This blog post was written by Deany Jaghdour, Retrospect Labs' Customer Success and Information Security Manager
At Retrospect Labs, we believe that information security is not just a requirement but a commitment to our customers and ourselves. Achieving the ISO 27001:2022 certification was a significant milestone for us, and it reflects our dedication to maintaining the highest standards of information security.
Here’s a glimpse into our Information Security Management System (ISMS) implementation experience, shared from my perspective as Retrospect Labs' Information Security Manager (Deany), along with insights from our CEO (Jason), and Lead Cloud Security Architect (Emanuel).
The starting point
A few months prior to me joining the team, Retrospect Labs had external auditors conduct a thorough gap analysis to identify what we needed to do to gain ISO 27001 certification. The audit involved mapping out our existing processes and pinpointing areas for improvement. Emanuel played a crucial role in this phase, being the primary interview target of the auditors as our technology lead.
"Once the requirements were clear, it was about what I expected. There was a lot more depth to the certification than I initially expected, which was a pleasant surprise even though it meant more work for me."
Emanuel Paduraru, Lead Cloud Security Architect, Retrospect Labs
The feedback was promising: Retrospect Labs already had strong technical controls and processes in place. The major body of work required was primarily in documenting the processes and policies for information security.
The gaps that surfaced weren’t failings; they were fuel for improvement. And having a clear framework made it easier to align everyone on the path forward.
It’s a marathon, not a sprint
Let’s be real, of course it wasn’t easy. We faced several challenges, from aligning our processes with the ISO standards to managing the documentation requirements. However, our commitment to the goal kept us motivated. Jason observed that to implement ISO properly, you need to dedicate a lot of focus and attention. This isn't something you can do alongside your existing workload. This sentiment was shared by the entire team as we navigated the complexities of the certification process.
It was going to be a marathon, not a sprint.
For me, the sheer size of the job was daunting. Documenting all the processes, figuring out the best way to communicate policy, and operationalising the risk framework and access controls were significant challenges.
Security as culture, not just compliance
I spent a lot of time trying to figure out ways to bring the team along on our path to certification. A positive security culture is a two-way street. There’s no point documenting processes and policies as a box-tick activity, just for them to gather dust in the cloud, so to speak. I wanted to make sure that every team member felt a sense of ownership and responsibility when it came to information security. After all, every team member will have to apply these policies and processes. So, whatever is written needs to be relevant and make sense to them, and the controls we apply will need to secure, but not hinder, our business processes.
To achieve this, we executed the following:
- We encouraged open communication, welcoming everyone’s feedback on published policies, using surveys to get everyone’s thoughts on information security challenges and risks
- We created a dedicated ISMS Teams channel, where everyone is free to voice their concerns and provide suggestions on the ISMS process and resulting policies and controls
- We communicated changes and updates in other engaging and interactive ways, like through blog posts with use cases, All-hands presentations, and quizzes
This collaborative approach not only improved our security posture but also strengthened our team spirit.
The key ingredient
But of course, implementing culture within an organisation is very much a top-driven effort. One of the biggest things I was grateful for during the process was the support, and not just in principle. I had the autonomy to lead, make decisions, and move forward with the trust of Retrospect Labs' leadership.
Emanuel also shared this sentiment:
"Management's support and commitment to faithfully implementing the necessary uplift to actually meet the requirements in a meaningful way was essential. I'm glad it wasn't purely for compliance reasons and we could leverage this project to make valuable improvements to Retrospect Labs, and as a result, increase the value we provide our customers."
Emanuel Paduraru, Lead Cloud Security Architect, Retrospect Labs
The technical security controls were already in good shape, thanks to Emanuel. And working with him was the real definition of teamwork. The hours spent ruminating and discussing technical controls and security issues with Emanuel were memorable. We both really learnt a lot from each other. Our one-hour catch-up about risk frameworks that turned into a three-hour existential dialogue was definitely a highlight.
It really wasn’t just about security controls. It was about how we think and make decisions as a company. And in the end, that was the point.
Was it worth it?
Absolutely!
When I asked Jason if he thought the entire process was worth it, this was his reply:
"Yes, worth it. Although we are confident about our security practices and controls, having formal and independent recognition validates our own understanding and proves to others the significant investments we've made."
Jason Pang, Co-founder and CEO, Retrospect Labs
Emanuel also felt the same, seeing it as a good opportunity to improve and formalise a lot of what we were already doing, expand upon our existing capability and validate that our approach was consistent with industry expectations.
Reflecting on our experience, I realised how much we have grown as a team. The deep-dive discussions, the iterating on solutions and the shared little wins all contributed to a sense of unity and purpose. It was not just about achieving a certification, but also building a culture of security and trust that will continue to benefit us and our customers for years to come.
Tips for Success
From my experience, if you don't have full support from the very top, it's a lost cause. Aside from that, I recommend the following points:
- Understand your starting point. Having an external party conduct a thorough gap analysis was crucial to starting the whole implementation process. This is a worthwhile investment as it gives your organisation a clear roadmap on what lies ahead.
- Start with your Statement of Applicability and use ISO 27002 (a supplementary standard to ISO 27001) as a reference on how to implement the controls for each clause. Your scope will likely include everything.
- Don’t rush the rollout. Trying to formalise everything at once is a fast track to burnout.
- Make your policies real. If your team can’t use them or explain them, they’re not working.
- Be honest about gaps. You can’t fix what you won’t face. Gaps aren’t failures; they’re opportunities.
- Get everyone engaged. The policy is for everyone, not just the ISM.
- Use ISO as a tool to uplift, not just to comply. This is your chance to get better, not just get certified.
- Communication is key. Especially with your team. Policies need to be understood, not just written.
Another hot tip: attaining certification is not the destination
I'm sorry to break it to you, but attaining ISO 27001 certification won't be the end of the road. The reason ISO 27001 is the “gold” standard for information security is that it is also heavily focused on continuous monitoring and improvement of the security controls across your organisational processes, people, physical facilities, and systems.
Being ISO 27001 certified means that you are committed to investing in and maintaining information security throughout the company and into the future. It is not a set-and-forget endeavour.
Final Thoughts
Implementing ISO 27001 standards wasn’t just an information security project. It was a company culture project. And it is still ongoing.
If you're thinking about getting certified or just want to improve how your organisation handles information security: Start small, go deep, and bring your people with you.