ISO 27001 is a holistic standard. One of the mistakes I made originally was to treat it as a security standard. I used to think all the work involved would automatically be around code, vulnerabilities, and security related to your infrastructure, AWS account, etc.
But the reality is that the standard encompasses all the departments of your company, and it looks at security a lot more holistically. That means there are a bunch of practices you need to start doing as an HR department, IT department, engineering department, etc.
For example, one of the things that takes time is instituting policies in the company. You need to ensure that your employees know these policies and acknowledge them when they join, and periodically after that.
Your employees also need to go through a security training program periodically, and so on. So there are a number of HR implications here, and they take a certain amount of time depending on where you already are as a company in that process. You might already be mature on that front, or you may not be.
You need to start having a process around access management, meaning how you grant different members of the company access to different systems. That has to happen in a gated manner: people can't randomly get access to your database, AWS account, or other sensitive information. You need to think about how to grant, change, or remove access for people, ensuring that when people leave the company their access is revoked safely, and so on.
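The leaver and orphan-account checks described above, as an added example that is not part of the original post: it reconciles an HR roster against the accounts that actually exist in each system and flags accounts belonging to people who have left or to nobody in HR at all. The roster, the system names and the accounts are constructed sample data, and the finding kinds are names chosen for the example.

```python
"""Access review: reconcile the HR roster with real accounts per system.

Added example with constructed data; not a real environment or a tool
from the original post.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    email: str
    status: str                      # "active" or "left"
    left_on: Optional[date] = None   # set when status == "left"


@dataclass(frozen=True)
class Account:
    system: str                      # e.g. "aws", "postgres" (assumed names)
    email: str
    privileged: bool                 # admin/superuser style access


# Constructed sample roster and account inventory for the example.
ROSTER = [
    Person("alice@example.com", "active"),
    Person("bob@example.com", "left", left_on=date(2024, 3, 1)),
    Person("carol@example.com", "active"),
]
ACCOUNTS = [
    Account("aws", "alice@example.com", privileged=True),
    Account("aws", "bob@example.com", privileged=True),        # leaver not revoked
    Account("postgres", "carol@example.com", privileged=False),
    Account("postgres", "dave@example.com", privileged=True),  # nobody in HR owns this
]

Finding = Tuple[str, str, str, bool, Optional[int]]
# (kind, system, email, privileged, days_since_leaving_or_None)


def reconcile(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Flag every account whose owner has left or is unknown to HR.

    Privileged findings sort first so the review starts with the worst cases.
    """
    by_email = {p.email: p for p in roster}
    findings: List[Finding] = []
    for acc in accounts:
        person = by_email.get(acc.email)
        if person is None:
            findings.append(("orphan", acc.system, acc.email, acc.privileged, None))
        elif person.status == "left":
            days = (today - person.left_on).days if person.left_on else None
            findings.append(("leaver_not_revoked", acc.system, acc.email, acc.privileged, days))
    # Privileged first, then by how long the leaver has kept access.
    findings.sort(key=lambda f: (not f[3], -(f[4] or 0)))
    return findings


def revocation_actions(findings: List[Finding]) -> List[str]:
    """Turn findings into the ticket lines an access review would raise."""
    actions = []
    for kind, system, email, privileged, days in findings:
        level = "PRIVILEGED" if privileged else "standard"
        if kind == "leaver_not_revoked":
            actions.append(f"revoke {level} {system} access for {email} (left {days} days ago)")
        else:
            actions.append(f"identify owner or disable {level} {system} account {email}")
    return actions


if __name__ == "__main__":
    for line in revocation_actions(reconcile(ROSTER, ACCOUNTS, date(2024, 3, 11))):
        print(line)
```

In practice the roster comes from the HR system and the account lists from each system's own API (IAM, the database's role catalogue, the SSO provider), and the review runs on a schedule so a missed offboarding surfaces within days rather than at the next audit.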
Change management covers how you make changes to your application, so there are a number of things you need to do downstream there as well.
Vulnerability and incident management is an important piece. Many companies haven't thought about this until they start building a program like ISO 27001. Coming up with a vulnerability management program, looking for vulnerabilities, tracking their severity, making sure that, depending on the severity, you close them within a certain amount of time, pen testing yourself, etc., becomes a stream of work.
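The severity-based remediation deadlines described above, as an added example that is not from the original post: it takes a list of findings with their severity and discovery and closure dates, derives each one's deadline, and reports which are overdue, still within their window, closed late, or closed on time. ISO 27001 does not prescribe remediation times; the `SLA_DAYS` values below are placeholders a company would set in its own policy, and the findings are constructed sample data.

```python
"""Vulnerability remediation SLA tracker.

Added example with constructed findings; the deadline values are assumed,
not taken from the standard or the original post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation windows in days per severity (placeholders).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

STATES = ("overdue", "open_in_sla", "closed_late", "closed_in_sla")


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    found_on: date
    closed_on: Optional[date] = None


def due_date(f: Finding) -> date:
    """Deadline for a finding; unknown severities are an error, not silently ignored."""
    sev = f.severity.strip().lower()
    if sev not in SLA_DAYS:
        raise ValueError(f"{f.id}: unknown severity {f.severity!r}")
    return f.found_on + timedelta(days=SLA_DAYS[sev])


def classify(f: Finding, today: date) -> str:
    """Place a finding in one of STATES relative to its deadline."""
    due = due_date(f)
    if f.closed_on is None:
        return "overdue" if today > due else "open_in_sla"
    return "closed_late" if f.closed_on > due else "closed_in_sla"


def sla_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group finding ids by SLA state, overdue ones ordered by days past deadline."""
    report: Dict[str, List[str]] = {s: [] for s in STATES}
    overdue = []
    for f in findings:
        state = classify(f, today)
        if state == "overdue":
            overdue.append(((today - due_date(f)).days, f.id))
        else:
            report[state].append(f.id)
    report["overdue"] = [fid for _, fid in sorted(overdue, reverse=True)]
    return report


# Constructed sample findings for the example.
SAMPLE = [
    Finding("VULN-1", "critical", date(2024, 3, 1)),                        # open, 7-day window
    Finding("VULN-2", "high", date(2024, 3, 1)),                            # open, 30-day window
    Finding("VULN-3", "critical", date(2024, 2, 1), closed_on=date(2024, 2, 20)),
    Finding("VULN-4", "medium", date(2024, 1, 1), closed_on=date(2024, 2, 1)),
    Finding("VULN-5", "High", date(2024, 1, 20)),                           # case-insensitive severity
]

if __name__ == "__main__":
    for state, ids in sla_report(SAMPLE, date(2024, 3, 15)).items():
        print(f"{state}: {ids}")
```

The report is the kind of evidence an auditor asks for: not just that a scanner runs, but that each finding has a deadline derived from its severity and that misses are visible and explainable.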
There are six or seven dimensions along which work needs to be done, and I've seen that companies can take longer or shorter depending on where they are in the maturity cycle on each dimension.
For example, tech-first companies have typically done some work around incident management, vulnerability management, or access management, but they are usually short on policies, training, change management, etc. Whereas other companies, which are not necessarily your typical technology startup, tend to be a bit more mature in their HR practices at times but relatively green when it comes to vulnerability management, change management, access management, etc.
So you see both sides of it, but the fact is that it depends on the company: in the areas where you already have strengths you will usually be fine and need relatively little work, but in other places you will need to do more.