Ask HN: How to mutate a start-up into ISO 27001 compliance - gbog

How to keep start-up-like agility with all change controls, heavyweight security procedures and so on, implied by ISO 27001 compliance (requested by our main client)?
======
jdee
ISO 27001 is actually quite flexible. The implementation details can be as
'heavy' (or not) as you make them. For instance, "change control" implies all
kinds of non-agile processes that inhibit you from building software the way
you do today. Change control from an ISO 27001 point of view can be as simple
as stating 'when a request for a new feature comes in, we put it on a list,
and discuss the impact of it'. I'm sure you would recognize this process as a
SCRUM product backlog.

You can be 27001 and still be agile - we are. The biggest problem of all is
training your staff to be ISO-aware (data classification, password policies
etc) and making them stick to it so that you pass the audits.

------
devmonk
imo this sounds like one of those situations where you learn to say, "No."
Unless there is a compelling reason to be ISO-compliant with the majority of
your customers, you will end up wasting so much time on getting compliant, you
won't be able to do the things the rest of your customers need. That goes for
pretty much any kind of standards compliance. Only do what is required to be
legal to get and retain the business you _need_.

To answer the question at hand though, I think you'd need to grow enough where
you can take the risk of pursuing certifications.

Good luck.

~~~
gbog
Well, we cannot afford to lose our main client, and the renewal of their
contract is tied to ISO 27001 compliance. Moreover, a very big company just
bought a part of our shares and requires us to comply with their own security
policies. Both go in the same direction, and we have to go this way, however
painful the process is. But we, the tech team, still want to be happy to go to
work every morning. So I'm wondering if there is a less painful way to get there.

~~~
brudgers
Is the big company going to require you to follow their existing procedures,
or are you free to develop your own?

~~~
gbog
We agreed we will "eventually" follow all their existing procedures, but it is
really annoying because we would have to switch many of our secure Linux
solutions to their required Windows environment, so this "eventually" may mean
"in a very far future" for some requirements. Some other procedures are very
interesting and we are happy to learn from them.