In 2024, we lost a contract. Not because we weren't good enough – the client's business division wanted us. However, the Compliance Manager thought that we were not professional enough to work with them from a Compliance point of view. As a company whose self-image is to do everything as thoroughly as possible, this hit us hard. Not necessarily because of the lost revenue, but rather because of the realization that working thoroughly alone no longer seems sufficient.
Fewest possible rules vs. Compliance requirements
As a company, we hold the credo of having as few rules as possible (see our values). Every additional rule increases the effort required to enforce and control it. Every further rule exempts employees from thinking and making decisions in the interest of the overall system. What we wish for at a governmental level, we can at least implement in our Renuo microcosm.
That a Compliance Officer sees this differently is inherent to the role: as the volume of data increases, data protection becomes ever more important. A certificate simplifies the work of a Compliance Officer because it represents a shortcut. The converse is not true: being without a certificate does not automatically mean being unlawful or unprofessional. The truism that companies must comply with the law is now simply called Compliance.
In the past, it was enough to work meticulously. Today, you have to prove that you are working meticulously. The responsibility is reversed – we are dealing with a reversal of the burden of proof. It is not the violation of the law that must be proven, but one's own correctness. Anyone who does not present formal proof is quickly considered a risk – even if the actual practice is impeccable. Compliance thus measures less the actual behaviour and more the ability to present it in documented form. This becomes starkly apparent in public tenders in particular: no proof, no seat at the table.
The balancing act of staying true to yourself
In Switzerland, there are various providers of regulatory compliance certificates. The most obvious is ISO 27001 – the gold standard among certifications. What bothers us: access to the assessment criteria is chargeable (see, for example, here), the marketing is aggressive, and the process is heavily commercialized. As a company, we receive advertising emails weekly from ISO partners promising to achieve the certificate miracle in X weeks. External costs for a small SME, according to this source, range between CHF 15,000–50,000, plus ongoing costs of approximately CHF 5,000–15,000 per year. This pricing alone suggests that an entire industry lives off the pressure to certify rather than genuine security.
Furthermore, ISO 27001 is process-oriented, not results-oriented. This clashes with our conviction to have as few rules as possible. A defined process provides no security if it is not lived. Our experience is that ultimately no one is interested in the final setup – not even the auditing Compliance Officer. Cover my ass, and that's that! This attitude feels like "security cosmetics" to us. And yet: sitting in an ivory tower and potentially having to forego further contracts cannot be a solution either. It is time to evaluate alternatives to ISO 27001.
Alternatives to ISO 27001 for SMEs
Our journey began with an assessment of existing certificates. And there are quite a few ISO 27001 alternatives:
- Target group: IT-focused SMEs. Profile: Swiss label with a strong focus on practical applicability. Assessment: Resembles an ISO 27001-light approach for SMEs. Comparable to Cyber-Safe, with an unclear distinction between the two. Non-commercial.
- Target group: IT-focused SMEs. Profile: Swiss security label with a strong awareness focus. Assessment: Also an ISO 27001-light approach with a Swiss context. Low entry barrier, easy to understand, but conceptually very close to CyberSeal.
- Target group: SMEs at an early stage. Profile: Self-assessment tool, no formal certification. Assessment: Primarily serves an awareness and orientation purpose. No formal proof, no certification, no comparability.
- Digital Trust Label (by Swiss Digital Initiative). Target group: Digital products, platforms, and apps. Profile: Trust and transparency label. Assessment: Strongly product- and platform-oriented. Structurally not well suited for agencies or IT service providers.
- Target group: Companies with a strong focus on data protection. Profile: Data protection and compliance seal. Assessment: Very narrow focus on personal data. Appears commercially driven. The Migros withdrawal in 2022 weakens its signalling effect.
- Target group: Cloud and SaaS providers, IT service providers with US customers. Profile: Audit and reporting standard. Assessment: High effort, strongly commercial, clearly designed for scalable services. Usually overkill for agencies.
- Target group: SMEs in the DACH region. Profile: Modular information security management system. Assessment: Strong focus on Germany, with very limited Swiss references or institutional anchoring.
Swiss Pragmatism in Certificate Form
From the entire list, CyberSeal and Cyber-Safe convinced us the most. Both are Swiss, non-profit labels aimed at Swiss SMEs, and both work in a results-oriented way. With both programmes, we were able to set up a video call within a week to clarify open questions. Because both programmes disclose their audit criteria (again: why would you not?!), these discussions were very efficient, as we could prepare accordingly.
Our decision ultimately fell on CyberSeal, as its focus is specifically directed at IT SMEs. The decisive factor for us was that CyberSeal not only queries processes but evaluates the lived reality – something that is significantly closer to our way of working. Why the National Cyber Security Centre NCSC supports two labels simultaneously (instead of merging them) remains unclear to me to this day.
CyberSeal Audit Review
Before the audit, we had two clarifying discussions to eliminate ambiguities. Often, these concerned requirements that we had to fulfil but which did not apply to us. For instance, apart from the office network, we do not operate any infrastructure of our own (our setup is zero-trust), meaning certain audit points are simply not applicable. Responsibility-related questions also arose: are we the ones who process sensitive data, is it our customers themselves, or the hosting providers? Other ambiguities concerned criteria whose fulfilment was unclear to us: How do we inform customers about the extent of our permissions when we operate everything and thus hold all rights? How do we ensure that immediate action can be taken in the event of major, known vulnerabilities?
All open questions were handled with great expertise and consideration for our specific situation as a software agency: no blind enforcement of criteria by theorists who have little or no knowledge, but rather a fair evaluation combined with professional, practice-oriented discussion. What we take away positively is that the person responsible for leading the audit was also the person who clarified our preparatory questions. This resulted in significant efficiency gains.
The most essential points that required improvement were:
- Due to historical circumstances, numerous client relationships – often dating back to 2013, 2014 – were undocumented. We have since been able to document these retroactively. This may have been purely documentation effort, but it also certainly provided helpful clarification regarding responsibilities and the division of tasks.
- We introduced an Acceptable Use Policy: In two pages, we explicitly describe what we were already living implicitly (tacit knowledge). This includes topics such as the use of a password manager, password requirements, the use of a privacy screen when working on the go, avoiding unsecured WLANs, the use of 2FA, and rules regarding hardware and software. Valuable discussions arose, particularly concerning details like the protection requirements for mobile devices that hold company emails. Turning tacit knowledge into explicit knowledge is good in any case!
- Access methods to company-wide systems (e.g., data storage, emails) from mobile devices were additionally secured.
- Our internal WLAN now has a whitelist of approved work devices. This increases the protection of the network against unapproved devices connecting to it.
4.5 months elapsed between initial contact and the effective audit. A third-party agency to prepare us for the audit was not necessary. The entire auditing process, including internal research, audit preparation, and the audit itself, cost us 100 working hours (2.5 working weeks) and CHF 4,900 in external audit costs from the Allianz Digitale Sicherheit Schweiz. Compared to what we received in return – a more robust setup, clear responsibilities, and a shortcut for professional buyers – it is definitely worth it.
Conclusion
We are delighted to have successfully passed the CyberSeal audit. We are now officially good, too 😉. And much more importantly: we didn't have to compromise our values and can continue to stay true to ourselves! Whether we will ever need an ISO 27001 remains to be seen. Given the current political situation, it cannot be ruled out, though it is probably undesirable.