At ISMS Copilot, we're committed to "practicing what we preach." As a tool built by and for information security professionals, we implement many of the controls we help our customers achieve—such as mandatory MFA, row-level security for data isolation, automated code scanning, and real-time monitoring. Our architecture already aligns with key requirements from ISO 27001:2022 Annex A and SOC 2 Trust Services Criteria.

That said, we're transparent: ISMS Copilot is not yet ISO 27001 certified or SOC 2 attested. Here's why, and our pragmatic plan forward.

Why We're Not Certified Yet

We're a bootstrapped startup, founded in France without investors or external funding. Our small team is led by a founder/CEO who handles everything from product development to compliance—serving as CEO, CISO, DPO, compliance officer, product owner, and finance lead all at once.

This reality creates tangible challenges that make ISO 27001 certification difficult to achieve in our current structure:

The Management Challenge

ISO 27001 assumes organizational structures with segregation of duties and independent oversight. In our current setup:

  • I write and approve my own documentation – From security policies to risk assessments, there's no independent reviewer because I'm filling all the roles

  • Management reviews = solo reflection – When "management review" means me reviewing my own work, it's self-assessment without the diverse perspectives auditors expect

  • Leadership and implementation overlap – I'm simultaneously committing to security as CEO and implementing it as CISO, which can create blind spots in accountability

We can outsource internal audits to address independence requirements, and we use our own tool to generate documentation efficiently. The challenge isn't capability—it's having the organizational structure that ISO 27001 literally requires.

Resource Prioritization

As a bootstrapped company, we grow by making our customers happy—cybersecurity consultants, auditors, and compliance teams who rely on us for their ISO 27001 implementations. We've prioritized:

  • Tangible security controls that directly protect users (encryption, access controls, monitoring) over formal certification processes

  • Product features that help our fellow ISO 27001 and GRC professionals succeed in their own compliance journeys

  • Customer value through AI-powered document generation, framework mapping, and compliance automation

We reinvest revenue from satisfied users into steady improvements rather than diverting significant resources to certification while we're still a tiny team.

We rely on certified subprocessors (OpenAI's SOC 2 Type II, Stripe's PCI DSS Level 1, AWS/Supabase ISO 27001 and SOC 2 Type II) to extend our security posture while maintaining transparency about our own certification status.

When We Plan to Certify

We'll pursue ISO 27001 certification and SOC 2 attestation as we expand our team—adding roles like a dedicated compliance specialist and additional engineers. This growth will come organically from customer success: by helping ISO 27001 and GRC professionals streamline their work, we build the revenue to scale responsibly.

Once the team is larger, we'll formalize the remaining organizational requirements:

  • Independent management reviews with multiple stakeholders

  • Documented risk treatment plans with separate approval workflows

  • Business continuity procedures with designated role assignments

  • Internal audit programs with true independence

We'll leverage our own product to accelerate this process—practicing what we preach by using ISMS Copilot to generate policies, map controls, and maintain evidence.

In the meantime, we're preparing actively: conducting gap analyses, documenting our roadmap, and implementing controls that align with ISO 27001 Annex A requirements. When the team expands, certification will build on our existing strengths rather than start from scratch.

Our Current Security Posture

While we're not certified yet, we've implemented robust security controls that align with industry standards:

  • Mandatory multi-factor authentication via Supabase Auth

  • Row-level security for complete data isolation between workspaces

  • Automated code scanning with triaged findings

  • Real-time error tracking and monitoring

  • Encryption at rest and in transit

  • DDoS protection and rate limiting

  • GDPR compliance by design with user-controlled data retention

For more details on our implemented controls, see our Security & Data Protection Overview and Security Policies.

Questions About Our Security?

We're here to discuss how our current security posture supports your needs. If you're a customer or prospect with questions about our controls, compliance status, or certification roadmap, please reach out—transparency is core to how we operate.
