What to Look for in a Custom Software Vendor — and What Should Disqualify Them Immediately

Picking the wrong custom software vendor is one of the most expensive mistakes a VP R&D can make. Not because the project fails outright — though it sometimes does — but because the failure mode is slow. Eighteen months in, with three million shekels spent, the system half-works, the original team has rotated off, and nobody wants to be the one who admits it. The whole disaster could have been avoided in the first two meetings if anyone had known what to look for. Here is the checklist.

Six Things a Serious Vendor Must Have

These are not nice-to-haves. If a vendor cannot demonstrate all six, find another vendor.

• Recognized certifications, specifically ISO 27001 and ISO 9001. ISO 27001 means they have a real information security management system, not a PDF policy in someone's drawer. ISO 9001 means their delivery process is audited, repeatable, and not held together by one heroic project manager. For Israeli enterprises handling sensitive data, this is the floor, not the ceiling.
• Relevant regulatory registrations. If you operate in defense, fintech, or healthcare, your vendor needs to clear the same bar. Israeli Ministry of Defense vendor registration, for example, is not something a company gets casually. It requires years of demonstrated process maturity and security posture.
• Fixed-scope, fixed-price contracts as the default. Time-and-materials has its place, but a vendor whose only business model is T&M has no incentive to scope tightly or finish on time. A vendor willing to commit to a fixed price after a proper discovery phase is a vendor who knows what they are doing.
• A structured discovery process with deliverables. Two to three weeks, ending in a written specification, an architecture sketch, and a fixed-price estimate. Not "let's just start and figure it out." Not a six-month discovery that produces a 200-page document and no code.
• Bilingual delivery — Hebrew and English, fluently. Your internal stakeholders speak Hebrew. Your product documentation, code comments, and probably your end users speak English. A vendor who can only operate in one language will create friction at every handoff.
• Track record with companies that look like yours. Seven years in business minimum. Thirty or more delivered projects. Reference clients in your industry who will take an unscheduled phone call and tell you the truth.