← Back to context

Comment by mnahkies

5 days ago

There's a number of threads here about privacy/security concerns. I'm curious what should be the bar for grassroots/bootstrapped projects like this?

Having recently taken a company through ISO 27001:2022 it's a pretty expensive and time consuming process, that doesn't seem reasonable to do early on in a projects creation - you don't yet know if you have product market fit.

However, you're wanting people or companies to trust you with their data - so it starts to feel a little chicken/egg

What's the best middle ground here for building trust whilst acquiring your first users?

ISO 27001 implementation and certification doesn't have to be overly expensive if you have the right team to help you. It also doesn't have to be time consuming as you can outsource a good deal of the work. I work as ISO 27001 auditor and I help companies get ISO certified. For a small company the combined cost of certification and external provider support ranges from $5k to $8k. Of course if you are a larger organisation the cost will go up, but not drastically.

  • That makes sense, but simply isn't viable cost wise IMO if you're trying to bootstrap a side project - until you have your first users and a sense that you have something people are willing to pay for, spending thousands on compliance certifications seems pretty risky.

    I'm interested in what the best strategy to build/establish trust when you can't yet afford to pay for certification is.