More than just a certificate
What exactly does ISO 27001 certify?
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It defines how organisations systematically identify, manage and control risks around sensitive data, regardless of industry or company size. Certification by an accredited body demonstrates that security is not merely promised, but structurally embedded and independently verified.
For DTI Group, information security has always been a high priority – but rarely approached strategically. With the launch of COGNAiO® Cloud Extract, it became particularly important to us to build trust and guarantee security in a verifiable way.
From Initiative to Priority
With the launch of COGNAiO® Cloud Extract, it quickly became clear: in the context of AI-powered SaaS solutions, security is not a secondary requirement, it is a fundamental prerequisite. The demand for verifiable security was there, the timing was obvious.
What had previously been a mid-term item on the roadmap moved to the top of the list. The positive impact was immediate: expanded market access, strengthened customer trust and the ability to give companies in security-critical industries the confidence they need when adopting a new solution.
Why ISO 27001 for AI-SaaS Needs to Be Approached Differently
ISO 27001 is not new. The framework has existed for decades, and many organisations have implemented it as a documentation exercise, an audit preparation or a box-ticking requirement.
COGNAiO® Cloud Extract processes sensitive business documents. It is integrated into enterprise systems, runs on hyperscaler infrastructures, and is developed and operated by international teams across locations in Switzerland, Germany and Italy. In this environment, information security means more than a policy on the intranet.
The decisive question was therefore not: do we implement ISO 27001? But rather: How do we implement it in a way that truly holds up?
We had a solid starting point, as ISO 9001 certification had been in place for years. That was a genuine foundation. Rather than building a parallel system, we expanded existing process structures, consolidated responsibilities and integrated the new requirements organically.
That sounds simpler than it was. Three countries mean different levels of maturity, different security cultures, different day-to-day realities. Finding common ground without reducing everything to the lowest common denominator – that was the real work.
What emerged is not a compliance construct gathering dust on a shelf. It is an ISMS that lives within our development processes: security as an integral part of the development lifecycle, risk management with concrete measures rather than abstract documentation, access concepts that genuinely reflect our international teams, and cloud security controls tailored to our Azure environment.
On top of that: COGNAiO® Cloud Extract is not only certified to ISO/IEC 27001:2022. The solution also meets ISO 27017 for cloud security and ISO 27018 for the protection of personal data in the cloud, the logical evolution of a cloud-native security model.
The Result and What Surprised Us
The certification was completed in eight months. For an international ISMS spanning three countries, that is fast – faster than many national projects. Looking back, it was possible because we treated it as a genuine initiative, not a side project.
The immediate effects were tangible: customers who had been holding back were finally able to deploy COGNAiO® in full. New customers came on board for whom the certification was a decisive factor in their selection process. Supplier audits passed without friction. Questions about our security standards turned into a verifiable argument.
What genuinely surprised us was the internal effect. Processes became cleaner. Decision-making paths became more transparent. Teams work with clearer responsibilities. That is perhaps the most lasting value of a well-implemented ISO 27001.
The certificate itself is available for download on our website: transparent, with full scope and a clearly named certification body.
ISO 27001 did not only make us auditable. It made our organisation clearer, faster and more internationally connected.