Everything about ISO/IEC certificates and why they are a must-have for IT companies in times of war

Due to Russia’s full-scale invasion of Ukraine, IT companies have faced even greater competition for clients. Today, to survive, a business needs not only to retain those who already trust it but also to attract new partners. Meanwhile, Western clients, due to the war, have become even more demanding; cooperating with Ukrainian companies means not only high-quality services but also a risk factor, as cynical as it may sound.

In this article, we will explore how to make your company competitive in the IT services and consulting market, mitigate risks, and win the trust of clients at the introduction stage.

All these points can be summarized with one word – certification.

What is certification?

A client wants to see that, under war conditions, your company can continue to operate and fulfill its obligations. But not just in words – on paper. Certification is like a warranty card for the client, confirming that your business complies with international standards and is ready for any unforeseen events.

The development and publication of international standards are overseen by the International Organization for Standardization (ISO). It develops standards for various fields: medicine, cybersecurity, environmental management, energy consumption, and so on. Certificates based on these standards confirm a company's compliance with them, and hence that the company can be trusted.

Different certificates are designed for each field. They are all distinct, and each covers a specific part of the processes. For the IT sector, the most common standards are ISO/IEC 27001 and ISO/IEC 27701. This article will discuss them in detail.

But first, let’s determine whether they are really necessary.

In my company, there’s no certificate – so what? 

Which ice cream would you rather buy? Any in beautiful packaging, or one with a mark of compliance with DSTU (Ukrainian State Standard)? The same goes for business. Of course, ISO certification is voluntary; you might not pursue it. But if you want to collaborate with major companies and globally recognized brands, certification is inevitable. Such clients are unlikely to trust their projects to just any company. Before negotiations commence, they will ask for certificates.

From our experience, IT companies suffer from a lack of certification already at the tender selection stage: European customers simply do not allow a company to participate in the tender if it has no ISO 9001 and ISO/IEC 27001 certificates. For large clients, having an ISO/IEC 27001 certificate from a supplier is a mandatory requirement.

For American and European IT companies, having ISO/IEC 27001 and ISO 9001 certificates is a given. Additional industry-specific and legislative standards, such as GDPR, SOC2, or PCI DSS, follow. For Ukrainian companies that want to work with US and EU companies, such certificates are also a must-have. And here’s why.

Advantages of ISO/IEC 27001 for business:

  • Increasing trust from partners and clients: ISO/IEC 27001 confirms that the company’s information security management system operates in controlled conditions. At the very least, basic measures for crisis responses have been established, hence the business is in reliable hands.

Upon successful audit and receipt of the ISO/IEC 27001 certificate, the company gains a significant competitive advantage: clients and employees see that the management implements effective risk management, showcasing legality and transparency of operations.

The certificate is recognized globally, opening up opportunities for international markets and attracting foreign partners. In the EU and the US, having certificates is standard, while their absence becomes a risk factor.

  • Compliance with the requirements of regulators, tender committees, and legislative bodies: Having a standard is often a mandatory requirement for tenders, especially when it concerns government contracts. For legal operations in various countries, basic certification is required. In most cases, this is covered by ISO/IEC 27001, so companies don’t need secondary processes to comply with these requirements.
  • Reliability and stability of your business: The ISO/IEC 27001 standard recommends that companies conduct an assessment of information risks and prepare a risk minimization plan. ISO/IEC 27001 certification provides a foundation for information security management processes and key operational elements. This standard clearly defines practices such as:
    • Keeping IT systems up-to-date,
    • Antivirus protection,
    • Data storage and backup,
    • IT change management.

As a result, the processes necessary for compliance with ISO/IEC 27001 lead to improved documentation and clear instructions that all staff should follow, further ensuring the organization’s safety and resistance to cyber-attacks.

You will get all of this and set it up in your company during the preparation for certification.

How to Obtain ISO/IEC 27001

The certificate is issued by a certification body. There are many of them, and they differ in levels of accreditation. For instance, there is the German DAkkS accreditation, British UKAS, American IAS, and ASCB. Often, for the EU market, a local European accreditation is necessary, while in the USA, American accreditation might be preferred. However, all these accreditations are mutually recognized.

The process itself is not simple and can turn out to be expensive. It’s not merely a formality that can be completed in a couple of weeks since the result essentially represents an international quality standard for your business. In some cases, the certification can take years and cost thousands of euros. So, how does this happen?

During the certification, an independent certification body sends auditors to the company. The auditor’s goal is to confirm that your company meets the requirements of the chosen standard.

ISO/IEC 27001 certification is done in two stages:

  • Company preparation for certification. The preparation period depends on the level of alignment of processes within the company and can last from three months to two years. This stage includes:
    • Training staff;
    • Conducting a diagnostic audit (GAP analysis) to understand the company’s assets and information resources, preparing a roadmap;
    • Developing policies and procedures required by the standard (e.g., information security policies and objectives, asset register, company’s information risk assessment, personnel management policy, physical security assurance policy, IT management operational procedures, and many others);
    • Great attention during development and audit is given to the company’s information assets: how they are identified and protected. The standard requires risk assessments for these assets and, consequently, risk mitigation plans.
  • Conducting certification. This process takes about 1-2 months and includes several stages.
    • For ISO/IEC 27001, the first stage involves documentation analysis and an internal audit. If the first stage is successful, the second stage is planned.
    • In the second stage, the auditor conducts interviews with the staff and addresses the standard’s requirements.

Both stages, in terms of cost and duration, depend on the industry, staff size, and the number of the company’s physical locations. Consequently, the cost can vary greatly, ranging from 1,500 euros to infinity.

Therefore, the sooner a company obtains the certification, the better. When it’s smaller, it’s easier to develop and implement all processes. Later, it will require more time as the staff number increases, and with it, all company processes.

The certificate is issued for 3 years, and each year an oversight audit is conducted. The company has to prove that it continues to meet the standard’s requirements.

Can one obtain certification in Ukraine? 

Certainly, there are certification bodies in Ukraine, and the options are vast. It’s best to entrust this process to a company with a broad range of partners and a solid reputation in the market.

Baltum Büroo Group is one such company. Our main advantages are:

  • Baltum Büroo works with several certification bodies and is a partner of international companies such as UNICERT (German accreditation DAkkS), Swiss Approval (Switzerland, American accreditation IAS), Bureau Veritas, URS (UK Accreditation (UKAS)), and others.
  • We have a broad network of certification bodies with whom we work directly in each local country. This allows us to offer our clients a choice of both the certification body and the preparation for the company’s certification. Consequently, the cost of our services will be minimal.
  • We facilitate certifications globally, regardless of the company’s location or registration. Often, the operational IT business is based in Ukraine, but there may also be representatives in other countries. Baltum Büroo covers all these offices.
  • Our extensive team with diverse expertise across various standards (ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 20000-1, ISO 9001) can address any client needs, including specific ones.
  • We are highly adaptable to the client and their needs, from the selection of the certificate to payment method choices.

What other certificates are there for IT companies? 

Due to the war, many companies relocated or opened offices in other countries. They face demands from partners to verify their management level in various aspects. Most often, our clients are required to:

  • Develop a BCP (Business Continuity Plan);
  • Assess risks and minimize them;
  • Have methods and tools for incident management.

All these are requirements of the ISO/IEC 27001 standard. But there are other standards typical for the IT sphere. Let’s briefly consider them.

  • ISO/IEC 27001: Involves supporting an information security management system, evaluating potential risks and identifying vulnerabilities, controlling and storing information, informing employees and third-party contractors about risks and incident reporting, system activity monitoring, and access control to systems.
  • ISO/IEC 27701: Focuses on the personal data management system. For organizations that already comply with GDPR (General Data Protection Regulation), most of the requirements and measures are already implemented, as ISO/IEC 27701 is largely based on GDPR rules.
  • ISO 9001: The primary standard for all companies. It includes requirements such as document and personnel management, internal audits, corrective and preventive actions.
  • ISO/IEC 20000-1: This standard encompasses the requirements of ISO 9001 and ISO/IEC 27001. It defines IT service management as a system of interrelated processes and is based on ITIL. The standard examines processes such as Service Delivery Processes, Capacity Management, Service Reporting, Information Security Management, Budgeting and Accounting for IT service, etc.

Baltum Büroo consultants will help determine which standard is optimal for your company. So, don’t hesitate, invest in ISO – it’s a guarantee for your business’s bright future.

In this article, we tried to explain everything you need to know about IT certification comprehensively. If you have further questions, our consultant-auditor Kyrylo Proskurnya will analyze your business and gladly explain all the details. Kyrylo has years of experience in the field of ISO/IEC certification and has helped dozens of IT companies successfully navigate this complex process.

Submit your request now – Baltum Büroo specialists will make an offer and guide you until successful certification.