ISO 27001 compliance seems to be the security certification of choice for large enterprises. Many of the startups we deal with at Keep Secure are humming away on application development when they are faced with the ISO 27001 compliance conundrum: a big fish wants to buy their product or service, but the evil prudent security team at the big fish has thrown in a road-block, and the startup must be ISO 27001 compliant before any data can be loaded.
ISO 27001 compliance can be a big hurdle for a small startup. The people, processes and technology that need to be in place to satisfy its requirements can be daunting and prohibitively expensive. So, what is a startup to do? Are there techniques a startup can apply early on to alleviate the pain of ISO 27001 compliance down the road?
We think startups can begin incorporating some of the underlying principles of ISO 27001, even if only informally, which will make for a smoother certification process later. In some cases, being prepared to answer the relevant questions can sway a customer to drop hard legal requirements for compliance in exchange for direct assurances.
With that in mind, ISO 27000 (the document) states the following fundamental principles that contribute to successful implementations:
Here are some tangible steps startups can take today to get the process underway.
One of the fundamental principles of ISO 27001 is awareness of the need for information security. Frequent discussions with the build and ops teams for your product will help increase that awareness. An easy way to incorporate this is to make security a checklist item in your definition of done (acceptance criteria). The team might not get every answer right, but it spreads awareness and forces the team to look into security concerns early in the process.
Security discussions at the design phase of a product or feature can cost hours but save tens or hundreds of hours later on. Frameworks such as the OWASP ASVS and the OSA Cloud Computing Pattern provide easy-to-follow reference architectures; use them to inform your design discussions. Make sure management is part of these discussions so that decisions about the organization's risk tolerance can be made quickly.
From a management perspective, do not allow the release of new features that have not undergone some type of security review. Once again, this doesn't have to be a very formal process, but someone needs to have acknowledged that security was considered during the design, development, and deployment of the feature or product. The easiest way to demonstrate management commitment is to block features from going into production until their security has been reviewed.
Many startups run in an agile fashion, and some hold sprint-review activities such as lessons learned. Incorporating security discussions (what we implemented, how hard it was, how it could be better) into these lessons learned helps the product team continually improve how it deals with security.
Most languages and frameworks these days have a security section in their documentation that discusses security concerns in a general way and explains how they are addressed in that language or framework. Require all developers and testers to read the appropriate documentation before starting on a new feature. This type of training helps ensure that at least the basics are being done.
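The two practices above (security as a definition-of-done checklist item, and blocking unreviewed features from production) can be enforced mechanically in a CI or release pipeline. The following is an added example, not Keep Secure's tooling or anything prescribed by ISO 27001: the record format (a small JSON document attached to a feature or pull request), the checklist item names and the sample records are all constructed assumptions to adapt to your own tracker and to the questions your team agrees on.

```python
"""Release gate: a feature may only ship when its security checklist is
answered and a named reviewer has signed off.

Added illustration, not Keep Secure's tooling.  The record format
(a JSON document attached to a feature or pull request) and the
checklist item names are constructed assumptions.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Checklist items a feature must answer before it counts as "done".
# Constructed for this example; align with the questions your team agrees on.
REQUIRED_CHECKS = (
    "threat_model_discussed",  # design-phase security discussion happened
    "input_validation",        # handling of untrusted input considered
    "authz_reviewed",          # access control for the new feature reviewed
    "secrets_handling",        # no credentials in code or config
    "logging_reviewed",        # security-relevant events logged, no PII leaked
)


@dataclass
class GateResult:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_definition_of_done(record: dict) -> GateResult:
    """Decide whether a feature may be released.

    Every required item must be explicitly answered.  A "done": False answer
    is accepted only with a written note (the accepted-risk path), and a
    reviewer name plus date must be recorded.  An item that is simply absent
    means "nobody considered it", which is exactly what the gate exists to block.
    """
    reasons: list[str] = []
    checklist = record.get("security_checklist", {})

    for item in REQUIRED_CHECKS:
        entry = checklist.get(item)
        if entry is None:
            reasons.append(f"checklist item '{item}' not answered")
            continue
        if not entry.get("done") and not entry.get("note"):
            reasons.append(f"checklist item '{item}' marked not done without a risk note")

    review = record.get("security_review", {})
    if not review.get("reviewer"):
        reasons.append("no security reviewer recorded")
    if not review.get("date"):
        reasons.append("security review has no date")

    return GateResult(allowed=not reasons, reasons=reasons)


# Constructed sample records: one complete, one with gaps.
SAMPLE_PASS = {
    "feature": "export-to-csv",
    "security_checklist": {
        "threat_model_discussed": {"done": True, "note": "export path walked through with ops"},
        "input_validation": {"done": True, "note": ""},
        "authz_reviewed": {"done": True, "note": ""},
        "secrets_handling": {"done": True, "note": ""},
        "logging_reviewed": {"done": False, "note": "export audit events planned next sprint; risk accepted by CTO"},
    },
    "security_review": {"reviewer": "j.doe", "date": "2024-05-01"},
}
SAMPLE_FAIL = {
    "feature": "bulk-user-import",
    "security_checklist": {
        "threat_model_discussed": {"done": True, "note": ""},
        "input_validation": {"done": False, "note": ""},   # not done, no justification
        "authz_reviewed": {"done": True, "note": ""},
        # secrets_handling and logging_reviewed never answered
    },
    "security_review": {},                                 # nobody signed off
}


def main(argv: list[str]) -> int:
    """Gate a record from a JSON file (argv[1]); with no argument, run the failing sample."""
    record = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_FAIL
    result = evaluate_definition_of_done(record)
    for reason in result.reasons:
        print("BLOCKED:", reason)
    print("release allowed" if result.allowed else "release blocked")
    return 0 if result.allowed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire the script into the pipeline step that promotes a build to production; a non-zero exit blocks the deploy, and the printed reasons tell the team which definition-of-done item was skipped. Treating missing items as failures (rather than defaulting them to "fine") is the design choice that makes the gate useful: it turns "someone acknowledged security was considered" from a good intention into a recorded fact the certification auditor can later ask for.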
In conclusion, ISO 27001 compliance is a long road, but the steps above are things a startup can start doing now to ease compliance activities down the road. If all else fails, you can always engage Keep Secure to assist with your initiatives!
Shamir is a Microsoft Most Valuable Professional (MVP – Azure) and has extensive experience building solutions in the cloud, from strategy to deployment to automation.