Aftra achieves ISO/IEC 27001 certification through fully remote and asynchronous audits

December 17, 2025


ISO/IEC 27001:2022 certification badge
At Aftra, we are proud to announce we are now ISO/IEC 27001 certified. ISO/IEC 27001 is the internationally recognized standard for Information Security Management Systems (ISMS).

Beyond becoming certified, we’re especially proud to have completed the entire process, from preparation to the final audit, 100% remotely. This makes Aftra one of the earliest Icelandic companies to receive the certification without any on-site auditor visits. This is a powerful and efficient alternative pathway to certification that we believe other Icelandic companies could emulate.

Here’s how we did it.

The remote route to compliance

The traditional model for securing ISO/IEC 27001 is often resource-intensive, which is not always feasible for smaller companies. Multi-day, on-site audits can result in significant costs for travel and accommodation, and the time and effort required from internal teams disrupts daily operations. These hurdles can delay critical security compliance.

That’s why we wanted to highlight the alternative route of completing the certification remotely and share our experience with the process. The remote audit option better suited our agile philosophy and modern approach to business.

The process focused on leveraging technology and experts to make compliance continuous and non-disruptive:

  • Automation: We utilized Vanta, a compliance automation platform, for continuous evidence collection. This tool managed nearly all the required data, ensuring we always had up-to-date proof of compliance.
  • Expert oversight: We partnered with Syndis for specialized CISO expertise and documentation guidance, ensuring our policies met the rigorous ISO standards.

The audit: Four hours, not four days

The most significant change was the audit itself. By using automated tools to gather evidence, we eliminated the need for multi-day, on-site interviews. Instead, the auditor was able to review all documentation and evidence asynchronously, making the final audit quick and efficient.

The final audit phase of the process required approximately four hours of auditor time.

“Achieving ISO/IEC 27001 is a non-negotiable step for a growing technology company, but the way we achieved it remotely is what sets us apart. We’ve demonstrated that world-class security doesn't need to require multi-day and expensive on-site audits. This is not just a cost saving; it’s a commitment to efficiency that reflects our modern operational philosophy.” -Björn Orri Guðmundsson, CEO Aftra

This remote, asynchronous method provided substantial practical benefits for Aftra:

  • Cost efficiency: We eliminated significant costs associated with hosting an auditor, including travel and accommodation.
  • Minimal disruption: Remote audits are far more representative of our actual, day-to-day operations, avoiding the 1-2 weeks of major interruption commonly experienced with traditional compliance processes.

Beyond compliance: Meaningful internal improvements made

While the ISO/IEC 27001 certification is essential for building business trust and establishing robust security for our clients, the process also resulted in internal benefits.

We found ourselves making meaningful and effective improvements to our internal processes. These new, formalized security practices were designed to integrate seamlessly, ensuring they create minimal limitations on our team's daily workflows and operational speed.

By choosing a modern, automated, and remote path, Aftra has proven that achieving world-class security compliance can be fast, cost-effective, and fully integrated into the operating rhythm of a forward-thinking company.
