03/04/26

Why an event agency is going for ISO 27001 – and what it has cost us so far

Data security sounds like something for IT corporations. Not stage design and show acts. And yet, we’re right in the middle of a certification process that demands more from us than we expected.

There are sentences we wouldn’t have expected to hear at brandmood a year ago.


Like: “Have you updated the asset register?” Or: “We still need the risk treatment plans for mobile devices.”

Our project manager—who has built stages for 2,500 guests—is now explaining the difference between an information security policy and a statement of applicability. With the same level of seriousness he usually brings to run-throughs for large-scale events.

This is not a joke.
This is ISO 27001.

How it started

The honest answer: it wasn’t a strategic master plan.
It was a requirement that kept coming up more and more in client conversations.

Large companies—corporations, banks, public-sector clients—are increasingly asking how we protect their data. Not as a formality, but with detailed questionnaires. Vendor assessments. IT security checklists that run dozens of pages.

For a long time, we answered with common sense and solid processes. At some point, we realized that wasn’t enough anymore. Not because our processes were bad—but because we couldn’t prove them.

And in the world of large clients, the rule is simple:
If it’s not documented, it doesn’t exist.

ISO 27001 is the international standard for information security management. A certification means that an independent auditing body confirms: this organization has a functioning system to protect data. Systematically. Verifiably. Not because someone says so—but because it has been audited.

That’s what we wanted.
So we started.

What we underestimated

Short answer: almost everything.

ISO 27001 is not a checklist you tick off once. It’s a management system—which means it fundamentally changes how an organization thinks and operates. Permanently.

It starts with taking stock. What data do we even have? Where is it stored? Who has access?

For an event agency that manages client data, participant lists, contracts, technical plans, and subcontractor information—across multiple locations, with a team that often works on-site rather than in the office—that’s more complex than it sounds.

Then comes risk analysis. For every asset, every process, every external interface.
What could happen? How likely is it? What would it mean? And what do we do about it?

It takes time.
Honestly: significantly more time than we had planned.

It takes focus. It takes internal capacity that is then missing elsewhere. And yes—it also costs money. For external consulting, for the audit itself, for tools and documentation.

We’re not saying this to complain.
We’re saying it because we think other agencies or companies facing the same decision should know.

What it has already brought us—before certification

The interesting part is: the biggest value doesn’t come with the certificate.
It comes from the process.

We’ve identified things we needed to improve. Access rights that were never properly cleaned up. Processes that existed in someone’s head but nowhere else. Password practices no one had formally defined—because “it always worked anyway.”

Fixing that isn’t glamorous work.
But it’s good work.

And there’s something else we didn’t expect:
The conversation around data security has changed internally.

It’s no longer an IT topic that “someone else” takes care of.
It’s now part of how brandmood operates—from project management to accounting.

What this means for our clients

With every event brandmood delivers, clients trust us with their data.
Participant lists with names and contact details—sometimes dietary requirements and accessibility information. Contracts. Briefings with internal strategy. Budgets.

Most clients don’t explicitly think about data protection.
They simply trust us.

That’s a good thing.
And it’s a responsibility we don’t take lightly.

ISO 27001 is our way of not just earning that trust—but proving that it’s justified.
Not for us. For them.

Where we are now

We’re in the middle of the process.
We don’t have the certificate yet—and we’d be the last to pretend we do.

But the direction is right, the system is taking shape, and the audit is coming.

When we’re done, we’ll share what we learned.
Probably with a different title:

“What we learned from the ISO audit—and what the auditor told us to our face.”

We promise.

brandmood is a full-service event agency with offices in Salzburg, Linz, and Vienna—specializing in corporate events, meetings & conferences, anniversaries, and digital event solutions.

 
