Why we're not ISO 27001 certified yet
At ISMS Copilot, we're committed to "practicing what we preach." As a tool built by and for information security professionals, we implement many of the controls we help our customers achieve—such as mandatory MFA, row-level security for data isolation, automated code scanning, and real-time monitoring. Our architecture already aligns with key requirements from ISO 27001:2022 Annex A and SOC 2 Trust Services Criteria.
That said, we're transparent: ISMS Copilot is not yet ISO 27001 certified or SOC 2 attested. Here's why, and our pragmatic plan forward.
Why we're not certified yet
We're a bootstrapped startup, without investors or external funding. Our small team is led by our founder/CEO, who handles many processes, from product development to compliance, serving as CEO, CISO, DPO, compliance officer, product owner, and finance lead all at once.
This reality creates tangible challenges that make ISO 27001 certification difficult to achieve in our current management structure:
Management structure
ISO 27001 assumes organizational structures with segregation of duties and independent oversight. In our current setup:
I write and approve my own documentation – From security policies to risk assessments, there's no independent reviewer because I'm filling most of the roles. Even if engineering is a separate role, I would be the approver for most policies I write.
Management reviews = solo reflection – When "management review" means me reviewing my own work, it's self-assessment without the diverse perspectives auditors expect. Even if we can have external consultants perform internal audits to bring other pairs of eyes on the ISMS, management review cannot be outsourced.
Leadership and implementation overlap – I'm simultaneously committing to security as CEO and implementing it as CISO, which doesn't provide the separation of roles that ISO 27001 recommends to ensure distinct accountability layers (Clauses 5.1 and 5.3). As founder, I hold full accountability for all aspects, but the standard's intent requires a more structured division for formal certification.
We can outsource internal audits to address independence requirements, and we use our own tool to generate documentation efficiently. The challenge isn't capability; it's having the organizational structure that ISO 27001's requirements, read as intended, literally call for.
Resource prioritization
As a bootstrapped company, we grow by making our customers happy - cybersecurity consultants, auditors, and compliance teams who rely on us for their ISO 27001 implementations. We've prioritized:
Tangible security controls that directly protect users (encryption, access controls, monitoring) over formal certification processes
Product features that help our fellow ISO 27001 and GRC professionals succeed in their own compliance journeys
Customer value through AI-powered document generation, framework mapping, and compliance automation
We reinvest revenue from satisfied users into steady improvements rather than diverting significant resources to certification while we're still a tiny team.
We rely on certified subprocessors (Mistral AI's ISO 27001:2022, Stripe's PCI-DSS Level 1, AWS/Supabase ISO 27001 and SOC 2 Type II) to extend our security posture while maintaining transparency about our own certification status.
When we plan to certify
We'll pursue ISO 27001 certification and SOC 2 attestation as we expand our team - adding roles like a dedicated compliance specialist and additional engineers. This growth will come organically from customer success: by helping ISO 27001 and GRC professionals streamline their work, we build the revenue to scale responsibly.
Once the team is larger, we'll formalize the remaining organizational requirements:
Independent management reviews with multiple stakeholders
Documented risk treatment plans with separate approval workflows
Business continuity procedures with designated role assignments
Internal audit programs with true independence
We'll leverage our own product to accelerate this process - practicing what we preach by using ISMS Copilot to update our policies, map controls, and maintain evidence.
In the meantime, we're implementing an ISO 27001-aligned ISMS: performing risk assessments and treatments, establishing business continuity and disaster recovery measures, conducting incident management and threat monitoring, and gathering evidence through tools like logs and dashboards. When team expansion happens, certification will enhance our existing strengths rather than starting from scratch.
Our current security posture
While we're not certified yet, we've implemented robust security controls that align with industry standards:
Mandatory multi-factor authentication
Row-level security for complete data isolation between workspaces
Automated code scanning with triaged findings
Point-in-time recovery for increased resilience
Real-time error tracking and monitoring
Encryption at rest and in transit
DDoS protection and rate limiting
GDPR compliance by design with user-controlled data retention
For more details on our implemented controls, see our Security & Data Protection Overview and Security Policies.
Questions about our security?
We're here to discuss how our current security posture supports your needs. If you're a customer or prospect with questions about our controls, compliance status, or certification roadmap, please reach out. If there's a control you need, we're happy to implement it once we have the resources, or at least plan for it, so don't hesitate to ask.