CertiKit vs SaaS – Some Questions to Ask Yourself

Posted on August 18th, 2025 | Written by Ken Holmes.

SaaS (Software as a Service) systems are touted by their vendors as being the obvious choice when considering how best to implement an ISO management system based around a standard such as ISO27001 (information security), ISO9001 (quality) or ISO27701 (privacy). Here we lay out some questions you may like to ask yourself when considering this route, and some reasons why a document toolkit based around your existing Microsoft 365 environment may be a better solution.

 

How much does the ISO SaaS system cost?

This can be a surprisingly difficult question to answer. Many (in fact most, with the odd exception) SaaS vendors are very cagey when it comes to telling you how much it will cost for you to sign up. Often there isn’t a pricing page on their website and it’s compulsory for you to sit through a demo before they reveal the asking price. This can be frustrating because you don’t want to waste your time with a demo if the cost is way beyond your budget. When you do get to the facts, in many cases you’ll find that a figure of £5,000 to £10,000 a year is not uncommon. And that’s every year. It’s also often based on the number of users, so if your company grows, the price will go up. Not to mention the general tendency of SaaS companies to change their pricing tiers regularly and impose seemingly random increases too.

A CertiKit toolkit ranges in price from £395 to £595. That’s it – nothing more to pay (maybe the odd Microsoft 365 licence, but you’ll use those for other things too).

 

How much content is included in the SaaS system?

When you get to the certification audit for your management system, your auditor will ask for lots of documented evidence to prove that you’re meeting the requirements of the standard. In many cases that evidence will be policies, processes, procedures and other types of written material that together show how your management system works. This is an area in which some SaaS systems may fall short. Their template content is sometimes written by external consultants and presented in a basic text editing window that has little of the functionality of a capable word processor such as Microsoft Word.

Our toolkit documents are professionally formatted and easy to edit, with extensive content that is written in a consistent style that reflects well on your company.

 

Can you change the way the SaaS system works if it doesn’t suit your company?

There are many ways to run an ISO management system, and the standards deliberately don’t mandate any particular way of working. Any SaaS system, however, has to make decisions between alternatives, even if it tries its best to give the user options. This means that you will need to adopt the SaaS system’s way of working, which in some cases has been heavily influenced by the organisations that were its first few customers. There may be a suggestions scheme for programming changes and perhaps even a voting system, but chances are you’ll need to accept that the degree of influence you will have over developments is almost certain to be limited.

A toolkit solution, however, fits in with your existing ways of working and, if it doesn’t, you have complete control over changing it.

 

How intuitive is the interface of the SaaS system?

All SaaS systems work differently and although there are some basic principles of user interface design, chances are any one system will have some quirks that you’d need to get used to. Can you easily work out how to accomplish tasks like risk assessment, interested party identification and internal audit? Beware of systems where you spend more time trying to work out where to go next than in achieving your task.

In comparison, most of your users will already know how to use Microsoft software (which obviously has its own quirks too!)

 

How well will it integrate with your existing Microsoft 365 environment?

Integration is often claimed as a strength of SaaS systems, with a long list of “integrations” that have either been custom-written or achieved via middleware such as Zapier. Consider how many of these you would use, and compare the level of integration with Microsoft 365 (such as importing users) with the idea of actually running your management system in Microsoft 365, with full access to everything that your company already has. Taking this a little further, ask yourself whether using an external system to run your ISO management system is a reasonable thing to do – isn’t the point of the management system that it’s a key part of your company, not a separate add-on?

 

What security certifications and assurances do they offer?

Security is always a worry with any SaaS system and it would be reasonable to expect the vendors to have invested in multiple certifications such as ISO27001, since that is what their system is created to achieve anyway. Similarly, you will need to check where your data would be stored so you don’t fall foul of privacy legislation. How well does the SaaS system follow best practice in areas such as authentication and encryption? Remember that few SaaS vendors will have the budget of Microsoft when it comes to security, so again Microsoft 365 will be hard to beat here.   

 

What will you do if you want to swap to another solution?

Using a SaaS system can be good until you decide to move your data, perhaps because you’re not happy with the functionality or the cost. How would your data be presented, for example in a series of csv files or some other format? Asking such questions up front can help to clarify how easy it would be to extract your ISO management system data and set up a functioning system elsewhere if the time were to come.

 

How easily can the functionality of the SaaS system be replicated in Microsoft 365?

If you’re going to invest in a SaaS system, then functionality has to be a key part of the decision. How much value does the system add beyond data storage and how much time might that save you compared to much cheaper alternatives? Consider how much of the SaaS system functionality can be replicated in Microsoft 365 using tools such as Teams, SharePoint, Planner, Loop, Lists and Power Automate. Consider also how valuable it may be to upskill your people in these Microsoft tools as they can use them in other areas of the business too.

 

How much of a future does SaaS have?

Lastly, we recommend you watch some of the recent strategic announcements from Microsoft, largely around Copilot. The Microsoft CEO talks at length about the “Open Agentic Web” and how, in his view, the traditional SaaS model has had its day, being replaced by AI agents that get things done through a natural language interface with the user (and by communicating with each other). The Microsoft mantra of “Copilot is the UI (user interface) for AI (artificial intelligence)” envisions a (not very distant) future where logging on to individual SaaS systems to accomplish a task will be a thing of the past. This may mean that having your ISO management system embedded into your Microsoft 365 environment already will be a big plus.

 

Last Words

When you are looking at the best way to implement your organisation’s management system, SaaS can be expensive, it may be hard to change your mind later, and Microsoft 365 is developing at such a rate that a combination of a CertiKit toolkit and the Microsoft tools you’re already paying for has to be a cost-effective alternative. Factor into the decision the uncertainty around what the future may look like and you have cause to stop and think carefully before acting.

These are exciting times.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
