ISO 27001 Compliance For Startups

ISO 27001 compliance seems to be the security certification of choice for large enterprises. Many startups that we deal with at Keep Secure are humming away on application development when they are faced with the ISO 27001 compliance conundrum. A big fish wants to buy their product/service, but the evil prudent security team at the big fish has thrown in a road-block: the startup must be ISO 27001 compliant before any data can be loaded.

ISO 27001 compliance can be a big hurdle for small startup companies. The people, processes, and technology that need to be in place to satisfy these requirements can be daunting and prohibitively expensive. So, what is a startup to do? Are there techniques a startup can apply early on to help alleviate the pain of ISO 27001 compliance down the road?

We think startups can begin incorporating some of the underlying principles of ISO 27001, even if only informally, which will make for a smoother certification process. In some cases, being prepared to answer relevant questions can sway a customer to drop hard legal requirements for compliance in exchange for direct assurances.

With that in mind, ISO 27000 (the document) states the following fundamental principles that contribute to successful implementations:

  • Awareness of the need for information security
  • Assignment of responsibility for information security
  • Incorporating management commitment and the interests of stakeholders
  • Enhancing societal values
  • Risk assessments determining appropriate controls to reach acceptable levels of risk
  • Security incorporated as an essential element of information networks and systems
  • Ensuring a comprehensive approach to information security management
  • Continual improvement of information security and making of modifications as appropriate

Here are some tangible steps startups can take today to get the process underway.

Have frequent security discussions

One of the fundamental principles of ISO 27001 is the awareness of the need for information security. Having frequent discussions with the build/ops teams for your product will help increase that awareness. An easy way to incorporate this is to have security as a checklist item in your definition of done (acceptance criteria). The team might not get every answer correct, but it spreads the awareness, and forces the team to look up security concerns early on in the process.

Discuss security early in the life cycle

Security discussions at the design phase of a product or feature can cost hours, but save tens or hundreds of hours later on. Frameworks such as the OWASP ASVS and the OSA Cloud Computing Pattern provide easy-to-follow reference architectures. Use these reference architectures to influence your design discussions. Ensure that management is part of these discussions so that quick decisions can be made regarding the organization's risk tolerance.

Block features that have not considered security

From a management perspective, do not allow the release of new features that have not undergone some type of security review. Once again, this doesn't have to be a super formal process, but someone needs to have acknowledged that security was considered during the design, development, and deployment of the feature or product. The easiest way to demonstrate management commitment is to block features from reaching production until their security has been reviewed.

Incorporate security into your lessons learned

Many startups run in an agile fashion. Some of these undergo sprint-review activities such as lessons learned. Incorporating security discussions (what we implemented, how hard it was, how it could be better) into these lessons learned can help continually improve how the product team deals with security.

Ask for rudimentary security training

Most languages and frameworks these days have a security section in their documentation that discusses, in a general way, common security concerns and explains how those concerns are addressed in the target language/framework. Require that all developers/testers read through the appropriate documentation prior to starting on a new feature. This type of training will help ensure that at least the basics are being done.

In conclusion, ISO 27001 compliance is a long road, but these are things that startups can start doing now to help with compliance activities down the road. If all else fails, you can always engage Keep Secure to assist with your initiatives!


About Shamir Charania

Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, from senior architecture-level decision-making to the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.