As the founder of ISMS Copilot, I often get asked: "If you help others with ISO 27001, why aren't you certified yourselves?"
It's a fair question. After all, we build tools that make ISO 27001 implementation easier for others. Shouldn't we eat our own dog food?
The honest answer: we're working on it.
We're currently in the implementation phase of our own ISO 27001 certification journey. And yes, we're using our own tools to get there.
Why not sooner?
Like many startups, we had to make strategic decisions about where to focus our limited resources:
- Product development came first: We prioritized building a robust platform that could genuinely help others with their compliance needs.
- We're a very small team: As a bootstrapped startup with just a handful of people, formal certification would consume a disproportionate amount of our limited bandwidth.
- Sustainable growth matters: To build a lasting business that can continue serving our customers, we need to be financially disciplined. Simply put, we don't spend more money than we make.
- Risk-based approach: We implemented security controls based on our actual risk profile from day one, rather than rushing to get a certificate for marketing purposes.
- Practicing what we preach: We've always advocated that ISO 27001 should be implemented thoughtfully, not rushed. We're following our own advice.
What we've done instead
While formal certification is still in progress, we haven't neglected security:
- We've implemented robust access controls with MFA across all systems
- Our development practices include security testing
- We conduct regular risk assessments
- We carefully vet our vendors and monitor their security practices
- We maintain comprehensive backup and recovery procedures
- We've documented our security policies and procedures
The certification journey