It's often framed as an enterprise-only exercise: long timelines, expensive tooling, consultants everywhere, and a lot of compliance work that exists mainly to survive an audit. As a ~40-person, engineering-driven SaaS company, we needed the same level of trust and rigor as much larger organizations — but we weren't willing to accept shelfware, parallel compliance infrastructure, or controls that only exist on paper.
We also didn't stop at ISO 27001.
We now hold ISO 27017 (cloud security) and ISO 27018 (data privacy for cloud service providers). These extensions matter because we're both a cloud service provider and a cloud customer, and we sit directly in the path of sensitive customer telemetry.
So the question we optimized for was simple:
"
Can we implement ISO controls in a way that's enforceable, observable, and auditable — but make the controls really matter?
The answer turned out to be: Yes.
We went from kickoff in August to certification in December, with a new security lead hire, a senior engineering org, and minimal net-new tooling. We didn't build a separate "compliance stack." We tightened the systems we already run in production and treated them as first-class security controls.
This post isn't about how we wrote policies. It's about how the controls actually work.
Final Thoughts
ISO 27001 isn't hard because the controls are complex. It's hard because teams try to implement it around their systems instead of through them.
If your controls are real, enforced, and observable, ISO becomes an exercise in mapping — not theater. This mental model has continued to hold as our systems, data surface area, and customer expectations have scaled. And that's achievable in months, not years, without lighting a massive tooling budget on fire.