancy, it is a SaaS platform which connects the risk register directly to the list of all controls. Without the software, those would just be two Excel lists. If you go the fancy route, you connect your cloud infrastructure and GitHub to the platform, it reads your settings, confirms compliance with the control, and gathers the evidence right there for you. If you are simple, you just take a screenshot that you enabled 2FA on all your Azure instances and put all the screenshots in a folder. Platform sounds nice, right? Well, just never forget KISS.

How the certification itself works

The certification process is separated into two stages. First, you have an initial rough assessment to check whether you are audit-ready (some core elements and documents will be required, but there will be no deep review). That is Stage I. A few days or weeks later, you'll have Stage II, where they will do a two-day full sweep of the ISMS (documents, evidence, controls, etc.) and check all evidence. You pass ISO 27001 if you don't have too many minor non-conformities, and you fail directly if you have a major non-conformity. Depending on the severity, a remediation plan can be established, but it means additional work and a delay to your certification.

So that's the lay of the land. Now, why would a 6-person startup voluntarily sign up for this?

2. The Reasons: Why We Pursued ISO 27001 at 6 People

No one dreams of achieving an ISO certification. Let's be honest: half the people don't even know what it is, and the other half have nightmares from some past compliance implementation project they had to work on. So why did we, as a startup, think we needed it? Well, money. Pretty simple.

There were three kinds of interactions where ISO came up:

  1. Hard blockers from large clients: Enterprise prospects stated clearly that they could only work with us if we held the certification. No ISO, no contract.

  2. Friction in enterprise onboarding: Our onboarding processes were tedious, slow, and difficult. We (wrongly) believed that flashing an ISO badge would make these hurdles disappear.

  3. "Security vibes" for SMEs: Even smaller companies had questions about data protection. While not a formal requirement for them, they wanted to know that choosing Skriba wouldn't be held against them later. They were looking for a signal that we were a safe bet.

Then there was the specific lost deal. We felt that they chose our competition for no other reason than that they were a "safe choice": a bigger, more established player. To compensate for that, we thought, let's be the only ISO 27001 certified work certificate tool in all of Germany, Switzerland, and Austria.

Also, hiring a CRO who studied law and worked in enterprise architecture on security and compliance made the next step easy: deciding who "the lucky guy" would be to lead the project.

What we hoped for, and what we got

So, mid-December we decided to do it. We believed it would give us quicker, bigger, and more deals, and help our reputation and branding. And honestly, it kind of worked. SMEs are convinced more easily, large deals have been unstuck, and new opportunities have come up.

What did not change is vendor onboarding at enterprises: they insist on filling out tedious questionnaires, even though their questions are 80-90% the same as ISO requirements.

Plus, we seriously misjudged the effort it would take to become ISO certified. Read on to find out why.

3. The Architecture: How We Set Up Our ISO Journey

For ISO, you actually make two decisions.

  • The first is your implementation path: do you hire a consultant or use a compliance platform? 

  • The second is your auditor: do you go with a traditional auditor or a startup-native one?

Together, these two choices form the architecture of your ISO journey. Our thinking around each was the following. Maybe we are wrong, maybe you will find out more, but this is what we believed at the time.

The Core Dilemma: Consultant vs. Platform

Consultant

  • Price: Generally starts around 10,000 CHF for Swiss-based consultants, and 5-7k for international (remote) ones.

  • Approach: You meet them in workshop format, discuss a topic, then go back and work on it on your own. You iterate through it in typically 5-7 workshops.

  • Strengths: This approach ensures two things. The first is what's called "minimum viable compliance": ISO does not strictly require you to do things in a specific way, so given your specific risk profile and goals, you can comply by doing simple but defensible things. A consultant has the experience and ability to individually tailor specific elements to your needs. The second is a certain white-glove approach: it's your timing, your challenges, your setup, and they can follow it pretty well.

  • Downsides: You still need to set up the ISMS (your Information Security Management System, essentially the documented structure of how your company handles security: policies, risk assessments, controls, and evidence that you actually do what you say you do).

  • We felt it would be hard for us to set up an ISMS that would scale easily with us if we chose the consultant approach. It felt like they would have you deploy a Notion page, but in two to three years, when you've doubled your geography and team size, you would probably need someone to help upgrade the ISMS and maintain it. We hoped a platform would do that and scale better with us.

  • Time invested: Hard to say, we did not choose this path. My guess: less time invested upfront, but more time invested on maintaining and upgrading it once you scale.

  • Verdict: We did not choose a consultant. We didn't want to involve the whole team in the journey, we hoped a platform would scale better, and some of the quoted prices from consultants were really high. The cheaper ones we found on Reddit and Upwork did not fill us with confidence.

Platform

  • Price: Depends on who you work with. The offers we received ranged from 7k to 14k. But some include penetration testing and other tools, and they also differ on contract length, onboarding service, and discounts. So it's hard to compare on price alone.

  • Approach: Well, lots of AI obviously. And now even "fully agentic" (sarcasm). They promise a lot and deliver the basics. But it's hard to evaluate the full value proposition upfront.

  • Strengths: A fully fledged ISMS architecture out of the box. The possibility to have as many ISO elements as possible in one place. Automation capabilities. Asynchronous implementation with no dependencies on an external consultant.

  • Downsides: As usual with software, it's very hard to do the basics right and easy to promise the advanced features. It's also hard to achieve "minimum viable compliance," since the platform's ideal customer profile is probably a somewhat larger and more sophisticated enterprise than you.

  • Verdict: Choose a platform if you have an ISO project lead with some IT security experience or compliance knowledge, who is confident in designing a minimum viable ISMS architecture, and if scaling in personnel, assets, and processes is a topic for you.

The Auditor Selection: Finding a Partner

The auditor reviews your setup (the ISMS), writes a report, and the certification body they audit for issues your certificate; that certification body is in turn accredited by a national accreditation body (UKAS in the UK, for example). This separation of roles (your firm, the auditor, the certification body and its accreditor) limits conflicts of interest, since the auditor gets paid whether you pass or fail. You cannot pick the accreditation body, which follows from where your certification body is accredited, but you can choose your auditor.

Here too, price and approach differ a lot. Some Swiss auditors wanted to meet in person just to give a quote (the inefficiency shocked me). Others sent a massive, outdated Word template that was a pain to fill out, and still refused to give a cost and time estimate. Some wanted 15,000 CHF for the Year 1 certification alone. Others expected us to lock ourselves in a coworking space for a 3-day audit.

We needed an auditor adapted to startup realities: limited time, fully remote, and cloud-first. We found that in Tempo Audits, a UK-based auditor specializing in startups. They actually understand our world, which became obvious in three specific ways:

  • Cloud-native understanding: They understand the capabilities of modern infrastructure like Azure, GitHub, and AI-based code development. They know what the default security thresholds are, which additional measures are actually needed to compensate, and what is already covered out of the box. This makes control implementation and evidence gathering very streamlined.

  • Fully remote, agile auditing: You do not have to sit in an 8-hour video call watching them click through your files. We met a few times a day, kept the conversation moving on Slack, and hopped on a quick call only when something specific came up. It caused far less disruption to our day-to-day operations.

  • Fair pricing: While traditional auditors quoted up to 15,000 CHF just for the first year, our total package with Tempo Audits across the entire three-year cycle did not even hit that mark.

4. Tool Reality: Compliance Software is hard

Compliance software often promises fully automated setup, but the actual implementation requires significant manual configuration. 

The Baseline: What to Expect from a Basic Platform

Standard GRC (Governance, Risk, and Compliance) software platforms should deliver, at a minimum, several core features:

  • Automated Asset Inventories: Built-in integrations with cloud infrastructure (such as Azure or AWS) and SSO providers (such as Okta or Google Workspace) to automatically discover your internal systems, hardware, and third-party vendors. These connections should populate a live hardware and software inventory without manual data entry. 

  • Structured Risk Registry: A centralized digital log where you can map specific company risks directly to their corresponding ISO controls. The system should provide a baseline likelihood/impact matrix to help you score each risk. This ensures that when an external auditor asks how you mitigate a specific threat, you can instantly trace it back to a live, documented control.

  • Basic Policy Frameworks: A text repository or editor to host your security policies, assign implementation tasks, and log progress. The system should support inline commenting and team tagging to allow collaborative draft reviews. It should also natively handle structural elements like tables and images to ensure your operational runbooks, checklists, and network diagrams do not have to be hosted in external drives.

  • Employee Training: Pre-built security awareness training modules that satisfy basic ISO 27001 requirements. The system must automatically track employee completion states and issue automated email reminders to anyone with outstanding modules. Ideally, look for platforms that do not rely on low-quality AI voiceovers.

  • High Core Interlinkage: Strict relational mapping across the backend of the platform. Your inventory, risks, controls, and policies must connect dynamically so that a change in one asset or risk automatically updates the associated compliance fields. For example, if you add a new database to your asset inventory, the system should instantly prompt you to map it to your active backup and access control policies.

The Next-Gen Checklist: What to Look For

When evaluating an ISO compliance platform, look past baseline and prioritize vendors that offer these specific technical capabilities:

  • Dynamic Document Collaboration: Look for a user interface that includes inline editing, track changes, paragraph-level commenting, and interactive tables. The platform should entirely replace external tools like Google Drive for policy development. 

  • Automated Gap Detection: The software should automatically generate alerts on a central health dashboard if a control lacks a review date, misses a responsible owner, or relies on expired or archived evidence.

  • Indexed RAG Chatbots: Every compliance platform includes generic chatbots. For example, the Kertos AI assistant, KAIA, handles basic questions but cannot locate specific internal controls or uploaded files. Look for a provider that indexes your entire documentation library, allowing Retrieval-Augmented Generation (RAG) searches across both the platform's compliance framework and your specific uploaded evidence.
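The interlinkage and gap detection described in the two lists above (and the automated evidence gathering from cloud and GitHub settings mentioned in the ISMS section) are small enough to sketch in code. The following is an added example, not Skriba's or Kertos's code: a toy register in which a constructed configuration snapshot is turned into evidence the way a platform integration would do it, and a gap check flags controls without an owner, a review date or live evidence, plus assets not mapped to the controls their kind requires. The snapshot, assets, dates and the REQUIRED_CONTROLS mapping are assumptions made for the example; control numbers follow ISO/IEC 27001:2022 Annex A.

```python
"""Toy ISMS register: evidence from a config snapshot plus gap detection.
Added example, not Skriba's or Kertos's code; snapshot, assets, dates and
REQUIRED_CONTROLS are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Control labels follow ISO/IEC 27001:2022 Annex A numbering.
A_5_15 = "A.5.15"   # Access control
A_8_5 = "A.8.5"     # Secure authentication
A_8_13 = "A.8.13"   # Information backup

# Assumption for the example: which controls an asset of a given kind must map to.
REQUIRED_CONTROLS = {"database": {A_5_15, A_8_13}, "repository": {A_5_15}}


@dataclass
class Control:
    id: str
    title: str
    owner: str | None = None
    next_review: date | None = None
    assets: set[str] = field(default_factory=set)   # asset ids this control covers


@dataclass
class Evidence:
    control_id: str
    note: str
    collected: date
    valid_days: int = 365     # how long this piece of evidence is accepted
    archived: bool = False

    def live(self, today: date) -> bool:
        return not self.archived and self.collected + timedelta(days=self.valid_days) >= today


def collect_evidence(snapshot: dict, today: date) -> tuple[list[Evidence], list[str]]:
    """Read settings from a (constructed) tenant/VCS snapshot the way a platform
    integration would; passing checks become evidence, failing ones findings."""
    evidence, findings = [], []
    if snapshot["tenant"].get("mfa_enforced"):
        evidence.append(Evidence(A_8_5, "MFA enforced tenant-wide", today, valid_days=90))
    else:
        findings.append(f"{A_8_5}: MFA not enforced on tenant")
    for repo, cfg in snapshot["repos"].items():
        if cfg.get("branch_protection") and cfg.get("required_reviews", 0) >= 1:
            evidence.append(Evidence(A_5_15, f"{repo}: protected branch, review required",
                                     today, valid_days=90))
        else:
            findings.append(f"{A_5_15}: {repo} has no enforced review before merge")
    return evidence, findings


def find_gaps(controls: list[Control], assets: dict[str, str],
              evidence: list[Evidence], today: date) -> list[str]:
    """The health-dashboard check: owner, review date, live evidence, asset mapping."""
    gaps = []
    by_id = {c.id: c for c in controls}
    for c in controls:
        if not c.owner:
            gaps.append(f"{c.id}: no responsible owner")
        if c.next_review is None:
            gaps.append(f"{c.id}: no review date")
        elif c.next_review < today:
            gaps.append(f"{c.id}: review overdue since {c.next_review}")
        if not any(e.control_id == c.id and e.live(today) for e in evidence):
            gaps.append(f"{c.id}: no live evidence")
    for asset_id, kind in assets.items():
        for req in sorted(REQUIRED_CONTROLS.get(kind, set())):
            if asset_id not in by_id[req].assets:
                gaps.append(f"{asset_id}: not mapped to {req} ({by_id[req].title})")
    return gaps


# Constructed sample data.
TODAY = date(2025, 6, 1)
SNAPSHOT = {
    "tenant": {"mfa_enforced": True},
    "repos": {"skriba/app": {"branch_protection": True, "required_reviews": 1},
              "skriba/infra": {"branch_protection": False}},
}
CONTROLS = [
    Control(A_5_15, "Access control", owner="cto", next_review=date(2025, 9, 1),
            assets={"prod-db", "skriba/app"}),
    Control(A_8_5, "Secure authentication", owner="cto", next_review=date(2025, 3, 1)),
    Control(A_8_13, "Information backup", owner=None, next_review=date(2025, 9, 1)),
]
ASSETS = {"prod-db": "database", "skriba/app": "repository", "skriba/infra": "repository"}
# A manually uploaded screenshot, already past its one-year validity window.
MANUAL = [Evidence(A_8_13, "Restore test screenshot", date(2024, 1, 15))]


def run(today: date = TODAY) -> tuple[list[str], list[str]]:
    """Return (findings from the snapshot, gaps in the register)."""
    auto, findings = collect_evidence(SNAPSHOT, today)
    return findings, find_gaps(CONTROLS, ASSETS, MANUAL + auto, today)
```

Calling `run()` returns one finding (the unprotected `skriba/infra` repo) and five gaps: the overdue review on A.8.5, the missing owner and the expired screenshot on A.8.13, and two assets not mapped to a control their kind requires. The point of the design is that evidence carries a validity window and controls carry asset links, so a stale screenshot or a new database shows up as a gap without anyone re-reading the policies.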

The takeaway: our mix

The architecture you choose matters more than most founders realize.

We had an internal lead (me) who understood the basic legal and security concepts, so we paired that with a platform (Kertos) for the guidelines and for generating, gathering, and managing evidence, and looked for an agile auditor (Tempo Audits) who understood our context and setup.

  • Did everything go as planned? No.

  • Did we achieve our goal? Yes.

Maybe later I'll add a more in-depth review of Kertos here, but for now just this:
Could we have had more luck and less work with a lightweight setup and an external consultant? Maybe.

The architecture was set. Now came the work of actually living with it. The next section is what nobody tells you about platforms: how they really feel once you start using them.

5. The Journey: Four Months of Policies, Processes, and Uncomfortable Questions

The Core Challenge: Absolute Width

ISO 27001 is not necessarily deep, but it's super wide.

The standard requires you to address 93 controls, plus a bunch of additional elements. Each individual control isn't hugely complex; you can cover one in a single paragraph inside a policy. But you still have to justify all 93. Things like access controls, malware protection on every endpoint, onboarding and offboarding, labour law compliance, clock synchronisation, clear desk and clear screen. And so on, and so on, and so on.

The problem isn't that any one thing is hard. The problem is that until you've gone through all of them once, you don't see the patterns. You don't know what kind of implementation philosophy makes most sense for your setup. So you end up doing each control once or twice: first to scope it, then to implement it properly once you understand how it fits with everything else.

This is probably where an experienced external consultant has the most impact. They walk in with an opinionated pattern and roll it out across all 93 controls from day one. We didn't have that. We had to discover the pattern ourselves.

What we produced

By the end, our ISMS consisted of:

  • 30 policies in Kertos

  • 25 Google Drive artifacts (checklists, registers, procedures)

  • A handful of GitHub pages and diagrams documenting technical controls

  • Full infrastructure as code (Terraform, on GitHub) for the CI/CD pipeline and the Azure base infrastructure

  • Linear Kanban with all ISMS/ISO 27001 related goals, issues, non-conformities, etc.

  • A "Secure Coding Lifecycle" (how you deploy code) with automated security review by AI

  • Two quarterly meetings with topic templates allowing for coordinated tracking, reviewing, and action-taking across all ISMS and ISO topics

How the work was split

The bulk of it was a solo mission from my side as lead implementer. Kertos offered a Done4You approach where a third-party consultant they work with interviewed us for an hour, and then drafted the initial policies. That was helpful as a starting construct, but it was significantly over-engineered for our stage. It didn't meet the "minimum viable compliance" we were aiming for, so a lot of it had to be rewritten and adapted to fit our actual setup. I feel like this step is one where standard AI capabilities can draft a stronger initial policy framework.

From there, I worked through three broad areas: IT governance (including data protection), people controls, and management controls. For each section I drafted and reviewed the policies with AI and then had them challenged by the corresponding owner. They gave some insight and some pushback, and we searched for a compromise.

The rough split:

  • Lead implementer (me): around 250 hours over four months. Scoping, drafting, reviewing, follow-up, integration, coordination.

  • IT team: weekly 1-hour meetings for three months, plus a roughly 2-week effort to adapt our secure development lifecycle.

  • Management: roughly 2 weeks of effort to draw up, implement, and review the people, risk, and management controls.

  • Two Claude Max plans. Genuinely. The amount of policy text, control mapping, and review work made AI assistance non-negotiable.

The Problem: these things can't be pooled into a clean sequence, since there are interdependencies. So even if it's a 2-week effort, it's spread over several months, with decision gates in between.

Project milestones, in rough order

  1. Choose approach (consultant vs. platform), get quotes, compare, decide.

  2. Onboard on the platform: register users, integrate SSO, integrate cloud.

  3. Review the inventory: vendors, systems, assets.

  4. Draft and review risks and policies.

  5. Extract the artifacts and evidence each policy requires.

  6. Fill out the relevant artifacts, do exercises and walk throughs: backup procedures, disaster recovery, risk assessments, access reviews.

  7. Train the staff.

None of these steps are linear. You'll go back to step 3 from step 6. You'll discover at step 6 that your inventory in step 3 is incomplete. You'll realize at step 7 that a policy you wrote in step 4 doesn't match reality. That's normal. That's the work.

What was harder than expected

  • The Scope. I kept thinking I was 70% done and then discovering another adjacent topic I hadn't formally documented. 

  • The Complexity. You write a policy. You decide later to handle something differently. Now you need to go back and adapt the original policy, the artifact it points to, and probably one or two others.

  • Kertos, our platform. We had several misunderstandings and issues around what it could do and how it would perform. More on that maybe another time.

  • Uselessness: Writing policies you'll never use. You will absolutely write policies and artifacts on topics you'll never read again. Just one example: we now have an HR disciplinary process document. We have a table that tracks every time we use removable storage media (USB sticks) to handle customer data: which is never. But we need it documented somewhere.

What was easier than expected

  • Finding your style. Once you've found your style, philosophy, or approach, the actual policy, documentation, and artifact writing becomes pretty easy. By policy fifteen or so, I knew what shape a Skriba policy took, what level of detail mattered, and where I could keep things lean.

  • AI takes you extremely far. You can spin up specific chats with ISO, data protection, and cloud consultants that answer every possible question. You can feed them existing policies and artifacts, and they identify gaps, inconsistencies, and redundancies.

6. The Audit: What to Expect

The certification process happens in two parts. Stage I is a one-day readiness assessment to check core documentation, followed a few days or weeks later by Stage II, a full two-day audit of your evidence and controls.

Ideally, you should leave about 30 days between both stages to fix any early gaps. We only left 7 days, which was tight. If you realize your timeline is unrealistic, most modern auditors allow free rescheduling if you change the dates at least 28 days in advance. Before each session, the auditor will send over an exact hourly schedule outlining which topics and controls they plan to review.

I can tell you about our specific experience, but I assume it can be quite different from auditor to auditor. 

Audit day, hour by hour

On the audit day itself, you join a call, add the auditor to a Slack channel, and give access to your Google Drive and GRC platform. You have an initial briefing, some light questions, and some coordination. This part is all surprisingly easy.

Then comes the hard part: you leave the call and work your “normal day”, and from time to time the auditor pings you with a question for clarification. Sometimes you hear nothing for quite some time, which theoretically is a good sign (they're probably finding everything and working through the controls), but practically it's unsettling, because you don't have a read on the situation.

Before noon and before the end of day, you have an additional call where the last questions and topics are resolved. That's the pattern for both days of Stage II.

So you see, it can be incredibly simple. It was for us. After two days, the auditor clearly said that everything looked good and that they had found no major issues.

7. The Bill: What It Actually Cost

I can't fully disclose the exact prices for some of the services we used (contracts and all that), but if you ask ChatGPT or do some Googling, you'll get a reasonable ballpark. What I can give you is the shape of the spend.

Money

  • ISMS SaaS platform (Kertos): A multi-year contract. Not at liberty to share the exact figure. Ask ChatGPT or compare quotes directly.

  • Auditor (Tempo Audits), Stage I + Stage II + surveillance audits: A three-year package, well under what traditional Swiss auditors quoted for Year 1 alone (their quotes went up to 15,000 CHF for just the first year).

  • Hidden infrastructure costs: Roughly 300 CHF/month in additional GitHub and Azure features for advanced security monitoring, logging, and reporting. Not huge individually, but it adds up.

  • AI tooling: Two Claude Max plans. Without AI assistance, the implementation would have taken twice as long or required a dedicated hire.

Other

  • Time spent on vendor evaluation before signing any contract (we lost a few weeks here just comparing platforms and auditors).

  • Internal team distraction during the four-month sprint. It becomes the second most important thing in a company really quickly and it stays like that for quite some time. 

Time

  • Lead implementer (me): around 250 hours. Scoping, drafting, reviewing, follow-up, integration, coordination.

  • IT team: weekly 1-hour meetings for three months, plus a roughly 2-week sprint to adapt our secure development lifecycle.

  • Management: roughly 2 weeks of effort spread across the four months, focused on people, risk, and management controls.

If you don't have someone internal who can dedicate this kind of time, the math changes completely. A consultant becomes the better path, or you delay the project until you do.

8. Was It Worth It?

On balance, it cost more time and money than we wanted. For our specific situation it was worth it. We needed it for deals and for differentiation.

Specific benefits we got

  • It unstuck deals that were stalled on security review.

  • It shortened enterprise procurement conversations.

  • It gave our SME prospects a clear, defensible answer to "is your data safe?"

Whether that ROI is worth it depends entirely on your context. Which brings us to the final question.

But here's the honest version: I don't see many startups in a similar situation.

If you don't have:

  • Concrete enterprise deals contingent on certification,

  • A market where ISO 27001 is a clear differentiator, or

  • An internal lead with the background to drive the project,

then the math probably doesn't work for you. ISO 27001 is not a "nice to have." For us, the bet was: pay the cost now, while the team is small enough that we can absorb it, and turn it into a moat as we grow. 

If you're considering the same path, my hope is that this blog gives you a clearer picture of what you're signing up for: the architecture choices, the implementation reality, the audit mechanics, and the costs. 

If you'd like to compare notes, I'm always happy to chat with others going through this. Reach out.