InfoSec certifications for global startup

That's not how this works. You don't collect certificates.

  • being certified does not mean that you are secure
  • customers only care about the certificates they care about

The "best" certification is the one that serves your company's goals the best. If you pursue Cyber Essentials, but your customers want BSI Grundschutz, then you have wasted a lot of time and money. And neither guarantees that you are secure.

Company certificates help you view your company, its processes, people, and technology through different lenses. Choose the lens that will help you secure your company. Your goal is to be secure, not to be certified.

The "best" case? Look through them all and identify which lens highlights gaps that your company should be filling right now (no, you do not fill all gaps all at once at the start). Then use that lens to improve. Then maybe get certified in that scheme, but only if it serves your company's needs.

Here's the approach (for a non-regulated industry - for regulated industries, you swap items 1 and 2):

  1. Get basic competence in your people, processes, and technology for the obvious/common threats
  2. Get compliance with whatever third-party stakeholders want (customers, regulators, investors, etc.)
  3. Develop internal compliance to your own standards to ensure consistency
  4. Develop a risk-based approach to target the non-top-line threats to your business
  5. Develop a flexible, adaptive approach to security to be able to quickly address emerging risks

This is the ELITE approach:

  • Essential
  • Legal/Legislative (Lender/Ally)
  • Internal
  • Targeted
  • Emergent