The International Organization for Standardization (ISO) is an independent, non-governmental organization with an international membership of 167 national standards bodies. The ISO/IEC 27000 family of standards helps organizations keep their information assets secure.
ISO/IEC 27001 is the standard in that family that specifies the requirements for an information security management system (ISMS) and, in its Annex A, a catalogue of security controls. While not a legal requirement, it is considered "table stakes" for many companies and is valued by many Atlassian customers, who look for this certification as a signal of a company's commitment to security.
At last month’s Developer Day, Tobias Viehweger, co-founder and tech lead at yasoon, shared their experience obtaining ISO 27001 certification and using Vanta to build a robust Trust Center. This gave them a competitive edge and a way to demonstrate their commitment to protecting customer data.
You can find a recording and summary of the key takeaways from yasoon's presentation below.
What's a certification anyway?
A certification against a well-known standard such as ISO 27001 serves as external proof that your company’s/app’s security posture, policies, and operations are in good order. Note that ISO itself publishes the standard but does not issue certificates; the certificate comes from an accredited certification body that audits you against it. Certifications reassure customers that you follow industry best practices to protect against potential attacks or data loss. Frameworks such as ISO 27001, SOC 2 (an attestation report rather than a certification), and FedRAMP, and regulations such as GDPR and HIPAA, are commonly asked about by customers as evidence of a solid security baseline.
Why did yasoon decide to move forward with the certification process?
As an Atlassian Platinum Marketplace partner, yasoon saw the importance of securing their apps. One effective way to show their commitment to security is by obtaining certifications.
yasoon's apps connect to, and have access to, both Microsoft 365 and Atlassian data. Investing in certification allowed yasoon to show enterprise customers their commitment to security in the cloud, making it easier for them to acquire and retain customers with stricter data protection requirements. Additionally, yasoon offers the same apps for Data Center, where customers are even more risk-averse than cloud customers.
yasoon also prioritized ISO 27001 to gain a competitive advantage in the Atlassian Marketplace. As the Atlassian Marketplace continues to grow, there is even more competition. Obtaining these certifications provides a significant advantage over competitors who don't appear as invested in security.
Why ISO 27001?
During yasoon’s investigation into certifications, they analyzed their customer base and found that ISO 27001 was the most suitable choice, especially given their presence in Germany with many German clients. As they dug deeper, they also discovered that ISO 27001 is more widely accepted internationally, making the decision that much easier.
Why work with Vanta?
yasoon opted for Vanta as their trust management provider after consulting with another company that tried to create a solution from scratch. This other company had invested a significant amount of time and resources in getting certified and made it clear to yasoon just how much effort and time was involved.
They recommended that yasoon seek out a vendor in the space to support them. As a smaller company with around 20 employees, yasoon did not have the necessary resources to efficiently complete the task on its own. As they began to research all of the other vendors in this space, Vanta stood out as the right choice for them — being one of the first players in the space and having great ratings and reviews across the board.
Vanta provided a comprehensive solution that included tools, automation, support, and educational resources to help the team understand the process. The compatibility with yasoon's existing stack and the continuous monitoring were also significant selling points. If you plan on pursuing additional standards, using Vanta can give you a head start and help identify gaps in your security.
What did the timeline look like?
What changes did yasoon make to their infrastructure?
Thanks to Vanta’s monitoring of yasoon’s infrastructure, the team gained insights and identified areas for improvement. For example, using AWS CloudWatch Logs with metric filters and alarms gave them a clearer view of their infrastructure’s security and let them respond quickly to potential threats, such as a burst of unauthorized API calls.
Another security enhancement yasoon discovered through this process was GitHub Advanced Security, which offers features such as code scanning on pull requests and repository policies to enforce code security during development, and which reports its findings back to Vanta.
Lastly, Microsoft Intune (MDM) improved yasoon's security by enrolling employee devices and applying security and configuration policies, resulting in better protection, automatic updates, and easier management.
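To make the CloudWatch part concrete, here is an added example (not yasoon's, Vanta's, or Atlassian's code) that reproduces locally what a CloudWatch Logs metric filter plus an alarm does: it matches CloudTrail records against the well-known "unauthorized API calls" filter pattern, counts matches per fixed time window, and raises an alarm when a window exceeds a threshold. The filter pattern string is real CloudWatch syntax; the matching itself is re-implemented in Python so the example runs offline. The threshold, the 5-minute window, the sample log lines, and the principal ARNs are all constructed assumptions.

```python
"""Offline re-creation of a CloudWatch Logs metric filter + alarm over CloudTrail.

Hypothetical example, not code from yasoon or Vanta. Everything below the
FILTER_PATTERN constant (threshold, window, sample log lines) is assumed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Real CloudWatch Logs filter-pattern syntax (the CIS AWS Benchmark
# "unauthorized API calls" pattern). Shown for reference; matched in Python below.
FILTER_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

ALARM_THRESHOLD = 3        # assumed: alarm when a window holds >= 3 matches
WINDOW_SECONDS = 300       # assumed: 5-minute alarm period, like a CloudWatch metric period

# Constructed CloudTrail-style log lines as they would appear in a CloudWatch log group.
# Three AccessDenied calls fall in the 10:00-10:05 window; one UnauthorizedOperation
# falls in 10:10-10:15; one line is a successful call and one is not JSON at all.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-05-01T10:01:00Z","eventName":"ListBuckets","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"}}',
    '{"eventTime":"2024-05-01T10:02:10Z","eventName":"GetSecretValue","errorCode":"AccessDeniedException","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"}}',
    'not a json line (e.g. a log-group banner)',
    '{"eventTime":"2024-05-01T10:02:30Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"}}',
    '{"eventTime":"2024-05-01T10:03:45Z","eventName":"DescribeInstances","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"}}',
    '{"eventTime":"2024-05-01T10:12:00Z","eventName":"RunInstances","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"}}',
]


def matches_unauthorized(event: dict) -> bool:
    """Python equivalent of FILTER_PATTERN: wildcard match on $.errorCode."""
    code = event.get("errorCode", "")
    return fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*")


def parse_events(log_lines):
    """Parse one CloudTrail JSON record per line; skip lines that are not JSON."""
    events = []
    for line in log_lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def window_start(event_time: str) -> str:
    """Floor an ISO-8601 'Z' timestamp to the start of its fixed window (ISO string)."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    epoch = int(ts.timestamp())
    start = epoch - (epoch % WINDOW_SECONDS)
    return datetime.fromtimestamp(start, tz=timezone.utc).isoformat()


def evaluate_alarm(events, threshold=ALARM_THRESHOLD):
    """Count filter matches per window (the metric) and return windows at/over threshold (the alarm).

    Result maps window start -> {"count": n, "principals": [arns]} so a responder
    can see who was hitting the denials, not only that the alarm fired.
    """
    counts = defaultdict(int)
    principals = defaultdict(set)
    for ev in events:
        if not matches_unauthorized(ev):
            continue
        w = window_start(ev["eventTime"])
        counts[w] += 1
        principals[w].add(ev.get("userIdentity", {}).get("arn", "unknown"))
    return {
        w: {"count": n, "principals": sorted(principals[w])}
        for w, n in counts.items()
        if n >= threshold
    }


def main():
    alarms = evaluate_alarm(parse_events(SAMPLE_LOG_LINES))
    for w, info in sorted(alarms.items()):
        print(f"ALARM window={w} matches={info['count']} principals={info['principals']}")


if __name__ == "__main__":
    main()
```

Run against the sample lines, only the 10:00 window fires (three AccessDenied calls from the same CI principal); the single UnauthorizedOperation at 10:12 is counted but stays below the threshold, which is exactly the noise-versus-signal trade-off you tune when setting the real alarm's period and threshold.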
What are the benefits?
Certifications can improve the quality, security, and overall trust posture of your organization. Vanta encourages crucial security practices such as regular backups and access reviews. Obtaining certifications can help reduce blind spots and better prepare your organization for security challenges.
While pursuing certifications may demand a considerable investment of both time and money, yasoon found that the advantages for their company were significant. Certifications showcase your dedication to security, cultivate customer trust, and improve operational efficiency. Evaluating your business needs will help you decide which certification or attestation is the best fit for your organization.
While yasoon has made significant progress with ISO 27001, SOC 2 is the next step on their roadmap.
Should you do it?
Companies should consider their app and business maturity before investing in security standards. According to an Atlassian customer survey, 72% of enterprise Atlassian Cloud customers say apps meeting compliance requirements is very or extremely important. Trust is often an important consideration for migrating customers when deciding whether to use the cloud version of your server or Data Center app.
If you've got cloud apps on the Atlassian Marketplace and hope to attract large customers or retain migrating customers, getting certifications like ISO 27001 can help you stand out.
Ultimately, a solution like Vanta can save you a significant amount of time and money, and the ability to close major customers and drive growth can outweigh the initial investment. Partners should consult with customers and support channels to determine which certification makes the most sense, whether that be ISO 27001 or SOC 2.