NorthGRC Blog | GRC, compliance and cybersecurity

Every time we get certified, NorthGRC improves – and so do you

Written by Adam Villaume | Jun 1, 2026 11:17:32 AM

NorthGRC has just been recertified in ISO 27001. We're proud of that – but the interesting part isn't the certification itself. It's what it means for you as a customer.

 

Key takeaways about ISO certification at NorthGRC:

  • NorthGRC is ISO 27001-certified – not because we have to be, but because we live by the same principles we advise our customers on.
  • Every time we get certified, we find areas where the platform can improve – and those improvements end up with you.
  • Our latest certification demonstrates that we have a handle on implementing new technology responsibly – including AI.

It's tempting to treat a certification as little more than a rubber stamp. But a certification does something more fundamental: it removes assumptions. The process forces you to be specific about every part of your IT environment and internal policies – and to engage with the current threat landscape and the environment you actually operate in, rather than the one you assume you operate in.

 

For us, that means the certification is a process that gives us the opportunity to use our own platform, challenge our assumptions and learn something new. Every time we get certified, you benefit directly – through a better product, sharper advice and a vendor you can trust.

 

"We don't just sell a GRC platform – we run our business on it"

 

At NorthGRC, we help organisations with governance, risk and compliance, so it's only natural that we lead by example – and that's exactly what the certification demonstrates, according to Martin André Jønck, CEO of NorthGRC.

 

– We don't just sell a GRC platform – we run our business on it. The ISO 27001 certification confirms that our internal processes and controls are designed in accordance with the same guidelines we advise our customers on. It also means that our platform is shaped by real-world experience rather than theoretical frameworks.

 

But experience isn't something you acquire once. ISO 27001 is a discipline that requires sustained attention. Companies that treat certification as a one-year project often find that it quickly becomes a document describing a reality that no longer exists. That's why we treat certification as a multi-year commitment – and an annual opportunity to verify that we live up to our own standards.

 

– The ISO 27001 certification is also about verifying that our tool works 100% out of the box. By running the certification on our own platform, we put it to the test every year and confirm that it delivers exactly what's needed to meet the most demanding standards, says Martin André Jønck.

 

Maintaining certification doesn't require a large team. It comes down to how well the work is structured. At NorthGRC, five employees spend half a day each month on ISO 27001 – roughly one hour per person per week – and passing the audit year after year shows that's enough.

 

Learn how the Swedish company DigitalRoute became ISO 27001-certified using NorthGRC here: 
"If I was to help another company become ISO 27001 certified, I would definitely use NorthGRC"

 

The certification validates our work

 

A GRC platform is, at its core, a kind of trust machine: when we implement and document controls, manage threats and mitigate risks, we build internal confidence in our security – and, through that, the documentation to earn trust from the outside. A company can comply with ISO 27001 without being certified, but as a vendor, we find it both interesting and worthwhile to take it one step further.

 

– When we get certified year after year by an independent expert, we add an extra layer of trust on top. By reviewing and confirming our work, the external auditor provides assurance that we don't just say what we do – we do what we say, explains Martin André Jønck.

 

NorthGRC has been certified from the very beginning and was among the first on the Danish market to achieve certification. That means the NorthGRC platform has been shaped by the practical needs that arise during a certification process, and you, as a customer, can be confident that the platform has been tested and validated in practice – not just in a controlled test environment.

 

Certification makes the platform better – every time

 

Testing can only take you so far. That applies to our GRC platform too. When you develop software, it's tempting to focus on the intended path from A to B, what's known as the 'happy path'. But customers don't always follow that path, and only real-world use reveals where the experience actually breaks down. Chief Product Owner at NorthGRC, Jakob Holm Hansen, explains:

 

– We need to be forced into situations where the process and the platform don't quite align. Using it for real tasks, not just tests, is where we learn the most – and that's exactly why the ISO 27001 certification is such a valuable exercise for us.

 

We gather a great deal of practical experience when our consultants implement at customer sites, and, combined with our own experience using the platform, things come to light that no controlled demo ever reveals. We find ways to make the user experience smarter, flows simpler, and features better.

 

New to ISO 27001? Learn the basics here: The ISO 27001 standard - how an ISMS works

 

"We get some really specific insights from the process"

 

The auditor contributes too, bringing an outside perspective and a fresh pair of eyes. A good auditor highlights connections and ways of structuring processes that are simpler and more logical. That feedback directly informs product development.

 

– In that way, there's a feedback loop into product development, especially around usability, where we get some really specific insights from the process. We find smarter ways to build the UI – and new, clever features, says Jakob Holm Hansen.

 

For you as a user, that means every certification round leaves the platform a little better than before. And the experience we build by using the platform ourselves strengthens our ability to help you get more out of it.

 

We've done our homework, so you can feel confident about new technology

 

Many organisations are uncertain about what it means for their data and compliance when a vendor introduces new technology such as AI. That's a completely legitimate and important question.

Our experience is that when you do your groundwork, a great deal becomes possible, as our most recent recertification confirmed.

 

We are in the process of implementing AI support on our platform and have therefore conducted a detailed risk assessment, documented our processes, and ensured staff training – groundwork the auditor specifically highlighted. Lone Forland, Product Expert at NorthGRC, explains what that means for you:

 

– It means that when customers eventually gain access to AI in our platform, they can feel confident about it. With the ISO 27001 certification, we've shown that we've done the groundwork and have a firm grasp of the risks, processes and human oversight involved.

 

Read more: A Clear Path Through Healthcare Compliance - How Aidn Uses NorthGRC to Manage Risk at Scale

 

By approaching things systematically, implementing new technology doesn't feel so overwhelming, because potential obstacles along the way become visible and manageable.

 

"ISO 27001 is not something you ever finish"

 

The same applies to the certification work as a whole: everything is broken down into manageable tasks. That reduces pressure and supports continuous improvement, which ISO 27001 itself requires and which is therefore built into the routine rather than added on top.

 

– Working with ISO 27001 is not something you ever finish. That's why the entire platform is built around a continuous process, and every time the auditor could see that we had been making ongoing improvements, his face lit up. That acknowledgement confirms that our focus is in the right place, says Lone Forland.

 

The annual wheel – the recurring calendar of compliance tasks – was the very first thing we developed in the platform, because we knew that compliance work only works if it becomes a habit. When the auditor praises the continuous process, it confirms that the platform's very foundation is built correctly.

 

Get more from your GRC vendor

 

When you invest in a GRC platform, you're buying more than features and frameworks. You're buying into a vendor's approach to GRC processes – their discipline, experience, and ongoing development.

 

That's precisely why the certification matters to you. It documents that you have a vendor who practises what they preach – and can prove it. The platform you invest in gets better every time we work with it on real tasks. And when new technology like AI makes its way into your day-to-day work, we've already thought it through, so you don't have to start from scratch.

 

And you don't have to take our word for it. That's exactly what an independent auditor confirms every time we get recertified.

 

Want to learn how NorthGRC can help your organisation build compliance into everyday work?
Book a demo or have a no-obligation conversation with us here.