Our Commitment to Security: Balena achieves ISO 27001 Certification

In this blog post, we explore why we decided to do this, what an audited security system actually delivers, why we chose ISO 27001:2022, and what we learned on our journey toward creating a transparent, effective, and culture-aligned Information Security Management System (ISMS).

The Why

Flexibility, autonomy, and trust are at the core of how we operate at balena. We don’t have layers of management wrapped around bureaucratic processes. Instead, we enable collaboration and context sharing at all levels, empowering our team to take ownership and make decisions about the things they work on. We don’t insist on team members taking a specific number of days off within a defined period. Instead, we encourage them to take as much leave as they need, when they need it. We don’t rely on rigid KPIs or performance reviews to measure success. Instead, we focus on intrinsic motivation and trust people to contribute in ways that further our mission, without the pressure of arbitrary targets.

As you can imagine, these types of approaches, and the systems that support them, don’t necessarily align well with regulatory frameworks like ISO 27001. Formal certification often requires strict adherence to traditional standardized procedures, layers of documentation, and people management, which is very much at odds with our aim to minimize bureaucracy. As such, we were always concerned that introducing a compliance-heavy framework like ISO would conflict with our core values and, as a result, have a damaging effect on our company culture.

So, why did we do it? In short, we did it because we wanted a reliable way to give external stakeholders a quick and easy way to verify our security credentials. But, the good news, and the reason we eventually pursued it, is that we found a way to meet the requirements without compromising our unique approach. In true balena style, rather than following the prescribed path, we took a deep dive into the certification requirements, analyzed and translated the standards using first principles, and successfully applied them in our own way.

Security isn’t just a feature, it’s a necessity

Gaining ISO certification isn’t just about ticking the latest compliance check boxes. The security of our organisation has always been a top priority for us: we follow rigorous engineering practices and carry out regular penetration testing to keep our platform safe. But security isn’t something that can be taken for granted, and while internally we have full confidence in our security posture, we’ve long known we needed a better way of sharing that confidence with customers and external stakeholders.

For companies like ours, which are deeply embedded in the technology sector, ensuring robust information security requires a holistic approach that encompasses everything from documented procedures to nurturing a security-aware team culture. This is where an audited security system comes into play.

What Does an Audited Security System Actually Provide?

In an ideal world, everything a company does in terms of information security would be transparent, with clear, visible practices and protocols. However, in reality, sharing all those details would result in an overwhelming amount of data.

Some companies use questionnaires or summaries to simplify things, but they only show a small part of the picture and not the actual evidence behind the claims. That’s where audits come in.

Having an audited security system means that a trusted, independent expert has completed a thorough review of documentation, procedures, and security controls, and has confirmed that the system meets industry standards. Auditors rely on standards like ISO 27001 or SOC to ensure a structured and universally accepted method of auditing.

In simple terms, auditing removes the burden of compliance and security posture verification from customers and other stakeholders, and provides reassurance that security protocols are not only in place, but are also effective and reliable.

Why We Chose ISO 27001:2022

ISO 27001 is a globally recognised standard for managing information security. At its core, it helps companies implement clear rules, procedures, and processes to keep information secure across the organization.

One aspect we particularly appreciated about the ISO standards is the self-monitoring mechanism, based on the PDCA (Plan, Do, Check, Act) cycle. This is essentially a built-in feedback loop, a concept we at balena are particularly fond of because it ensures continuous improvement and adaptability over time, ensuring that the system constantly evolves to meet emerging security challenges.

The Journey to ISO 27001 Certification, and the lessons learned

Building a robust, certified ISMS is no small feat, and this was in fact our third attempt! Each phase came with its own set of learnings:

Phase 1: Inside-Out Approach

Initially, we wanted to build our security posture from the inside out. We believed that our unique company culture alone could drive our approach to security, without the need for rigid external frameworks and certifications. However, this approach didn’t resonate well when we tried to demonstrate our security efforts publicly: it lacked structured documentation that stakeholders could easily understand, and, most importantly, it passed the burden of verification on to the stakeholder.

Phase 2: Hiring External Expertise

Our next step was to hire professionals who were knowledgeable about security standards. While they brought expertise, they were new to the unique way in which we operate at balena, and this lack of integration led to misalignment with our core culture. We realized that team alignment was critical.

Phase 3: Embracing Structure Without Compromise

Our third attempt was more successful because we found a way to adopt a structured approach to ISO standards without sacrificing our culture. We started by gaining a deep understanding of ISO 27001 and its complementary standard, ISO 27002, within our own team. We discovered that ISO 27001 doesn’t demand rigid adherence to one-size-fits-all templates. Instead, it provides a set of hard requirements that can be tailored to fit a company’s unique operational style.

While ISO 27001 defines the “must-have” aspects of an ISMS, ISO 27002 outlines controls that can be adapted to match an organization’s specific needs, so we were able to implement the standards in a specific way that aligned with balena values, culture and philosophies.

The Role of Auditors and the Path to Certification

Achieving ISO 27001 certification involved multiple stages of auditing:

  1. External Audit Stage 1: An accredited auditor, Johanson Group, reviewed our documentation and flagged six areas of concern.
  2. Internal Audit: Secure Partners helped us do a full internal review, finding eight minor nonconformities and four areas of concern.
  3. External Audit Stage 2: Johanson Group came back for a second review and found no nonconformities or concerns.

Our auditors commended us for our depth of understanding and adherence to first principles. We didn’t just implement controls; we ensured that they were embedded within our culture and processes, rather than being an external imposition.

Lessons Learned

Avoiding the Template Trap

Many ISO 27001 templates prescribe the use of OKRs, KPIs, or other metrics that might not align with every company’s workflow. At balena, we don’t use traditional performance metrics, so we created custom approaches that met the standard’s intent without compromising our operational ethos. This flexibility allowed us to stay true to our culture while still achieving compliance.

Leveraging Technology with Secureframe

To streamline our compliance journey, we evaluated several security compliance platforms before choosing Secureframe. While these platforms help simplify the process, we made sure to adapt the tools to our needs, rather than letting the tools dictate our processes.

Adapting for cultural non-negotiables

One of the more innovative elements we implemented was a team competence inventory. Standard ISO templates might rely on performance reviews to measure competency, but since we don’t follow that model, we created a self-assessment process. Every team member evaluates their own competency, ensuring transparency and trust without the need for traditional appraisals.

Our Commitment to Security Without Compromise

Balena’s ISO 27001 certification is a reflection of our ongoing commitment to both security and culture. By understanding the standards from first principles, aligning them with our unique ways of working, and incorporating valuable feedback loops, we’ve built a strong fully functional ISMS without sacrificing any team member’s contribution or our organizational ethos.

To download a copy of our ISO 27001 certificate, or to find out more about the work we’re doing around security, please visit the balena Trust Center.

The post Our Commitment to Security: Balena achieves ISO 27001 Certification appeared first on balena Blog.