June 14, 2024


Data security in crop innovation: What is ISO 27001?

Context

Doriane has empowered agronomy departments in their digital shift since 1984. Our software deals with research data from the agronomic industry, and our customers rely on these solutions to innovate on crops (create new varieties, new biosolutions and practices). But this process takes time: 8 years on average, for example, to create a new variety. It is easy to understand how sensitive this data is in a context of innovation that takes many years and of global competition. Hence it is our duty to implement security best practices and ensure the safety of our customers’ data. In 2023 our first SaaS solution was released: Bloomeo. Sending sensitive data to a SaaS is of course considered a high risk by our customers, and we needed a way to build a trust relationship with them.

Being compliant with an international security standard seemed like the right way to go!


What is ISO 27001?

There are many security standards, the main ones being SOC 2, ISO 27001 and NIST. These standards have a large overlap and of course some specificities. But if we take a bit of altitude, they were all created for the same purpose: structuring the way a company manages its risks. That’s really their cornerstone: identifying risks and managing them. ISO 27001 being well known in Europe, and our customers having experience with it, it was an obvious decision. ISO 27001 offers a framework to identify all our risks and ensures the most common ones are covered. Here is a sneak peek of what a company must prove when passing ISO 27001:

  • Commitment of the leadership team toward security
  • Risk assessment performed
  • Risk treatment plan defined
  • Resources are budgeted
  • Employees and contractors follow security training
  • Security objectives and KPIs are monitored
  • Security policies are in place, including: Data Protection, Encryption, Privacy, Access Control, Vulnerability Management, Business Continuity & Disaster Recovery, Physical Security
  • Procedures are documented
  • Controls are monitored
  • Continuous improvement
  • Audit performed by an independent auditor
  • And sooooo much more!

How to comply with ISO 27001?

Security has always been at the heart of Doriane.

And even though we have experience with ISO standards (Doriane is ISO 9001 certified), ISO 27001 felt like a different beast. So, like most young and successful SaaS companies these days, the target was defined but the path towards certification... not so much : ) As a SaaS company, it was obvious to look for a SaaS solution to help us. After evaluating several solutions, Drata felt like the right choice. Relying on Drata has many advantages for our customers:

  • It ensures continuous compliance: 100 security controls are continuously monitored by Drata, and the related KPIs are accessible
  • It offers a Trust Center where all our security documentation is available to our prospects and customers
  • It ensures compliance with regulations related to data privacy

Even though compliance with privacy-related regulations (e.g. GDPR, HIPAA, CCPA) is an obligation, most companies don’t get audited for this. Drata allows us to prove we are compliant with them. For Doriane, Drata supported us in project management, clearly listing all the requirements of the standard and the controls to put in place. Our progress towards compliance was clear all along the journey and was communicated to top management. Drata also helps us with automation. As it is connected to our ecosystem (e.g. Identity Provider, Cloud Provider, code repository, ticketing system, MDM, ...), it continuously monitors the status of each control. Additionally, any task that requires our attention (like a policy to review or a vulnerability scan to perform) triggers a notification, so we are confident nothing is missed. On top of the platform, Drata provides a list of partners to support their customers in their compliance journey. Doriane worked with Lyvoc, Drata’s partner for Europe, to put us on the right track and lead us toward the certification.

Our journey toward ISO 27001

In case you are also thinking about passing ISO 27001, you are most likely wondering what the typical timeline is. Here are the milestones of our journey:

  • May 2023: Based on the requirements of a prospect, the executive committee decides to meet all ISO 27001 requirements. It can’t hurt to be prepared
  • October 2023: We realized it was too big a job for an SME with strong ambitions and strict deadlines to do everything on our own. So we subscribed to Drata and Lyvoc’s service to simplify the work
  • November 2023: We have the agreement for a large project with global access. The decision is taken: we need to pass the ISO 27001 certification before the production activation (September 2024)
  • December 2023: Re-definition of the scope, risk assessment performed and Statement of Applicability created
  • December 2023 – February 2024: Close the remaining gaps to be compliant
  • February 2024: Internal audit
  • March 2024: Executive Committee reviews the outcome of the audit and plans the certification audit
  • April 2024: Certification audit passed

Budget to implement ISO 27001

Preparing a certification takes time... and money : ) In addition to the extra software subscriptions needed to align our architecture with the ISO 27001 standard, we also needed to run penetration tests. Finally, building ISO 27001 compliance required a strong manpower mobilization (both internal staff and external consultancy): a total of 1 FTE during the 6 months before certification, and less than 0.5 FTE per year after certification to maintain it. It is significant, so plan this properly in your budget! But it’s worth it for a long-term relationship with our customers.

Conclusion

ISO 27001 is one hell of a ride! But it is worth it at every level. We strongly believe our compliance with this security standard is key to building a trust relationship with our customers. But beyond this aspect, these security standards force companies like us to regularly re-evaluate their risks, face them and manage them. This is an intense exercise, but we see it as personal hygiene: not super fun, but necessary to stay healthy!

Let me conclude this article with a couple of tips based on our experience:

  • Risk assessment is the heart of your security posture. Start with it and take the time to do it properly!
  • Anticipate the certification audit well and get ready with a preparation audit
  • If budget is a concern for you, SOC 2 seems more affordable and ensures a strong security posture as well
  • Fun fact: we had to put many locks on several closets. We did it ourselves with our muscular arms 😉

Tristan Duminil

Head of Agronomy
