Hope you are keeping well. I have a question about how we approach ISO 27001 and 22301 in relation to our (potential) customers. As you may recall, we are a start-up company with no contractual arrangements with our current clients. Currently we have a number of customers using our AI product in Proof of Concept projects. The aim is, once they are happy with the PoC, to move on to one or more large projects where we will formalize the relationship by selling our products and services to the customers.
Now to ISO ... As we have no contracts with customers currently, the plan for both ISO 27001 and 22301 is to cover just our company's security standards and business continuity needs, so that we obtain certification for ourselves. As and when we sign a customer, we will then modify all relevant ISO processes to include the customer's security and service availability requirements, and so on.
Is this the correct approach? Or do we need a customer? And if so, why?
Implementing ISO 27001 and ISO 22301 considering only internal needs is acceptable for certification purposes. In this case, the “customers” can be some of the organization’s own internal departments (e.g., Projects department as a customer of IT department, Accounting department as a customer of the Sales department, etc.).
Later, when and if you identify the need, you can expand the certification scope to cover your customers' security and service availability requirements.
These articles will provide you with a further explanation about the scope definition and interested parties: