All posts
Security April 22, 2026 7 min read

What ISO 27001 actually changes in your daily work

Six months after certification, the controls people actually feel are not the ones on the cover. Notes from the team that lived it.

J

Jonas Karlsson

Security Lead

When the certificate arrived we framed it, posted it, and braced for the bureaucracy to set in. Six months later the surprise is how little of the standard you feel — and how much the parts you do feel turned out to matter. These are the controls that actually changed our weeks, written by the people who live inside them.

The controls you actually feel

  • Access reviews became a calendar event, not an archaeology project. Quarterly, one hour, every system — and offboarding went from “did anyone revoke…?” to a checklist with a timestamp.
  • Change records turned “who deployed what” into a query instead of a Slack excavation.
  • The vendor register killed shadow SaaS: every new tool answers three questions before the credit card comes out.

None of these are sophisticated. That is the point — the standard mostly forces you to write down the things you believed you were already doing, and the writing-down is where the gaps appear.

The audit did not catch us doing things wrong. It caught us doing things differently every time.

What the cover promises and the floor delivers

The headline controls — encryption policies, incident response plans, business continuity — were already in place, as they are at most competent shops. What changed is they became verifiable: there is now a paper trail proving the backup restore was actually tested in March, not assumed to work since 2024. Clients in regulated industries do not ask whether you have a policy. They ask for the evidence, and now the evidence is one export away.

For teams considering it

Budget the real cost in engineering hours, not consultant fees. The certification is paperwork; the recurring controls are engineering work. If the controls do not run themselves — automated evidence collection, scheduled reviews — the second audit is the one that hurts.

Six months on

Nobody loves the access review hour. But twice now it has caught a contractor account that outlived its contract, and once it caught an API key with admin scope nobody could explain. The standard did not make us secure — it made our security *boring and repeatable*, which is the only kind that survives staff turnover.

J

Jonas Karlsson

Security Lead

Carried Synergi through ISO 27001 with zero theatre. Reads audit logs the way other people read morning news.