4

I am working at a global startup. Recently we have undergone several InfoSec processes with potential large corporate customers.

All of them asked for:

  • SOC
  • ISO 27k

Which makes sense for large organizations.

What certificates are worth pursuing in terms of Privacy/Security for a smaller startup?

Thought about:

  • UK's Cyber Essentials Plus
  • EuroPriSe
  • German BSI Grundschutz

Since we are a global startup, I am looking for the best global Certifications.

What else is there? What would you recommend? Also, what approach?

Our company is European and our platform is on AWS. However, potential customers also ask about the company's certifications. The platform (AWS) is not enough for them.

dev

  • ***Note to all who might answer***: please do not supply a list of potential certification schemes. – schroeder Feb 24 '20 at 08:52
  • I presume UKs Cybersecurity Essentials Plus is meant to be "Cyber Essentials (Plus)" – Alex Probert Feb 24 '20 at 10:29
  • @dev asking for lists of things is too open-ended for a Q&A site. The lists could go on forever. Asking for recommendations is the same problem. Instead, please refine your question to the "approach" part. – schroeder Feb 24 '20 at 10:58

2 Answers

13

That's not how this works. You don't collect certificates.

  • being certified does not mean that you are secure
  • customers only care about the certificates they care about

The "best" certification is the one that serves your company's goals the best. If you pursue Cyber Essentials, but your customers want BSI Grundschutz, then you have wasted a lot of time and money. And neither guarantee that you are secure.

Company certificates help you view your company, its processes, people, and technology through different lenses. Choose the lens that will help you secure your company. Your goal is to be secure, not to be certified.

The "best" case? Look through them all and identify which lens highlights gaps that your company should be filling right now (no, you do not fill all gaps all at once at the start). Then use that lens to improve. Then maybe get certified in that scheme, but only if it serves your company's needs.

Here's the approach (for a non-regulated industry - for regulated industries, you swap items 1 and 2):

  1. Get basic competence in your people, processes, and technology for the obvious/common threats
  2. Get compliance with whatever 3rd party stakeholders want (customers, regulators, investors, etc.)
  3. Develop internal compliance to your own standards to ensure consistency
  4. Develop a risk-based approach to target the non-top-line threats to your business
  5. Develop a flexible, adaptive approach to security to be able to quickly address emerging risks

This is the ELITE approach:

  • Essential
  • Legal/Legislative (Lender/Ally)
  • Internal
  • Targeted
  • Emergent
schroeder

  • Excellent response to what is ultimately a misguided question. Importance of certification differs based on business needs and other factors such as whether the certification is vendor specific etc. If the certification standards are insecure, then being certified is not really meaningful – Anthony Feb 24 '20 at 22:53
1

I agree with schroeder's response. However, I would suggest starting with ISO 27001, as this standard is referred to/consumed by other certifications like ISO 27017, ISO 27018, SOC 1, SOC 2, HIPAA, PCI-DSS, GDPR, PDPA, etc.

The ISO 27001 standard gives you the foundation to build security and privacy practices within your organization as it's based on a business risk approach.

Hence, go for the ISO 27001 certification.

schroeder