We're Now ISO 27001 Certified. Our Lessons Learned

Oct 14, 2025 · 3 min read

Jan Cizmar

Founder & CEO


When you’re running a small startup, ISO 27001 certification can sound intimidating. It often feels like something only large enterprises can afford or have time for. But with the right approach, even a team of just a few people can achieve it and learn a lot in the process.

At Tolgee, we went through this journey recently. Here's what we learned, some of it the hard way, written down so you don't have to repeat our mistakes. 🤠

Why Tolgee needed it

For us, the trigger was clear. Many enterprise customers either required ISO 27001 certification or required us to fill out long security questionnaires.

I believe many of them even excluded us from evaluation simply because we didn't have it, a hypothesis we will be able to test soon now that we do.

Beyond customer requirements, we realized, once we started implementing the system, that we also needed more structure internally.

Accept that it’s going to be hard but worth it

Our certification process took four months and circa 200 hours of work. We had to create dozens of guidelines and policies, set up new access controls, and define our risk management processes.

At first, it felt like endless bureaucracy. But as we progressed, it became a valuable experience, not only for meeting enterprise expectations but also for improving our internal processes and giving us better sleep.

Simplify everything

Once we had written all the required policies based on ITIL-like templates, we realized they were too complex to follow. So we simplified them. ISO 27001 doesn’t require over-engineering. It just asks you to prove that you manage information security in a consistent, measurable way.

Here are a few examples of how we simplified:

  • Password policies: Instead of enforcing rotation or 90-day changes (forced periodic changes are also discouraged by NIST SP 800-63B), we require everyone to use a password manager and generate strong, unique passwords. We also recommend checking your accounts on pages like haveibeenpwned.com.

  • Laptop safety: Instead of long documents about not leaving laptops unattended, we enforce full-disk encryption on every device, so a lost or stolen laptop is a hardware loss rather than a data breach.

  • Network segmentation: If you don't have on-prem servers, there's no point in splitting internal and guest Wi-Fi. A fired employee connecting from the parking lot is a real problem only if there is something on the local network for them to reach.
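The password bullet above points people at haveibeenpwned.com. The same service exposes a Pwned Passwords range API that lets you check a password against known breach corpora without ever sending the password, or even its full hash, off the machine: you send the first five hex characters of the SHA-1 and match the remaining 35 locally (k-anonymity). The script below is an added example, not code from the original post or from Tolgee. It assumes the public endpoint https://api.pwnedpasswords.com/range/<prefix> and its "SUFFIX:COUNT" line format; the embedded range response and its counts are constructed so the demo runs offline.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API.

Added example (not from the original post). Only a 5-hex-char SHA-1 prefix
leaves the machine; the suffix match happens locally, so the password is
never disclosed to the service. Sample data below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # public HIBP endpoint

# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses contain hundreds of lines; counts here are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0030DB9A9A0F2F9C24F0C3FDEAAB1E9A9F4:3\n"
        "1DA9E47C1D6B5D63B90D0A8F9F2E4B5C6D7:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent over the wire
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map.
    Padded responses (Add-Padding: true) include suffixes with count 0;
    they are kept but never match a real password."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Real network lookup. Add-Padding hides the true number of entries
    from anyone observing response sizes."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    The password itself is never passed to `fetch`, only its hash prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_compromised(password: str, fetch: Callable[[str], str] = fetch_range) -> bool:
    """Policy helper: any appearance in a breach corpus disqualifies the password."""
    return breach_count(password, fetch) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch)
        verdict = "REJECT" if n else "ok"
        print(f"{candidate!r}: seen {n} times -> {verdict}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; wiring `is_compromised` into an onboarding script or a password-manager audit gives you the "no known-breached passwords" control as something you can actually demonstrate to an auditor, rather than a sentence in a policy.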

Simplicity is the key to sustainability. Write only what makes sense for your team and what you can actually maintain.

Don't use Word or Excel, use Fibery, Notion or similar

We built our entire information security management system (ISMS) in Fibery. It became our single source of truth for everything: storing the guidelines so everyone has access, logging who has access to what, evaluating suppliers and risks, and tracking security incidents.

In the beginning, we tried to manage everything using the Word and Excel templates. It was painful. Searching through folders and versioning documents made everything worse. Once we moved to Fibery, it finally made sense. We could link directives, risks, and incidents, automate reviews, and actually work with our ISMS instead of fighting it.

Involve the whole team

In our case, I was wearing two hats: CEO and Security Manager. Our COO, Marketa, was responsible for HR matters, and we had to bring the rest of the team into compliance with the new policies: password management, full-disk encryption, permission and access logging, and two-factor authentication everywhere.

It’s important to get the team on board so they don’t see it as useless bureaucracy but as something that prevents problems in the future.

Don’t aim for perfection

The goal is to get certified, not to build a textbook-perfect system. You’ll keep improving it over time. The first version is about building a foundation you can actually maintain. Once certified, you’ll have time to iterate and refine.

Choose a good auditor

A good certification partner will guide you rather than make your life harder. That doesn't mean choosing someone who lets you pass without doing the work. You just need someone who thinks practically instead of blindly following complex ITIL-like guidelines.

We worked with an auditor who hated the long directives, just like us, and who loved the tool-based approach. He appreciated that we created our own system in Fibery that we understand and that we are able to follow.

Celebrate and keep it alive

When we finally got certified, it was a huge relief. But the work doesn't end there. We need to keep the system alive. We need to continuously enforce the policies, evaluate the suppliers, identify risks and log incidents.

But I believe it's not going to slow us down as much as I feared at the beginning.

To achieve this, it's important not to tolerate any unnecessary bureaucracy and to keep the guidelines simple but effective.

Final thoughts

ISO 27001 is challenging, but it’s absolutely achievable for small startups. It helps you build maturity, clarity, and trust not just for customers, but for your own peace of mind.

If you approach it pragmatically, keep things simple, and involve your whole team, it can become one of the most valuable processes your startup ever goes through.
