SaaS businesses and ISO 27001


October 13th, 2022


5 min read.

Cloud usage is (understandably) a source of concern for companies regarding information security. Software users expect the data they are uploading to be in safe hands. For SaaS companies to be viable therefore, it’s essential that they are able to demonstrate their commitment to the protection of the Confidentiality, Integrity and Availability of their solution. 

Remind me, what is SaaS?

SaaS: “Software as a Service - software is hosted by a third-party provider and delivered to customers over the internet as a service”. Simply put - it describes any online platform providing a service, with examples including:

  • Gmail (emails)

  • Zoom (video conferencing)

  • Notion (organisation)

  • Splitwise (finances)

...and so on.

The service provider (e.g. Google in the case of Gmail), can distribute various versions of the software from a single server. Each user is able to have their own version of said software, allowing them to fiddle with/configure it as they please (within reason). They all come from a shared code base that can be maintained and looked after from one place. This allows the software to be purchased and paid for like a subscription service, eradicating the need for upfront investments, long implementation processes and the hefty commitment that is maintenance, upgrades and extra bells and whistles needed for the programmes. 

How might ISO 27001 help SaaS companies?

Pinging things back and forth over the internet inevitably raises concerns regarding information security… There comes a point in every SaaS company when a decision must be made to decide which information security framework they should implement. This is because users will choose service providers who they trust to handle their information safely and securely, this is where ISO 27001 certification comes in. 

Because ISO 27001 is a widely recognised international standard, it assures clients that the SaaS company they’re considering, is taking information security seriously. It can also set your company apart from other providers, establishing trust in the first instance. 

The certification benefits SaaS companies in various other ways too, such as:

  1. It’s generally accepted to be the default information security standard and is recognised globally

  2. It supports the provision of dependable and highly secure systems and applications

  3. It is considered to be a primary security requirement for lots of companies who might be considering their SaaS provider

  4. It supports the identification of laws and information related regulations 

With ISO 27001 in place, the risk of something significant going wrong is reduced. This might even help you sleep a little better at night(!), knowing you’re doing what you can to keep your data safe. 

Certification requirements for SaaS companies

The ISO 27001 certification acknowledges that every SaaS company is different and has their own conditions when it comes to developing an ISMS. As such, the certification has surprisingly few ‘across the board’ requirements that companies must meet because it acknowledges company variations within any given industry. 

So, here’s a rough guide; first SaaS companies need to implement a security framework and safeguards, or ISMS. Which usually looks something like this:

  • Understanding the information you have, and where you have it

  • Identify your information and information processing assets

  • Work out your risks - what might compromise the confidentiality, integrity and/or availability of your information

  • Mitigate those risks

  • Definition of risk acceptance levels - and treatment objectives

  • Monitoring of the ISMS

  • Introduction of company information security training 

  • External audit

  • Continued updates for the ISMS via regular internal audits

Protecting customer data 

In order to achieve ISO 27001 your ISMS must be audited by an accredited external certification body (such as BSI, LRQA, Alcumus etc). The audit ensures your ISMS meets the requirements of the Standard, the organisation's data requirements and other legal necessities.

Forewarning, it's not a given your SaaS organisation will pass the audit on the first attempt. Auditors will often require companies to loop back with clarifications and edits based on their advice and view of your organisation's ISMS.

Sometimes it can be useful to get a good ISO 27001 consultant involved - these guys can help to guide you through the audit process, making it as smooth as possible.

To conclude this whistle stop tour - this is what we’ve touched on:

  • Why ISO 27001 gives you that competitive advantage and the benefits it can provide to you and your customers

  • The ability to compete in the global SaaS space

  • That you must complete an internal audit before seeking an external auditor

Is it actually worth it for your SaaS?

ISO 27001 provides a robust, fine toothed comb approach to information security, risk management and continued system improvement to ensure the risk mitigation approach stands the test of time.

We think it’s the creme de la creme of information security, but don’t just take our word for it: see what Upscaler think “ISO 27001 is the better choice for a growing  SaaS company” and “given the choice (which you always have) we would choose ISO 27001”.

If we’ve convinced you and you’d like to know more - from implementation to audits - contact our team. We love talking about this stuff and would love to tell you all you need to know.

Registered Office: 6 Hinckley Road, Ibstock, Leicestershire, LE676PB, UK

Company Registration No: 06684621

VAT No: 140 0539 56

© ADL Consulting Ltd 2023. All rights reserved.