Thursday February 13 2025

For about two years now, we've been working within the ISO 27001 framework: the standard for an information security management system (ISMS) that systematically manages the confidentiality, integrity, and availability of your information assets. With dozens of customer environments, some labeled with post-its saying "In case of a data breach, call the Data Protection Authority!", we figured it was a necessity rather than a luxury.

Adjusting to such a framework/straitjacket/bureaucratic dream took some time for a team of around 25 highly intelligent, but also quite stubborn and independent-minded, individuals! Moving from simply fixing issues to documenting them, following set procedures, ticking boxes, verifying, and adjusting took some getting used to. And incidents? Those are events where you call the police, right?

So, we had to adapt and find what worked best for us: no rituals for the sake of rituals. Our first audit was a bit bumpy: we had focused too much on the substance of information security and not enough on the management process and system around it (the meta level that an auditor actually checks).

Two years and a re-audit (passed with flying colors!) later, we see some great shifts. Incidents are now eagerly identified and analyzed: How can we ensure this never happens again? Our answer, more often than not: automate, automate, automate. And that pays off in many ways: fewer errors, less time spent on routine work, and better scalability.

Of course, it's always about making choices and balancing what to tackle, when, and how deep (so many ideas, so little time...). The risk-based approach provides guidance. Despite our growing enthusiasm for incident reporting, we now see a steady quarter-over-quarter decline in the number of incidents (with zero major incidents), all while the number of people, customers, and infrastructure keeps growing. That tells us we're doing something right.

In summary: ISO 27001 can be a useful framework for gaining, and demonstrably maintaining, control. We've deliberately, and with considerable sweat, tailored it to our own situation, and it's paying off in a structured and sustainable way.

Time to sit back and relax then... or wait, do I hear SOC 2 Type II certification calling?