Why Start-Ups should embrace ISO 27001
Part of the fun of launching a start-up is the release from corporate red tape: throwing away the shackles of internal politics, pointless meetings and soul-sapping processes. When you sit down dreaming of the launch and pull together the business plan, the focus is on the MVP, customers and cash flow, not what many perceive as a bloated security management system.
Having read numerous start-up books, the general wisdom on launching and accelerating growth seems to be to start with a lean iterative model, then work through several transition stages where you need to “cross the chasm” by looking for funding and growing in maturity, especially when you are looking to scale up the business. Not one book I’ve read states you should start working with an ISO 27001 management system; however, we did at N4Stack, and I’m here to make the case.
Firstly, it’s not for everyone. Ask yourself whether it’s on your wish list for the next 5 years. Are you having internal conversations such as: in order to deal with larger clients, will the lack of ISO 27001 slow us down?
Here are my top 3 reasons start-ups should embrace ISO 27001:
1. It accelerates your growth: Why? Think about how a start-up matures and what your end goal looks like. Part of “crossing the chasm” is of your own making. If you start with an organisation that lacks a level of governance from day one, your company drifts unless you pull it back. After your first year, you’ll have customers and have proved the model, and you then need to mature operationally and scale up. At some point you will hit a wall where customers or investors want evidence of your governance, or you will hit a major issue that may cause damage. Using ISO 27001, and I mean really embracing it from the start, lowers the height of the walls you will inevitably hit.
For example, the Greiner Growth Curve warns of a number of crises, or common growing pains, for a business.
If you embrace ISO 27001 in the first phase and build the ISMS so that the founders are heavily involved, with a focus on lean, automated processes, you will end up with a more aligned and slicker implementation. As the business grows, this hard work at the start will provide a future-proofed approach. If you don’t man (or lady) up until a customer is holding an ISO 27001 gun to your head, you are more likely as a business owner to delegate to a hire who struggles to engage the company and aggressively tailor it to your organisation. It’s so much harder to retrofit processes at a later date than to make them incumbent from the start.
2. It helps you to run your business: ISO 27001 isn’t about technical security; it’s about looking at the risks to your business (good and bad) and pushing for continual improvement. The risk of being undermined by a competitor, the risk of not investing in a new product feature, or of not adapting to changing economic conditions: surely, as a business owner, these are the things you should be looking at. A good system provides the structure, which you then tailor to your business.
3. It’s a great customer selling point and differentiator: No customer is going to prefer dealing with a less secure organisation. “Sorry Bob, I appreciate you are selling the exact same service as your competitor, the good news is as you are less secure I would like to buy from you!”… ummm, doesn’t happen. Having a well-implemented ISMS will not only improve your organisation but will also build a strong level of trust with the customer. The other fabulous news when you are competing with bigger competitors is that start-ups can be a lot more secure than larger organisations. Why? Well, it’s a numbers game: you have fewer staff and fewer systems, and as such your threat surface exposure is typically lower. If you think about a company of 10,000 staff, any internal/external audits or CMAs barely scratch the surface. When we do an audit we check every system, building, process and staff member’s compliance… try doing that with 10,000 staff across 40 offices!
So what are you waiting for? If you run a business, then get started today: the longer you leave it, the harder it will be to retrofit into your company.