TAGGRS is a rapidly growing platform that helps organizations collect and manage marketing data and tracking in a privacy-friendly way. The company operates at the intersection of data, marketing technology, and privacy, where careful handling of personal data is essential. Because TAGGRS works with sensitive customer and user data, information security and privacy (GDPR) are not just prerequisites, but the most crucial component of its service. As the company grew, it became increasingly important not only to implement this well technically, but also to demonstrably and structurally secure it in accordance with ISO 27001.

‍

Growing pains, unwritten rules, and the call for structure

Due to TAGGRS's rapid growth, the need for structure and demonstrable information security also increased. While many processes were already running smoothly in practice, this wasn't always documented or consistently secured. Much knowledge resided within the organization itself, but not in systems or documentation. As a result, things often had to be re-explained or re-investigated, which became increasingly less scalable.

“There were many unwritten rules. Everything ran smoothly, but it wasn't documented anywhere,” says Edwin Remery, ISO Manager at TAGGRS.

At the same time, customers were increasingly asking questions about information security and privacy. Not just in the form of individual questions, but also extensive questionnaires that required demonstrable answers.

This created a clear need: not just to comply with ISO 27001, but to genuinely organize it in a demonstrable and structural way. An additional challenge was that the standard itself wasn't always easy to interpret. Translating requirements into concrete practical measures proved complex, especially in an organization that was rapidly evolving.

Creating structure and buy-in in a rapidly growing scale-up

It quickly became clear to TAGGRS that they needed more than just advice or audit preparation. The organization sought a partner who could not only explain ISO 27001, but, more importantly, practically translate it into the company's daily reality. The challenge wasn't just achieving certification, but rather structurally setting up and securing processes within a rapidly growing organization.

“An auditor is not allowed to give advice. That's why it's good to have a party that can help with interpretation and practical guidance,” says Edwin Remery.

Fendix was therefore chosen as the implementation partner. The collaboration began with a GAP analysis to clearly identify the organization's current position and what steps were needed towards mature information security. From there, work proceeded step-by-step on setting up the ISMS and preparing for audits. The focus was not just on paper compliance, but primarily on how processes actually work in practice and are applied by employees.

From interpretation to practical implementation

During the initial phase, weekly alignment sessions of approximately one hour were held. These frequent touchpoints ensured speed, direct coordination, and the swift resolution of open questions. As the project advanced, these shifted to bi-weekly, two-hour sessions. This allowed for more in-depth discussion, the development of specific measures, and the practical testing of implementations.

“Texts from the standard can be quite challenging to read. It's helpful when someone can explain what it concretely means for your organization,” Edwin notes.

Throughout the project, Fendix remained the dedicated point of contact for interpretation and clarification. Initially, TAGGRS used Word and Excel to structure actions and tasks. This process was further professionalized during the project with the transition to Notion, enabling information security and compliance to be managed more centrally and consistently.

Furthermore, there was a deliberate focus on internal communication. During monthly sessions, employees were informed about new measures and their underlying rationale. This fostered greater understanding, buy-in, and engagement within the organization. Throughout the entire project, the emphasis was not merely on implementing measures, but crucially on understanding, applying, and embedding them into the organizational culture.

TAGGRS showed great willingness, and deadlines were taken seriously. Moreover, the team consistently brought concrete questions to the sessions, enabling us to provide highly targeted feedback and make rapid progress. According to Ruben den Dulk, who had the privilege of guiding TAGGRS as a consultant, a successful ISO 27001 project isn't solely about documentation or compliance, but primarily about fostering buy-in and ensuring practical applicability within the organization.

“You can perfectly document processes, but if employees don't understand why certain measures exist or how to work with them, information security remains merely theoretical. It's precisely that practical application that makes all the difference.”

Therefore, throughout the project, the focus was not only on implementing measures but also on making them comprehensible to the organization itself.