
A few days ago, our auditors handed us the result we'd been working toward for the better part of a year: Ketryx is now certified to ISO/IEC 27001:2022.
I should say upfront that the goal of this post isn't to wave a badge around. Fanfare has never been my style. My quality mentors told me that if quality is in the spotlight, it's probably not a good thing, and in most cases they're right. The problem is that the same instinct can leave us too reserved. The people who trust us with their most sensitive work deserve to know whether the platform they depend on is actually held to a standard, even if a quality manager would normally rather not write the announcement.
Plenty of companies have this certification, and the ones that take it seriously will tell you the badge is the easy part. The point of 27001 is the system behind it, and the system is what changes how an organization actually behaves. So I wanted to share a few honest notes from the inside, for our customers and for anyone going through this themselves.
Why we did it
We didn't pursue 27001 because a customer demanded it. We pursued it because our customers operate in regulated industries where trust is the product. Teams hand us their requirements, their code, their risk files: the most sensitive parts of how a regulated product gets built. If we're going to ask them to trust us with that, we owe them a system that's externally verified.
This certification complements our existing UL certifications to IEC 62304, ISO 13485, and ISO 14971, and our SOC 2 Type 2 Report. We already had SOC 2 Type 2 in place, and these two frameworks overlap in many ways. But 27001 and SOC 2 are also meaningfully different. SOC 2 is akin to a binder, while 27001 requires a system: a living Information Security Management System with risk assessments, control owners, review cadences, internal audits, management reviews, and corrective actions that all have to connect to each other. You can fake a binder. You can't fake the system, because the auditor follows the threads.
What I didn't expect
A few things genuinely surprised me.
The first was how much of this is about people, not policies. Writing the policy is the easy day. The hard day is the one where you sit with a team and ask, "Walk me through how you actually handle this." If the answer doesn't match the document, the document is the thing that has to change. I came out of this work with a much sharper instinct for when a control is real and when it's theater.
The second was how interconnected the controls are. They are a thread that runs through onboarding, offboarding, vendor management, change management, incident response, and asset inventory. Touch any one of those and you're pulling on six others. The third was that we ended up doing a lot of dogfooding. The same discipline we ask our customers to apply to their medical device software (connect the work to the evidence, keep traceability current, make documentation an artifact of the work rather than an additional workstream) turned out to be exactly the discipline we needed to apply to our own ISMS. The places where we hadn't truly thought deeply internally were the places that took the longest to clean up for the audit.
What this means for our customers
If you're a Ketryx customer, the short version is this: you've added a layer of independently verified assurance to the platform you're already using. Our security program is now reviewed by an accredited third-party auditor against an internationally recognized standard, on a continuous cycle. You can find the certificate on our Trust Center at trust.ketryx.com, which I feel no shame plugging!
The longer version, and the more honest one, is that the cert is the floor, not the ceiling. We treat it as a baseline that holds us accountable. The work doesn't end at certification. I'm already thinking about the internal audit coming up. There are also surveillance audits, corrective actions, and the regular, boring rhythm of a real ISMS. That's the whole point.
Some irony and advice
It's not lost on me that we spent a year building an evidence trail for an audit while working at a company whose entire product exists to help regulated teams build evidence trails. There's a version of this blog that's mostly a sales pitch. I don't want to write that one, and I'll leave it to someone else for now. I'll just say this: every shortcut our own platform helps customers avoid is one I felt very personally this year.
Now, for the advice. If you're in the middle of your own 27001 journey, stop treating the controls as a list of things to satisfy and start treating them as a description of how a healthy company operates. This goes double for 13485, 62304, and 14971, where the stakes are higher and the pull toward documentation theater is stronger. You'll do less work, and the work you do will mean more.
Lee Chickering

Lee Chickering is Director of Quality at Ketryx and an expert in quality assurance and regulatory compliance, specializing in bridging quality management and customer success to drive operational excellence in the life sciences industry. With a diverse background spanning manufacturing, project management, and compliance at companies like Amgen, he has led the implementation of Quality Management Systems (QMS) aligned with ISO 13485, ISO 14971, and IEC 62304. Passionate about advancing quality in life sciences, he thrives on collaborating with organizations to enhance efficiency, compliance, and innovation.