
Implementation of the highest cyber security standards (ISO 27001)

Introduction

In an era of increasing data protection requirements, obtaining information security certification is one of the key steps for companies that want to build customer trust and demonstrate compliance with global standards. ISO/IEC 27001:2022 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

Successfully passing an audit and gaining certification not only confirms high standards of information protection, but also helps minimize and manage risks while meeting the expectations of large, corporate clients. In this case study, we describe how Toggl, a Software-as-a-Service application provider, carried out a successful implementation and achieved certification through cooperation with dotlaw.

“Thanks to Dotlaw, we were able to not only successfully pass the audit, but more importantly, approach it with the confidence that every detail was taken care of during the implementation.”

Alari Aho, CEO, Toggl OÜ

Key results

  1. Full compliance with ISO/IEC 27001:2022 and a solid foundation for the next attestation, a SOC 2 Type 2 report.
  2. Streamlined work for the SecOps and Legal & Compliance teams, leading to more efficient security management and fewer manual activities.
  3. Reduced operational risk associated with information security management.
  4. Increased customer confidence, translating into higher retention, more contracts closed and faster negotiations.
  5. A significant increase in information security awareness within the team.

Customer Profile

Toggl is an Estonian company offering tools in a SaaS model, the best known of which is Toggl Track, a popular time tracking application. Toggl’s team operates 100% remotely, is spread across different countries, and serves thousands of customers worldwide.

In the SaaS industry, where data security and compliance with global regulations are of paramount importance, achieving ISO 27001 certification was a strategic step. It enables further growth and helps win customers in the enterprise sector, in regulated industries, and among companies with exacting standards for verifying a vendor's information security and data protection practices.

Challenges

Prior to the implementation, Toggl faced several key challenges:

  • Risk and vendor management processes that were not sufficiently formalized, which hindered effective control over data security.
  • No physical IT infrastructure and a team dispersed around the world, which required adapting security strategies to the specifics of a fully remote organization.
  • Growing demands from corporate customers expecting auditable proof of compliance with global security standards.
  • Cultivating a culture of security and data protection in an international team, which required intensive training and simple, unambiguous procedures.
  • Team fears of excessive bureaucracy, since ISO 27001 is associated with extensive documentation that could disrupt operational flexibility.

Solution

Working with dotlaw, Toggl was able to:

  • Conduct a preliminary audit, identifying key gaps and areas for improvement.
  • Create an information security policy and its accompanying documents, and implement them in the information-sharing tools already in use (such as Notion), so that all materials are easily accessible both to auditors and to the teams that use them on a daily basis.
  • Gain greater clarity on security policies so that employees thoroughly understand their responsibilities, and train teams on their roles, which has translated into increased awareness.
  • Create a centralized vendor management system for faster and more efficient verification of business partners.
  • Adapt security processes to a 100% remote organization model, which allowed for effective information security management without the additional cost of physical infrastructure.

Implementation process

Stage 1

Preliminary audit, product analysis and gap identification.

Stage 2

Define the organizational context, identify assets, identify and assess vulnerabilities, and identify and assess risks.

Stage 3

Develop and implement ISO 27001 compliant policies and procedures in collaboration with client teams.

Stage 4

Training and system testing.

Stage 5

Audit support and obtaining certification.

Added value

  1. New sales opportunities – the certification has opened the door for Toggl to work with larger corporate clients, and has clearly accelerated negotiation, customer acquisition and the verification of Toggl as a reliable supplier.
  2. Integration of ISO 27001 with existing processes – which has helped eliminate redundant procedures and streamline operations.
  3. Raised awareness of information security – resulting not just in dry procedures, but in the actual involvement of all staff.
  4. A faster path to further certifications and attestations – such as SOC 2 Type 2 or ISO 27701 – thanks to a solid foundation.

Customer recommendation

“The experts at dotlaw helped us not only to achieve ISO 27001 certification, but more importantly to go through the entire process in a structured manner tailored to our company. From the first internal audit, to the implementation planning and analysis of our processes, to the training and certification audit, they were with us every step of the way, answering our questions and helping us solve the challenges that arose. It was with their support that we were able to integrate ISO 27001 into our existing processes and successfully prepare for certification. Their commitment, knowledge and professionalism made us feel confident throughout the process.”

Alari Aho, CEO, Toggl OÜ

About dotlaw

Dotlaw’s team of experts consists of experienced lawyers specializing in data protection, compliance and information security management. We have extensive knowledge of ISO 27001, ISO 22301, ISO 42001, SOC 2 and similar regulatory audits for technology companies. With our international experience, we effectively support both dynamic startups and large organizations, helping them build solid foundations and counteract legal and regulatory debt.

Contact us to find out how we can help you achieve compliance with international standards and regulations.