The Resilient Entrepreneur, Edition #120
Hi there

I hope you had a great week!

Here are the topics in today's edition:

  • ISO 27001 Certification: Check. Maintenance: Good Luck
  • The World Is Changing Faster Than Your Business Plan

Please reach out with comments, questions, or suggestions for articles!

Talk soon,
Tom


TACTICS FOR RESILIENT ENTREPRENEURS

ISO 27001 Certification: Check. Maintenance: Good Luck

The audit is one day. The maintenance is 365. Here’s what startups get wrong after their ISO 27001 certification, and how to fix it.

When we founded Yonder, a B2B SaaS company, we focused on winning enterprise contracts from early on. We succeeded for the first time in 2020, winning a few deals with some larger airlines in Europe.

Our customers requested proof of ISO 27001 certification within six months. We had no QMS. No ISMS. No process documentation to speak of. What we had was a product, a team of twelve, and a very full roadmap.

What options did we have? We could either spend 10–20k EUR on certification consultants, or handle the certification ourselves without external help.

That’s what we did. We got our company ISO 9001 certified in 2020, ISO 27001 certified in 2021, and migrated to ISO 27001:2022 during our 2024 recertification audit — without the help of any consultants.

I have written about the certification journey before. But the aspect almost nobody writes about is what happens after the auditor leaves. Let’s look at some challenges every startup and SME faces when they need to maintain their ISO 9001/27001 certification.

Challenge 1: Audit is one day per year, maintenance is all year round

Your auditor visits once a year for a maintenance audit. The auditor doesn’t just check whether your QMS and ISMS documentation exists, but whether it is alive: Has it changed since the last visit? Do your employees know what is in it? Can you prove that the processes documented match the processes actually followed?

Three years after the certification audit, the recertification audit comes due. If you have spent three years keeping your documentation just barely alive, your auditor will notice. But what does “keeping the QMS and ISMS alive” mean in practice? It means four things:

Update your documentation whenever things change. No matter if your team switches expense tools, your cloud provider changes their logging tool, or your remote working policy needs an update for a new customer in a new country, all of those changes need to be reflected in your QMS and ISMS — reviewed by the process owner, approved, and communicated to the relevant people.

Track and close non-conformities. Every audit produces findings. They need to be tracked, assigned to someone, and closed before the next audit. An open finding from two years ago makes you look like a beginner in a recertification audit.

Run internal audits. ISO 27001 requires you to run internal audits. You don’t run them to please your auditor in a recertification audit, but to see for yourself what works well within your team, and where you need to sharpen the processes and their communication.

Keep your risk and asset inventories up to date. Your risk landscape changes. You add new software components. Contracts expire. New employees join, and old ones leave. If you haven’t reviewed your risk and asset inventories for 18 months, they are worthless.

Challenge 2: Avoiding “Ghost Policies”

You have a beautifully written access control policy. It explains who can grant access to which systems, under what conditions, and how access is reviewed and revoked. You wrote it before the certification audit. The auditor approved it.

In the first maintenance audit, the auditor walks up to a developer on your team and asks: “Where can I find your access control policy, and what does it say?”

The developer has never read it. He might not even know it exists.

This is what I call a ghost policy: A document that satisfies the auditor on paper but has no connection to how people actually work. Ghost policies are not a sign of bad intentions. They are the natural result of building documentation for the audit rather than for the team.

The fix is less complicated than it sounds. The documentation has to reach the people it applies to, at the time it is updated, with proper change notifications.

Challenge 3: Startup teams have other priorities

In a twelve-person startup, the developer who needs to read your access control policy update is also fixing a production bug, preparing a demo for a prospect, and reviewing a merge request for another team member. The email about a changed internal policy gets buried under the daily grind.

The companies that maintain their ISO certifications well have two things in common. First, they made someone responsible: a Quality Manager, a CISO, or a founder who dedicates a few hours each month to keeping the documentation current and the open findings list short. Second, they use tools that surface compliance tasks in a way the team can act on quickly, so that the Quality Manager or the CISO knows immediately who still has open compliance tasks.

Neither of those things requires a large compliance team or an expensive GRC platform. They require a deliberate decision about ownership and tooling, made once, before the certification audit.

Conclusion

I think it’s fair to say that no consultant and no auditor will honestly tell you about those post-certification challenges. You can avoid them by following a pragmatic, step-by-step process:

Get ISO 9001 certified before ISO 27001. This sounds counterintuitive if your customer is asking for ISO 27001. But the discipline of building a well-structured QMS — clear processes, controlled documentation, a working change request workflow — makes the ISMS significantly easier to build and maintain. The tooling, the habits, and the ownership model carry over.

Build the risk and asset inventories in JIRA from day one. Static spreadsheets become outdated the moment you close the file. Dynamic JIRA-based inventories let you assign ownership, set due dates, and track status without any additional tools. The auditor can see live progress rather than a snapshot.

Documentation should serve the team, not the auditor. If your team reads the process documentation only when the auditor visits, it is not serving its purpose. Good documentation is short, linked, searchable, and updated when things change. The auditor is a useful deadline, not the primary audience.

Interested in following my ISO 9001/27001 certification approach in your organization? I have written up the full approach and my 5+ years of experience in maintaining an ISO 9001/27001 certification in an eBook available on Gumroad — now in its 3rd edition!


STRATEGIES FOR RESILIENT ENTREPRENEURS

The World Is Changing Faster Than Your Business Plan

Geopolitics disrupts travel. Energy disrupts costs. AI disrupts jobs. Here’s how entrepreneurs turn all three into opportunity.

The world is changing, and it’s changing faster than ever. Geopolitics, energy, jobs: Everything is on the line.

Is this threatening? Yes and no. It’s threatening to people unwilling or unable to adapt. But it’s a huge opportunity for optimists and entrepreneurs — provided you are ready to question everything, let go of old habits, and build new business models.

Let’s get down to the details.

What Is Changing?

Geopolitics

10 years ago, I helped grow Xovis, a startup, out of Switzerland. We sold people counting solutions for airports and retail, consisting of stereo vision sensors that had to be installed in the ceiling and a software solution for analytics. For every proposal, we had to go on-site to plan the location of those sensors. In those days, the A380 was my main means of transportation, shuttling me between Zurich, Dubai, Singapore, and Sydney regularly.

Gone are the days when you could just board a flight to any country at short notice and be sure not to land at an airport that is threatened by Iranian missile attacks. Gone are the days when airlines could fly through any country’s airspace.

Energy

In the good old days, we debated migrating from fossil to renewable fuels to avoid even more CO2 emissions and to curb climate change.

Then came COVID-19 and the war in Ukraine, and climate change disappeared from news feeds. Nevertheless, climate change is still threatening our lives and our economies.

Then came the war against Hamas, and the Ukraine war disappeared from European news feeds.

And then came the war of Israel and the United States against Iran, and suddenly, energy was back in the news. With 20% of global oil and liquefied natural gas being trapped behind the Strait of Hormuz, oil prices rose sharply.

Oil and liquefied natural gas are one thing, but have you thought about all the ripple effects? Oil is the central resource for making plastics. Imagine what would happen to modern life if suddenly we experienced a resource crunch in plastics.

Jobs

Everybody talks about AI. Opinions range from “it will destroy all office jobs” to “it’s the biggest tech bubble we have ever seen.”

No matter what job you have, and no matter whether you’re optimistic or pessimistic about AI, this technology will change our lives for good. It’s less about resisting AI and more about adapting to AI.

But AI is not the only thing that threatens your job. In dire economic times, many companies try to reduce costs, which often means job cuts. So maybe you need to rethink the concepts of a “safe job” or “employment for life.”

What Can You Do?

Scenario Planning

Irrespective of whether you’re an entrepreneur or a private person, the best thing to do in an uncertain world is scenario planning. Gone are the days of stable budgets, bright outlooks, and core assumptions that are valid for many years into the future.

For both entrepreneurs and private persons, scenario planning comes down to one thing: Money.

Will I still have a job by the end of this year? What do we do if half our aviation customers go bankrupt due to soaring fuel prices? What happens to our liquidity if energy prices or server costs double every 5 months? What if mortgage rates increase, or your bank decides not to renew your mortgage when it becomes due?

You need a good tool for scenario planning, not a static budget. If you’re interested in such a tool, I built a playbook with an Excel template to do just that. It’s inspired by my entrepreneurial finance tool, but adapted for private persons.

Adapt

People don’t like change. Not even those who claim to be innovative and open to new challenges. Now add organizational resistance to change to individual resistance to change, and things will move slower and slower whilst technological progress gets faster and faster.

This phenomenon is called Martec’s Law, and AI decisively fuels the gap between technological and organizational change. The disruption in energy markets has the same potential to change technology for good.

Now it’s your turn to decide if you want to adapt or resist — survival is optional.

Conclusion

It’s easy to get frustrated by all the bad news and the changes for the worse in today’s world. But every piece of bad news and every change also presents an opportunity.

Now it’s up to you if you want to complain or grab the bull by its horns.


About Me

I’m a tech entrepreneur, active reserve officer, and father of three — writing about entrepreneurship, leadership, and crisis management from hard-won experience. No AI, no fluff, no promos. Just plain-text insights for people building and leading under pressure.

When I’m not solving problems, I find clarity in the mountains around Zermatt.

If this was useful, here’s how to get more:

📌 All my articles, no paywall — read everything in one place. Visit the blog.

📌 Buy me a coffee—it keeps the writing going. Thank you.
