Soneta: ISO/IEC 27001 - from certification to business value

Information Security Management System at a software manufacturer

Soneta, manufacturer of the enova365 system, has implemented an Information Security Management System (ISMS) in cooperation with All for One Poland. Today, after completing the audit and obtaining the ISO/IEC 27001 certificate, the prevailing belief in the company is that information security at a business software manufacturer is not just a matter of compliance with the standard - it is the foundation of customer trust. We talk about the experience of the project, cooperation with All for One and practical lessons learned with Konrad Spryniec, who served as the manager of this project and is currently the ISO 27001 ISMS (SZBI) officer at Soneta.


Why the decision to implement ISO/IEC 27001?

The decision to implement ISO/IEC 27001 at Soneta had been maturing for a long time and was the result of several parallel factors. On the one hand, there is a clear market trend – security, and particularly information security, has become one of the key areas of business operations in recent years. Increasing regulatory requirements, such as the GDPR (RODO) and the National Cyber Security System Act, have significantly raised organizations’ awareness of data responsibility. Today, no one treats security as an add-on anymore – it is the foundation of a technology company’s operations.

In our case, the decision was both strategic and very pragmatic. First, as one of the leading ERP system manufacturers in Poland, we came to the conclusion that we needed to further structure and enhance the security of our internal processes. ISO 27001 proved to be an ideal starting point for this – it provides a clear structure, precise requirements and measurable criteria.

Secondly, we have seen very clearly that the expectations of customers – especially medium and large ones – are moving in the direction of formal confirmation that the software provider not only creates a secure product, but also functions in a secure manner itself. For an ERP vendor, this is a natural responsibility: we handle the sensitive business processes of thousands of companies, so protecting information must be written into our DNA.

Market pressure was also not insignificant. Increasingly, the requirement to have a certified information security management system appeared in tenders. Thus, obtaining the certificate became for us not only a confirmation of high standards, but also a real business factor – it opens the door for us to projects in which supplier security is one of the key selection criteria.

What did you find most surprising during the project?

Hardly a “surprise” – rather a challenge that turned out to be much more multidimensional than we had initially anticipated. One of the key lessons was that ISO/IEC 27001 certification alone is not an end in itself. From the beginning, the most important thing for us was to create a unified, consistent and fully documented information security management system that realistically organizes the organization’s work. The certification is a natural consequence of a well-executed process – but not the core of it.

The scale of security-related processes proved to be a major challenge. Some of them had previously functioned as informal knowledge – people knew “how it was done in our company,” but there was a lack of uniform documentation. ISO requires this area to be structured, so we had to turn unwritten practices into formal procedures, instructions and policies. This is when you can best see the importance of documentation as a tool for building a common standard of work.

Another element is risk analysis. Although in theory we all know what it consists of, it is only going through it systematically that makes one realize how many dependencies and potential risks are involved in everyday processes – not only those of IT. Understanding that security is not an incident, but continuous monitoring of risks and their control, was an important step in the maturity of our system.

The organizational dimension was also very important. There is often a perception that ISO 27001 is an “IT project” – implementing several systems and configurations that will solve the problem. This is a myth. It turned out that the success of the project requires the involvement of employees from very different areas: HR, accounting, marketing, administration, sales. Each department interacts with information, so each must be part of the security system.

That’s why we placed great importance on convincing employees why we are implementing an ISMS in the first place. It is natural that information about new responsibilities, documents, procedures can be received with detachment – this is a normal reaction to change. So from the beginning, we tried to build a hands-on approach: video training, Q&A sessions, showing concrete examples of how ISO helps work, not hinders it. We tried to make ISO “human” and close to real needs.

As a result, the biggest “surprise” was not the complexity of the standard’s requirements – we were aware of them. Rather, it was the fact that the implementation of ISO 27001 has such a strong impact on the organizational culture, on the way we think about security and on the daily habits of employees. And it is this aspect – building a conscious, responsible organization – that we consider one of the most important values of the entire project.

The certification supports us in business development. It opens the door to new groups of customers - especially larger organizations and institutions that rely on security verification of their suppliers.

Konrad Spryńca, team leader for market-facing activities, ISO 27001 ISMS (SZBI) officer at Soneta

Has the implementation of an Information Security Management System affected the company's daily processes, and how?

The implementation of ISO 27001 was primarily an opportunity for us to organize and structure processes that were already working in the organization – often quite well, but not always in a fully formal and consistent way. It wasn’t that nothing worked before the implementation. We had a solid foundation, many areas were described, and some of the practices were the result of years of experience by the teams. ISO allowed us to bring this together, give structure and introduce uniform standards.

Importantly, the implementation of the system was not a revolution involving a 180-degree change in the way we work. On the contrary, our goal was to adapt existing good practices to the requirements of the standard in such a way as not to disrupt daily work, but to improve it. Of course, there were processes that we had to build from scratch, and there the scope of work was greater. Ultimately, however, we managed to create a coherent system that realistically supports the organization.

One of the key areas that has benefited from implementation is formalization and clear assignment of responsibilities. ISO 27001 requires precise definition of roles, responsibilities and decision points. This has greatly improved the transparency of operations, predictability of processes and communication between departments.

We have also placed much more emphasis on security incident management. We have created a dedicated system for reporting any irregularities, which allows us to respond faster, more efficiently and more predictably. This gives us a more complete picture of what’s happening in the organization, allowing us to track trends, analyze causes and eliminate problems at the source.

Another major effect is better access control and increased security awareness among employees. The system has forced the sorting out of many areas related to authorizations, cyclical reviews and assessing the legitimacy of accesses. This translates into greater security, but also less organizational chaos.

ISO has also had a positive impact on communication between departments. The implementation of the system has shown that information security is not an “IT-only” topic. It’s an area that affects HR, accounting, marketing, sales, service – all processes where information is processed. Thanks to the joint project and cyclical meetings, the teams began to talk to each other about security in a more practical way, and cooperation clearly improved.

Bottom line: the implementation of ISO 27001 has given us greater predictability of operations, better control over processes, formal incident management, a clear division of responsibilities and a more informed organization. It’s an investment that has cleaned up our processes and increased security in real terms, rather than just meeting the requirements of the standard.

What is the importance of ISO 27001 certification for your customers?

From the perspective of our customers, ISO 27001 certification is of great importance, because ERP systems – such as enova365 – are among the most critical information resources in companies. These are tools that process financial, HR, accounting, operational data – often sensitive data, the loss or breach of which can have very serious business, legal and image consequences. That’s why customers rightly expect a software vendor to make security an absolute priority.

Year after year, we see that both current and potential customers are increasingly aware of the risks, particularly those related to cyber attacks. Questions about security have become a regular part of sales conversations, vendor audits or risk assessments in organizations. An ERP vendor must be able to demonstrate that it not only creates a secure product, but also internally operates according to best practices. That’s why enova365 has been subjected to regular security testing for many years – both externally and internally. We proactively monitor vulnerabilities, respond to threats and continuously improve the level of protection.

The implementation and certification of an information security management system makes us even more credible. ISO 27001 certification sends a clear signal to customers that Soneta treats security strategically, process-wise and in a manner consistent with an internationally recognized standard. It’s not a declaration – it’s a confirmation that we meet very specific requirements, regularly verified by independent auditors.

What’s especially important, we see that the certification supports us in business development. It opens the door to new groups of customers – especially larger organizations and institutions that place a strong emphasis on security verification of their suppliers. We see an increase in confidence both in the enova365 system itself and in Soneta as a technology partner.

ISO 27001 is not a symbol for our customers – it is practical proof that we take security seriously. In the ERP industry, it’s a key competitive advantage and a foundation for long-term trust.

Has employee awareness of information security changed?

Definitely yes – the awareness of employees in the area of information security has clearly increased, although, as I mentioned earlier, it was not an easy process. The natural reaction to change is resistance, especially when new responsibilities, procedures or the need to familiarize oneself with documentation are involved. That’s why we were keen from the beginning to translate the formal ISO requirements into language that was understandable and practical.

It was important for us to show employees why we actually do all this. Instead of talking about paragraphs and provisions of the standard, we showed concrete examples from their daily work:

– what follows from the rules for safe use of a company phone,
– why installing applications on a company laptop on your own can be risky,
– how simple user actions affect the entire organization.

This approach has worked brilliantly. Training, internal communication, question-and-answer sessions – but most importantly, a clear explanation of why we are implementing an ISMS – were key to building individual accountability.

The role of organizational culture is also worth emphasizing. We have placed a strong emphasis on building a culture of reporting incidents and irregularities. Employees today know that reporting a potential problem is not a denunciation, but part of taking care of the security of the entire company. This is what our dedicated incident reporting system serves, among other things.

Top management also played a huge role. In many companies, it happens that management “tells you to implement ISO,” but itself acts outside the rules – then employees immediately lose motivation, because they see that the requirements only apply “at the bottom.” At Soneta it was different. Management was actively involved in the entire process of implementing the ISMS, and the example set from the top definitely made it easier for employees to adopt the new rules and understand the sense of the whole system.

Bottom line: employee awareness has increased not through documents or formalisms, but through a hands-on approach, consistent communication and real commitment from the entire organization – from operational teams to top management.

ISO/IEC 27001 - commitment to customers

One of the pillars of Soneta’s strategy is information security – treated as an integral element of the quality of solutions offered, customer trust and stable development of the organization. The company ensures that data, processes and systems are protected in accordance with best practices and applicable standards. ISO/IEC 27001 certification is our commitment to our customers and a confirmation of our company’s organizational maturity.

Robert Czula, CEO of Soneta

What was the preparation for the certification audit like?

Preparing for an ISO 27001 certification audit is a process that needs to be approached very methodically. In our case, a dedicated project team was established, of which I had the pleasure to be the leader. From the beginning, we also worked closely with All for One Poland, which supported us substantively and helped translate the requirements of the standard into the reality of our organization.

The project work consisted of regular meetings, during which, step by step, we identified the processes operating in Soneta and mapped them to the requirements of the ISO 27001 standard. The result of these activities was the creation of complete documentation – policies, procedures, instructions and records – but also the construction of processes, which in some areas had to be built from scratch.

The owners of assets and individual business processes played a key role in the preparations. They were the ones who best understood the specifics of their work, so together we analyzed risks, tested assumptions and developed adequate security measures. When we worked on HR processes, the HR Manager was involved; for financial areas, the accounting department; for technical processes, the IT and development teams. The implementation of the ISMS required the cooperation of the entire organization, not just one department.

A very important stage of preparation was the internal audit we conducted in November 2025. Its purpose was to check how our assumptions work in practice – whether procedures are understood, whether processes work, whether documentation corresponds to the facts. The internal audit proved extremely valuable to us, because it showed us places that needed to be refined. It allowed us to make adjustments, re-test procedures and make sure the system functions consistently.

In the next step, we were already preparing directly for the certification audit, which took place in January 2026. At this stage, it was also important to cooperate with the certification body – to discuss the schedule, the scope of the audit, how to verify the processes or prepare the teams to be involved in the interviews with the auditors.

Thanks to very good preparation, extensive employee involvement and the support of All for One Poland, the audit went smoothly and the result was a success for our organization. Today we can say that professional preparation was one of the key factors in the success of the entire project.

You led this project, and are now the ISO27001 ISMS Officer for the company. From the perspective of this role - what are the most important lessons learned for you?

My appointment as the project manager of the ISO 27001 implementation project, and later as the ISMS officer, was a great honor for me, but also one of the greatest professional challenges of recent years. The Board of Directors entrusted me with responsibility for a project of great strategic importance for the company, and at the same time I was learning the standard and its practical application “on a living organism.” This experience gave me some key lessons that I would call my lessons learned.

First – absolutely do not put off organizing the documentation. Documentation is the cornerstone of ISO 27001, and if it’s left “for later," the project starts to go awry. In our case, a systematic approach worked: regular team meetings, discussing statuses, reviewing what was done, what wasn’t and why. It can be said that the agile methodology we use every day in the organization played a big role in this project as well.

Second, the strong commitment of the board from the very beginning. In many organizations, ISO is implemented “top-down,” but without real participation of top management. The effect is easy to predict: employees do not feel the sense of the activities, they treat them as an imposed duty, and motivation decreases. In our case it was different – the management was involved, participated in the process and set an example. This is crucial, because if the example comes from the top, employees engage in change much more easily.

Third – precisely define the scope. ISO 27001 is a very broad standard and it is extremely important to clearly define what the system is supposed to address. With a well-defined scope, we avoided unnecessarily complicating the project and were able to focus on areas that are truly critical to our business.

Fourth – do not treat the ISO as an “IT-only” project. This is one of the most important lessons. Although one intuitively associates security with the IT department, the reality is that an ISMS affects the entire organization. HR, accounting, marketing, sales, administration – each of these areas works with information and each must be involved in the system. Without their involvement, implementation would not be possible.

And fifth – it is worth working with an experienced partner. We were fortunate to have such a partner. All for One Poland played a huge role in preparing us for the implementation and audit. We had no previous experience with projects of this type, and their knowledge and practical insight were invaluable. I am convinced that without this support, the process would have been much more difficult and drawn out over time.

Summary: ISO 27001 is not just an implementation project, but more importantly a change in the way an organization thinks about information security. The most important lessons are systematic, full management support, clear scope, broad employee involvement and cooperation with experts. These are the elements that determined the success of our implementation.

What role did the collaboration with All for One play in the project?

I rate the cooperation with All for One Poland very highly. As I mentioned earlier – without the support, the implementation of ISO 27001 would have been much more difficult for us. This is a partner who not only knows the standard, but above all is able to translate it into practical measures tailored to the realities of the company.

All for One brought a structured methodology to the project, which made the implementation process consistent and without chaos. From the very beginning it was clear what, when and how it should be created. We also strongly appreciated their experience in implementing similar projects. At many points we were able to benefit from their practical tips – not textbook ones, but those resulting from real implementations in other organizations.

There was great value in providing substantive support in risk analysis, which is one of the most important elements of ISO 27001. Together we went through the process of identifying threats, assessing risks and planning appropriate actions. This allowed us to take a more systemic view of our processes and to identify precisely what is actually critical from an information security perspective.

Collaboration in preparation for the certification audit was also an important step. All for One helped us go through the checklists, prepare the teams, make sure we understood the expectations of the auditors and were able to adequately present the operation of the system. This approach made the whole process very easy – and as the result showed, it was effective.

What is particularly valuable – All for One did not create excessive bureaucracy. A pragmatic approach was maintained: we focused on what realistically brings value, rather than generating documents “for the sake of documents." This has made the system not only compliant, but also practical and convenient for daily operations.

Summary: All for One was a substantive, organizational and advisory partner for us. The combination of structured methodology, extensive experience, pragmatic approach and excellent personal cooperation largely determined the success of our project.

What advice could you give to IT companies that are just considering implementing ISO 27001?

For IT companies that are just thinking about implementing ISO 27001, I can recommend a few key principles from our experience. First and foremost – don’t treat it as a project “on paper.” ISO 27001 is not documentation that can be put on the shelf, but a real information security management system. If a company treats it as a formal obligation from the beginning, the effect will be superficial and unsustainable.

It is worth focusing on system construction, not “document production.” Documents are important, but only if they reflect actual processes. If something doesn’t work in practice, a record alone won’t fix it. In our case, the pragmatic approach and adaptation of the standard to the realities of the company, rather than the other way around, worked well.

The second important piece of advice is to involve people from the beginning. ISO 27001 is not an IT project – it is a project of the entire organization. HR, accounting, marketing, sales, administration, service – every department has a stake in information security. The earlier employees understand the meaning of the changes and their role in the system, the easier the implementation goes. Communication, education and clear explanation of “why” are absolutely key.

At the same time, you need to think about security in the long term. ISO 27001 doesn’t end with certification – it’s continuous improvement, monitoring, risk analysis, periodic reviews, audits. If a company is not ready to think of security as an ongoing process rather than a one-time initiative, the implementation will lose its value.

And finally – I encourage you to look at ISO 27001 as part of a strategy, not just compliance. For IT companies, security is the foundation of customer trust and competitive advantage. The certification is an acknowledgement of the organization’s maturity, but it is the way of working, employee awareness and structured processes that make up the real value of the system.

The bottom line: build the system, not the documents; involve people; think strategically; don’t put off the work; and if possible, work with an experienced partner. These elements were key to the success of our implementation.

Interviewed by: Miroslawa Huk, All for One Poland

Soneta

Soneta is a Polish manufacturer of dedicated ERP software for business. Its flagship product is enova365, a system supporting comprehensive management of finance, HR, production, sales and logistics in enterprises of various sizes and industries. The company was founded in 2002 and has been continuously developing its product since then. It has more than 22,000 customers, whom it serves directly and through its partner network.
