From startup security practices to enterprise-grade assurance: how we transformed N47’s security posture while driving business growth.
Why We Pursued ISO 27001 Certification
Like many technology startups, we had a decent grasp of basic security hygiene – strong passwords, firewalls, antivirus, employee training – but it was informal, not measurable and inconsistent.
The tipping point came as we started to engage with bigger clients and enter more regulated markets, where we noticed a recurring theme: security assurance.
We needed more than ad-hoc policies and the occasional employee awareness training if we wanted to be seen as a more mature enterprise and shed the mantle of “startup enterprise”.
We needed to be systematic, auditable and credible in our approach and prove we take information security seriously, while also keeping the overhead at a reasonable level.
After quite some internal discussion and plenty of external research, ISO 27001 emerged as the right standard for us.
What appealed to us about ISO 27001 wasn’t just the badge. It was the fact that the framework is built around risk management and continuous improvement, which aligned with how we already think about quality and operations. It’s not just a checkbox exercise (make no mistake, there is that, too!); it’s a shift in mindset, leadership and culture.
Our strategic objectives were clear:
- Differentiate N47 from non-certified competitors
- Win enterprise clients and expand into new markets
- Establish clear security ownership across the organization
- Create a common risk management language
- Align with EU regulations including GDPR and DORA
Therefore, a decision was made: this was going to enhance and mature our security posture – AND it was going to be a business enabler.
Our Smart Approach to Certification
Due to the size of our company and the utilization of our employees, we had to be smart with the resources we wanted to reserve for our certification. This meant:
- Choose the right partners and tools
- Automation over manual processes
- Give everybody involved a sense of ownership
- Rely on best practices given by the tools to streamline the process
Selecting the Right Partners and Tools
There are many approaches to managing security – some companies still rely on endless amounts of enormous spreadsheets, some adapt their internal tools and some choose a proper Information Security Management System (ISMS).
As we didn’t have any existing infrastructure to centrally manage our security information, we opted to go for an “all-inclusive” ISMS which would allow us to map our employees, policies, systems and assets to the requirements given in the ISO 27001:2022 framework and to keep track of the maturity of our security.
After evaluating several tools extensively, we settled on Drata as it gave us the best combination of price, ease of use, system integration via connectors and, on top of that, excellent customer service. In fact, we were so content with the overall security experience with Drata that we decided to strengthen our relationship and become a Drata partner ourselves.
Automation over manual processes
As mentioned earlier, we also had to be smart and efficient with the resources we used. Every employee involved in the ISMS also has commitments to client work, so overburdening them with manually maintaining spreadsheets on all the different aspects of information security just wasn’t an option. We had to find a way to:
- Automate the access controls
- Monitor the compliance of employees (e.g. policies and security trainings) and assets
- Monitor the compliance of our products (e.g. firewalls, system updates, vulnerability scans)
- Collect, store and decommission evidence
- Utilize and lean on best practices already baked into existing tools
Using Drata, we were able to automate most of these tasks straight out of the box. Whenever Drata didn’t have the integrations or implementations yet, we could rely on our team of developers to quickly automate e.g. comparing the assignments and ordered permissions in various systems.
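As an added illustration of the kind of permission comparison mentioned above (example code written for this page, not N47’s or Drata’s implementation), the script below reconciles approved access against what two constructed systems actually grant and reports excess, missing and orphaned entitlements, which is exactly the drift an access review has to surface:

```python
"""Reconcile approved access ("ordered permissions") against actual grants.

All user, system and role names below are constructed for the example.
"""
from dataclasses import dataclass

# Approved access as recorded by HR / ticketing: user -> {system: set(roles)}
APPROVED = {
    "alice": {"git": {"developer"}, "cloud": {"read-only"}},
    "bob":   {"git": {"developer", "admin"}},
}

# Access actually granted, as exported from each system: system -> {user: set(roles)}
ACTUAL = {
    "git":   {"alice": {"developer"}, "bob": {"developer"}, "carol": {"admin"}},
    "cloud": {"alice": {"read-only", "admin"}},
}


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    kind: str            # "excess", "missing" or "orphan"
    roles: frozenset     # the roles that differ


def reconcile(approved, actual):
    """Return one Finding per deviation between approved and actual access."""
    findings = []
    # Every system mentioned on either side is in scope for the review
    systems = set(actual) | {s for grants in approved.values() for s in grants}
    for system in sorted(systems):
        granted = actual.get(system, {})
        users = set(granted) | {u for u, g in approved.items() if system in g}
        for user in sorted(users):
            have = granted.get(user, set())
            if user not in approved:
                # Account exists in the system but nobody approved it (e.g. missed offboarding)
                findings.append(Finding(system, user, "orphan", frozenset(have)))
                continue
            want = approved[user].get(system, set())
            if have - want:
                findings.append(Finding(system, user, "excess", frozenset(have - want)))
            if want - have:
                findings.append(Finding(system, user, "missing", frozenset(want - have)))
    return findings


if __name__ == "__main__":
    for f in reconcile(APPROVED, ACTUAL):
        print(f"{f.system:6} {f.user:6} {f.kind:8} {sorted(f.roles)}")
```

The list of findings, not the raw exports, is what ends up as evidence: an empty list is a passed review, and each non-empty entry names the owner who has to act.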
Distributing Security Ownership
Observing how other companies approached their certification, we noticed a common pattern: many externalize the process or hire someone new to “own” it.
While this certainly can work, it often creates a single point of failure – and it disconnects the rest of the team from the bigger picture.
With the automation and visibility Drata provided, team members could see the impact of their actions, and those actions became meaningful.
- HR owned secure onboarding and offboarding
- Engineering owned secure development practices and vulnerability management
- Operations owned vendor risk and asset inventories
- Leadership was actively involved in risk management and setting the tone from the top
- And of course, the security team members made sure everyone understood their role and introduced new security concepts into already existing processes.
HR could track policy acknowledgment. Leadership could view risk registers evolving over time. Ownership doesn’t have to be abstract: we made it visible.
This mindset shift from security being “someone else’s job” to “we all have a role” is what made our journey not only successful but sustainable.
Starting Your Certification Journey
ISO 27001 (or indeed any certification) can seem intimidating from the outside. There’s a mountain of controls, processes, and documentation to get through—and if you’re a mid-sized company juggling client work and product delivery, it’s natural to worry about the time and cost involved.
Begin with a Gap Analysis
Before charging forward and spending money on any tools, we ran a gap analysis. It gave us the information we needed to compare where we were with where we needed to be for our certification.
In detail, doing the gap analysis gave us:
- A clear picture and map of our IT landscape
- A clear picture of our processes
- A clear picture of what we actually needed to work on (Policies, Technologies, Processes)
- A prioritized roadmap (because you can’t do everything at once)
- A baseline for tracking our progress
Understanding this helped us align our ISMS scope with reality, and not build a parallel universe of policies that didn’t reflect how we actually work. It also helped identify opportunities to consolidate, simplify, and automate from day one.
If you want to get a head-start into those topics, feel free to reach out to us via:
Managing Certification Costs
It’s not free, but it doesn’t have to break the bank either.
We kept our costs manageable by:
- Re-using and investing in systems we already had
- Taking a risk-based approach: what do you need to do first to improve your security posture in a meaningful way?
- Choosing a SaaS-based ISMS (like Drata) instead of building or stitching together tools
- Automating evidence collection and compliance tracking
- Assigning responsibilities to existing roles, instead of hiring a full-time ISO team
Bottom line: You don’t need a big budget—you need a smart plan. And it all starts with understanding where you are today.
How N47 Can Support Your Security Journey
If reading this has you nodding along (or quietly panicking): we get it; the requirements can be overwhelming. Whether you’re pursuing ISO 27001, aiming to improve your overall security posture, or just tired of chasing spreadsheets and compliance chaos, we’ve been there.
Here’s how we can help:
- We’ll help you run a practical gap analysis so you know exactly where you stand and what matters most.
- We’ll work with your team to streamline what already works, automate what doesn’t, and cut out the busywork that slows you down.
- We’ve learned how to embed security into existing roles and workflows: practical, team-based security that sticks.
- We’ve done the research so you don’t have to. Whether you need an ISMS platform or just want to know what’s worth investing in, we’ve got you.
Partner with N47 to transform your security approach from a compliance burden into a business advantage. Contact us via:
