How GObugfree achieved ISO 27001 certification – and what we learned along the way

For a vulnerability management platform like GObugfree, trust is everything. Customer data, reports, and internal systems must be protected at all times — and demonstrably so. By achieving ISO 27001 certification, we’ve aligned our organisation with an international standard that demands not just documentation, but truly lived security practices. We spoke with GObugfree CISO Rolf Wagner about the motivation behind this step, his experience working with SQS, and what other startups can learn from the process.

Security is in GObugfree’s DNA — and ISO 27001 was the logical next step to make that visible to the outside world. After months of preparation, process refinement, and audits, we are proud to be officially ISO 27001 certified — by the Swiss certification body SQS. At the official certificate handover, we took the opportunity to ask Rolf a few questions — and to speak with the SQS auditors as well.

Why ISO 27001?

Rolf, what prompted this step — and why was certification particularly important for GObugfree as a platform?

The main driver was our desire to standardise and make our already well-established information security practices more transparent and verifiable to the outside world. GObugfree works with highly sensitive information such as vulnerability reports every day, so obtaining an internationally recognised information security management system was a natural next step.

ISO 27001 certification demonstrates to our customers and partners that information security at GObugfree is structured, measurable, and continuously improving. It builds trust and confirms that we meet the same high standards we expect from ourselves.

The Road to Certification

How did GObugfree approach the project, and how long did it take? Any moments that stand out?

We began building our ISMS in 2023 and have continuously refined it since — exactly as a functioning management system should evolve. We took our time; there was no rush job. A memorable moment came at the end of 2024 when our management team decided to take the next step and have the ISMS officially certified. That decision felt like putting the finishing touch on the system we had built.

Which teams were most involved — and how did you balance the effort with daily operations?

Our technology team played a key role, as they maintain and develop our platform and implement many of the technical controls directly. Because we built the system gradually over time, the effort was manageable and didn’t disrupt day-to-day operations. This approach allowed us to strengthen information security step by step without slowing down the business.

Working with SQS

Why did GObugfree choose SQS, and what was the collaboration like?

As a Swiss platform that places a high value on trust, it was important for us to work with a Swiss-accredited and recognised certification body. SQS has an excellent reputation, which made it the obvious choice.

The audit process was professional and constructive throughout. We particularly appreciated the balance between a thorough assessment and a pragmatic understanding of how smaller organisations operate.

The SQS audit team was also present at the official certificate presentation in our office. We took the opportunity to ask SQS auditor Alex Maurer for his impression: “It's great to see that GObugfree, as a tech company, is not only innovative from a technology perspective but also has strong control over the processes that ensure security.”

Added value for our customers and team

What changes for our customers with certification — and was the effort worth it?

For our customers, certification simplifies the verification of our security practices. They no longer need to conduct their own audits or lengthy questionnaires, as they can rely on the ISO certificate and focus only on specific areas if needed. Because our ISMS was already established, the additional effort was limited. Certification was a logical and rewarding next step — the perfect finishing touch on the system we had built.

Security isn’t a state, it’s a process — and ISO 27001 helps us to further systematise, standardise, and make that process tangible for customers and partners.
Rolf Wagner, GObugfree CISO

Advice for Other Startups

What would you recommend to other companies considering ISO 27001 certification?

Implementing an ISMS is beneficial for any organisation. The level of maturity and the decision to pursue certification depend on the internal and external requirements placed on the company regarding information security. My advice: start early, but take small, steady steps — and involve all relevant teams and stakeholders from the beginning.

More than a certificate

ISO 27001 certification marks an important milestone — but it’s only one part of our broader commitment to security and trust. Learn more on our trust page.