About the author: Julia Wester is the co-founder and CEO of 55 Degrees, a Platinum Marketplace Partner located in Sweden. In addition to the CEO role, Julia often assumes many responsibilities ranging from UX designer to product manager to agile coach. An experienced trainer, she has a Lean Software Development course on LinkedIn Learning and she is often found speaking about flow, predictability, and forecasting at events around the world.
If you think achieving compliance with standards like ISO and SOC 2 requires deep pockets and large security teams, think again. My company, 55 Degrees, had neither of those things, but we did have a large, growing enterprise customer base with certain security expectations. With some persistence, access to the right tools, and a bit of expert guidance, we made it happen, and so can you!
As a European company, GDPR compliance has always been super important to us, and we have always considered customer data security as priority #1. The journey to ISO 27001 and SOC 2 Type II compliance began when we realized we were spending too much of our limited time filling out customer security questionnaires instead of building and maintaining our products. To make our commitment to protecting customer data publicly evident, we had to put our money where our mouth was, building more proof beyond what we had already done in complying with the GDPR.
Despite being a small company of less than 10 at the time, with zero security-specific roles, we embarked on this ambitious endeavor without the luxury of dropping any other initiatives. The outcome? Rather than falling flat on our faces, we emerged from this process more confident, more security-aware than before, and with invaluable insights to share with other businesses striving to achieve similar victories.
Plotting the Course to Compliance
We aimed for comprehensive compliance, involving our entire organization rather than a limited scope. But, we couldn't start everything at once – we had to choose which standard to begin with.
Our customers were largely looking for us to have either ISO 27001 or SOC 2. As a Swedish company with global customers, ISO 27001, the international standard for IT security, was a strategic move. Beyond geography and customer demand, working through building an Information Security Management System (ISMS) would help us ensure we have a solid foundation of secure business processes and pave the way for future standards.
With that decision made, we embarked on our ISO compliance efforts in September of 2022. We planned to follow up with SOC 2 Type II compliance quickly after achieving success with ISO 27001, as some US-based potential customers had a specific requirement for SOC 2.
Becoming audit-ready
Collectively, we had zero knowledge or practical experience in becoming compliant in any framework. My co-founder and CTO, Daniel Wester, proposed using a SaaS solution to make the process easier and faster. We chose Vanta, and I can't overstate how critical the adoption of this platform was to our efforts.
Vanta was not just a roadmap but a travel advisor and a traffic cop, all wrapped in one. It helped us know what was required, how to achieve it, and how to prove it to ourselves and future auditors. Specifically, Vanta provided us with the following:
- Dashboards to show the progress we'd made towards standards, what items needed attention, and when those items were due.
- Policy and document sections that served as a guide to which types of items we needed to generate and, just as importantly, templates we could use to get started! Oh, and let's not forget workflow approvals and audit trails.
- Integrations with key systems to help us identify areas we needed to get under control and gather evidence for those we'd already tackled.
In addition to the platform, we were able to leverage some help from their customer success department when we had questions. That expertise made things so much easier.
If you’ve ever wondered how people survived before the internet, you’ll understand my frame of mind when thinking about how people achieved compliance without tools like this. I am told that it takes hundreds of dedicated hours to work through and document all of the requirements. That's just not feasible for a business of our size!
Throughout the process of getting ready for an audit, it becomes clear that writing policies is just the start. You have a lot of work to do to ensure that the company actually abides by them. So, we adopted a cooperative approach to compliance, ensuring everyone on the team understood the policies and their significance. Compliance became a collective responsibility, with everyone understanding the consequences of failure to act.
When our dashboards were finally showing us nearing 100% compliance, we were ready to trigger the audit phase of the process.
Surviving the Audit
Although audits can be scary, we now regard auditors as partners, here to help us fine-tune our operations rather than as adversaries. A successful audit means we can proudly showcase our reports and certifications and continue earning the trust of our customers.
We began the audit process for ISO 27001 in December of 2022. It was a two-stage process with multi-hour Zoom calls with auditors at each stage. In the ISO 27001 audit process, findings are classified and listed in the report. However, you are given an opportunity to rectify certain non-conformities. Following a successful stage 2 audit, you receive your certificate and audit report.
Choosing an auditor is another thing Vanta helped us with. They had a network of auditing firms who were familiar with their platform, which allowed them to bundle the audit costs with the price of the software—often at preferred rates.
Publicizing Trust
After a short 4-month effort, we celebrated certification of compliance with ISO 27001 in January 2023! That’s rather quick, considering we were starting from scratch. My business partner and I mostly managed this project and did most of the work while keeping the rest of our business afloat.
This is the point where all of that hard work can start to pay off. Circling back to how we began this process, we needed to make our certification public and allow people to download the certificate. We leveraged Vanta's Trust Center feature to create our trust portal, which always shows a real-time view of our passing technical operational measures, information about the data we store and our sub-processors, key ISMS documents, and makes our ISO 27001 certificate and audit report available for download.
We also needed to have a wider message to tie all of the trust assets together so we created a trust page on our main marketing website. It serves as a place where we can ensure our security stance is effectively communicated, we can market all of our efforts and security partners, link to critical documents and push those who want more detail to the trust portal.
We are now starting to see the benefit of this, with sales to enterprises increasing and fewer security questionnaire requests. And, when we do get these requests they are often pre-filled using information provided in our materials.
Keeping the Promise – Staying Compliant
Once we achieved ISO 27001 initial certification we didn’t take our eye off the ball. Compliance is an ongoing commitment. We needed to think ahead to our year two ISO 27001 audit and begin preparations for SOC 2.
We used Vanta and the other tools that helped us achieve compliance to stay on track, significantly reducing recurring costs compared to traditional methods. We even managed to adopt additional capabilities to further streamline the work and costs required for key compliance elements such as quarterly access reviews, vulnerability management, and vendor security reviews.
We are happy to report that we received our SOC 2 Type II audit report in December 2023 and were re-certified for ISO 27001 in January 2024!
What’s Next
At 55 Degrees, trust and compliance are vital business differentiators. We are extremely confident that investment in this area will provide an exponential return. In 2024 we’re looking to migrate from ISO 27001:2013 to the update that came out in 2022 and achieve our year 3 compliance. We’re also going to extend the audit period for our next SOC 2 audit. Of course, we'll be relying on the tools and platforms, like Vanta, that have been instrumental in getting us this far.
An extra benefit of this entire process is that it has helped us streamline our compliance with GDPR and made it much easier to answer customer questions!
Our ultimate goal is perpetual compliance, ensuring we are always audit-ready and reassuring our customers about our commitment to security. I’m happy to say we are nearly there!
If you’re energized to begin, or if you’re already on the journey and seeking a sympathetic ear, feel free to connect with us. At 55 Degrees, we use our experiences and success to help other small businesses confidently and efficiently enhance their compliance stance.