How a Small company got ISO 27001 Certification – The Prograils Way

There was a time when ISO 27001 felt completely out of reach. The initial push for certification came not from within the company, but from clients. As business with larger organizations began to grow, questions about security practices and formal standards started to appear more frequently. It became clear that ISO 27001, the internationally recognized standard for information security management, was becoming a commercial necessity.

But the standard looked intimidating. Everything about it seemed formal, rigid, “suit and tie.” And that just wasn’t the culture. Prograils had always operated in a pragmatic, flexible way, lightweight on process, strong on trust, with a deep belief that common sense beats corporate theater every time. At first glance, ISO seemed like the opposite of all that. The initial reaction? A mix of confusion and a fair amount of “what are we getting into?”

Starting the Journey

With no in-house expertise, the company reached out to someone experienced in ISO 27001 implementations, someone who had guided other businesses through the process. Their role was to help make sense of the requirements, structure the documentation, and walk through the steps needed for certification.

At the time, bringing in an external ISO consultancy would have been incredibly expensive, tens of thousands in fees, not to mention the time cost of onboarding someone who didn’t know the team or how it operated. Working with someone close to the company, who already understood the culture and values, made it easier to keep things grounded. There was room to ask naïve questions, to rethink the standard in plain language, and to find solutions that fit the size and rhythm of the team.

Looking back, it’s clear how lucky that setup was. But it also highlighted a gap: not every company has a “friendly ISO expert” ready to jump in. Today, with more examples, better templates, and smarter tools, the same results can be achieved without relying on costly consulting, as long as there’s a structured, guided system in place. That is what Humadroid is meant to be: a system that acts the way a practical, patient consultant would, showing the next step, offering just enough context, and never losing touch with how small companies actually work.

Building the System (Without Breaking the Culture)

Work began in late summer. Fridays were blocked off for ISO work, reviewing risks, writing policies, and gradually building the required documentation. Everything was written from scratch in plain language, using tools the team already knew. There was no heavy bureaucracy, no artificial processes. The goal was always clarity, simplicity, and relevance.

Care was taken to make the implementation feel natural. Everyone was informed, but no one was overwhelmed. The team was reassured regularly that this wasn’t a change to who they were, just a formalization of what they already did well. Most of the requirements weren’t new; they just needed names, documentation, and consistency.

Even serious topics like physical security were approached with a dose of humor and practicality. One of the company’s internal rules gained legendary status: the “donuts rule.” If someone left their laptop unlocked and unattended, a colleague could jump in, open Slack, and post the word “donuts” in the general channel. That was a clear signal that a security lapse had occurred, and the guilty party owed the team a round of donuts the next day.

This simple rule was more than a joke. It created a memorable, low-friction incentive to follow good security hygiene. More importantly, it worked. Laptops stayed locked. The external auditor, though initially surprised, accepted the practice without hesitation. It met the control requirement, encouraged awareness, and fit perfectly into the team’s culture. No unnecessary software. No patronizing emails. Just donuts.

Facing the First Audit

After months of preparation, the certification audit was scheduled. The chosen certification body was known for being formal and thorough, a deliberate choice meant to ensure that the process was credible in the eyes of enterprise clients.

The audit process was intense. The formal tone and style of the auditor clashed with the team’s laid-back, transparent culture. Every policy was challenged. Every detail was reviewed. It was a high-pressure few days, with little room for error. But in the end, the system held. Certification was granted, with a few recommendations for improvement to be addressed later.

Earning Trust, Year After Year

The following year brought a second audit. This time, the atmosphere was more constructive. The same system was still in place, but better understood. The auditor saw that the organization had matured in its approach, even if the culture remained refreshingly unorthodox. Instead of pushback, there was conversation. Feedback was welcome. Suggestions were implemented.

Then came the pandemic and the third audit, this time entirely remote. By then, the ISO management system had become second nature. The audit passed smoothly and without findings.

Was It Worth It?

Definitely. ISO 27001 didn’t change the culture; it clarified it. It also helped the business. It validated that many of the company’s instincts around security and transparency were already aligned with best practices. The process didn’t invent a new way of working; it gave structure to what was already there.

For clients, the certification became an easy trust signal. For the team, it provided shared language and ownership of security responsibilities. No one had to act differently. Just more deliberately.

Final Thoughts

Getting certified doesn’t mean turning a small, agile team into a miniature enterprise. The standard sets the what, but gives freedom in the how. It’s absolutely possible to meet ISO 27001 requirements without abandoning the principles that make a team effective.

The key is to approach it with clear intentions, structured guidance, and a willingness to adapt the rules to fit the company — not the other way around. Because the truth is: real security culture isn’t built on policies. It’s built on habits, ownership, and yes — sometimes even donuts.
