Enterspeed Blog

Getting ISO 27001 certified. Want to know how – and why it was worth it?

Emil Rasmussen
CTO at Enterspeed

Ever wondered how a company like ours tackles the process of achieving ISO 27001 certification? Well, grab a cup of coffee and let us walk you through our exciting experience with security compliance! 

👉 Check out the news post: We’re now ISO 27001 certified

Why do it?

Back in December 2024, we decided it was time to get formal, recognised validation for the security measures we had already put in place. 

International enterprises make up a considerable part of our customer base – and their focus is increasingly on compliant tech. They often need to certify their own products and opting for tried, tested, and certified tech alleviates that process for them. 

ISO 27001 offered a globally accepted, standards-based certification that clearly demonstrates our commitment and accountability. We want to note, though, that the certification process was always more than “just” getting the badge: it was also a great opportunity for us to revisit and strengthen our security practices, in line with our continual improvement mindset.

In this post, we’ll share how we chose between ISO 27001 and an ISAE 3000 audit, the tools and partners that supported us, the key activities required by the standard, and our reflections on the outcome.

Choosing the right framework

As part of our initial exploration, we compared ISO 27001 certification with an ISAE 3000 audit. ISAE 3000 is a well-recognised assurance standard in Denmark and often the preferred approach for external audits. However, over a three-year period, ISO 27001 proved to be roughly 40% more cost-effective for us. The certification cycle (an initial certification audit, annual surveillance audits, and recertification every three years) is simpler and less resource-intensive than repeating a full audit for each new reporting period, and the upfront costs were also lower.

But price wasn't the only advantage. The broader recognition of ISO 27001 certification stood out as a clear benefit. An ISO certification simply carries weight. While there are practical differences in how an Information Security Management System (ISMS) is implemented depending on the audit framework, the fundamental principles are very similar.

Platforms and partners

We considered both international and Danish compliance platforms to support our efforts. Ultimately, we chose to work with the UK-based security and GRC consultants at Cognisys and the Vanta compliance platform. They led us through a focused 6-week accelerator programme, helping us implement a working ISMS, build policy documentation tailored to our operations, and identify where our existing practices already aligned with the standard.

Starting from familiar ground

Since we’d already used ComplyCloud for GDPR compliance, we weren't starting from scratch. Many of the ISO 27001 controls – such as access management, vendor evaluations, and incident handling – were already in place in some form. The real work was formalising and extending those controls into a full, auditable system using Vanta, ensuring that all aspects of the ISO 27001 standard were covered.

Navigating new requirements

ISO 27001 introduced some new, structured elements to how we manage security:

Internal audit

One of the requirements (clause 9.2 of the standard) is that the internal audit must be conducted by someone independent of those who implement and operate the ISMS. Our GRC consultants handled this for us, providing an objective review that both satisfied the standard and helped surface opportunities to tighten our approach.

Management review

The management review is another formal requirement (clause 9.3). Facilitated by the GRC consultants, this session helped us align on risks, priorities, and progress at a leadership level – an important checkpoint in the certification journey.

Incident response exercise

As part of preparing for real-world readiness, the GRC consultants ran a tabletop-style incident response test. This exercise gave us a chance to validate our process, roles, and communication flow in a controlled environment.

Having the GRC consultants facilitate and provide feedback throughout these essential ISO 27001 activities was excellent preparation for the external audits.

The evidence phase

Midway through the process – once the policies were drafted and controls defined – we entered the evidence-gathering phase. This part of the process took time. Understanding what kind of evidence auditors look for was a learning experience in itself. Items such as access logs, onboarding checklists, risk assessments, and asset inventories all needed to be documented and clearly linked back to the policies. This is where the platform (and the guidance from the GRC consultants) became absolutely invaluable.

Another key learning was the use of generative AI. AI models proved to be very effective for understanding the ISO 27001 standard and generating examples of the various types of evidence. This helped us map each required evidence type to something concrete in our own organisation and processes. Generated examples are a starting point, not evidence in themselves: every item still has to correspond to something that actually exists in the organisation and can be shown to an auditor.

Worth it?

Looking back, we’re really happy with the outcome. Now, we have formal, external proof of the work we've put into building a secure environment – and a system that supports continuous improvement. And no, it’s still not just a badge to us. It represents a clearer and more structured way of working that we’re confident will benefit the entire company. Our customers can now easily review our security environment – a significant win, as it allows us to spend more time focusing on making our beer taste better, rather than responding to security questionnaires.

And next up? Well, now we’re working towards a SOC 2 report, too. Stay in the loop if you want to know more 😃

If you would like to learn more about how we approached our ISO 27001 certification or have any questions about our security practices, you're always welcome to reach out.

Emil Rasmussen
CTO at Enterspeed

20 years of experience with web technology and software engineering. Loves candy, cake, and coaching soccer.

© 2020 - 2025 Enterspeed A/S. All rights reserved.