
Divio Method and Compliance Part 1: ISO Compliance

In this interview with Divio’s Jonathan Stoppani, read about how achieving an A+ ISO certification in 4 months exemplifies Divio's approach to problem solving.

Jonathan Stoppani

CTO

Christina Harker, PhD

Marketing

When it came to our ISO certification, we approached it in the way we approach all our work, using an iterative problem-solving approach. The result was a rigorous, technical implementation, and it included custom, tailored, and future-proofed tools that simplified the process.

This initially sounds like a lot of work. However, we spread it all out in a reasonable way, and in doing so, it helped us achieve an excellent result with surprisingly low time-investment. 

We interviewed Divio’s Jonathan Stoppani about the whole process. Find out how we did it, the challenges we faced, how organisations in a similar position can prepare and what worked best for us. This interview is Part 1 of 2; check out Part 2, on our in-house governance, risk and compliance tool here.

Here’s a breakdown of what we covered:

  • How Long Did the ISO 27001 Certification Process Take?

  • How Long Should it Take to Complete an ISO 27001 Certification?

  • What are the Advantages of ISO 27001 Certification?

  • Navigating a Change in Mindset

  • ISO 27001 Certification Process Challenges

  • Tools for the ISO 27001 Certification Process

  • ROI on In-House Tools

  • The Auditor’s Review

  • Takeaways

How Long Did the ISO 27001 Certification Process Take?

The reason we achieved an extremely good result for the ISO certification was because we looked at it as part of our ongoing cloud security compliance work. We considered it as a piece of work that could be rolled into future projects, and in the end, every bit of work in this project had payoffs in several different directions.

In terms of person-hours, we needed about 80 hours a week from October until late-January for the ISO-specific parts. This included the bulk of work on risk analysis, policy writing, asset management, and so forth. But it did exclude minor things, like having front-end engineers implement pieces of the project.

Going Beyond the Basics

We probably put in much more effort than what was required to get ISO 27001 certified. The reason for this, in part, was that we didn’t do the certification purely to get the title or the ISO certificate. Instead, we see ISO as just one stepping stone in our compliance journey, so we focused specifically on reducing work in the future. This ended up future-proofing the time we invested and functioned almost like a preventative measure.

We focused a lot on doing things in the correct way. We didn’t just want to just fulfil the criteria required for certification. So, we invested a lot of time on additional projects that standardised workflow and tools.

Saving Time in the Long Run

We invested almost a year in the whole compliance process. But the ISO process itself only took about four months. We only committed to the ISO process in October 2021, and we were happy to report our certification in early spring 2022.

This came about because we saw ISO as part of a larger process, and combining ISO into our larger compliance work had an incredible payoff. In a very short amount of time, we were able to capitalise on what we had done. In October, we were already able to set our goal to do the audit in January, and we were comfortably able to achieve this.

How Long Should it Take to Complete an ISO 27001 Certification?

There’s no clear-cut answer on how quickly a business can reasonably complete an ISO certification.

It depends a lot on the size of your company, as well as the maturity of your internal processes, and the scope that you want your ISMS to cover. It is possible to complete an ISO certification in a short time, say two or three months. However, it would require a big focus to be purely on certification. This in turn would require the commitment of a lot of person-hours. 

Overall, the time commitment has to do with your own capacity and planning: the person-hours that go in each week have to come from somewhere. You can spread the project to be longer or shorter. But this depends on how many hours you are prepared to commit per week or per day. 

The reason we were able to complete our certification relatively quickly was because the expertise was already there. Our approach was also already ingrained in our problem-solving framework.

Consider the Reason Behind a Compliance Certification

It is important to ask yourself why you are going through a compliance certification process, or why you’re trying to go through the process so quickly. 

For example, this sort of approach is more feasible and reasonable if you already have a good set of processes in place. You’ll also need a good structure in your company. In this case, you already basically implement what ISO mandates, and certification would be relatively easy to achieve. 

However, on the other hand, you might do the whole ISO certification without actually realising the advantages that following the ISO standards brings. So it is certainly worth asking why you are pursuing certification. Are you doing it purely for the certificate, or to also gain the benefits of improving your system? 

What are the Advantages of ISO 27001 Certification? 

ISO 27001 is focused on information security and the advantage of following this ISO standard is that you will improve your security posture. This has both short-term and long-term benefits. In the short term, your current security posture is robust and fully functional. In the long term, it means you have a system that allows you to continually improve and capitalise on what you have already accomplished. 

There are also two related standards which Divio completed: ISO 27017, which deals with cloud computing and additional aspects of information security, and also ISO 27018, which is for PII or the protection of personally identifiable information.

Clearly, you could do your audits once a year. You can ensure that enough is ready for the auditor to approve. However, we wouldn’t recommend proceeding this way. 

It’s far better to actually embrace the system and make it part of your day-to-day job. Make it part of your normal business processes. If you do this, you’ll be able to capitalise on the work you’ve done. You can make sure that information security is not just an afterthought, but something that's built into the way that you do things. 

There are many different ways to achieve this goal. The aim is to have better, or even the best, processes hard-baked into your daily business activities. The ISO standard is just one way to achieve that goal, but it is certainly quite a complete one. ISO 27001 is a standard that a lot of people put a lot of thought into. As such, it gives you an excellent red line to follow.

Navigating a Change in Mindset

The most difficult aspect of this project was the necessary change in mindset, particularly when it came to how the standards actually operated and were enforced.

We build our product for other developers and are developers ourselves. Therefore, we bring a lot of our own expertise and perspective as developers to any project. When it comes to a project like this, we always take a red team approach on certain questions. In this project, we had to ask ourselves: “What if someone internally doesn’t follow the process?” This could be out of negligence or forgetfulness, or because of a perceived need to get something done faster, and so on. This led onto bigger questions, specifically around security.

At Divio, security is a big focus for us. We spend a not inconsiderable amount of time focused on how to technically prevent certain scenarios. So we create systems that prevent people from not following the correct procedures. 

On the one hand, that is also why we invested so much time in our compliance work. But the nature of an ISO standard in itself means that it is preemptive and predictive, and having a policy that explicitly says what you are not allowed to do is often enough. For us, that felt a bit counterintuitive.

So we did take these things a little further. We invested a lot of time—partially spurred by our need to take things to that level of completion that we automatically gravitate towards—and this is why we achieved such good results. We really thought through the different processes. We returned to our roots and our ways of handling matters, and we focused on how we would enforce the standards and how to prove they were being upheld. We did this so we could actively show the auditor—or whomever we may want to in the future. 

This leads to a clear issue, though: not everything must be enforced technically to the same level. We were constantly doing risk analyses at a granular level, as well as establishing our plan of action on a multitude of topics.

But beyond this, on a macro-level, for ISO you mostly follow the process. And to be able to do this effectively, you need to learn about the process. And there will be people who will benefit from having a background in this sort of project. 

ISO 27001 Certification Process Challenges

The ISO certification process becomes more complex the larger an organisation is. But, many things that ISO 27001 mandates are also things that are easier for larger companies to implement. It all comes down to how large companies are managed.

Different Sized Companies Have Different Advantages

At Divio, we have a lot of verbal communication. This is because we have a small team, and we can quickly decide things in a call. In a system like that, everybody knows what is happening and is in agreement. Not all of these decisions need to be written down, recorded in meeting minutes, passed on to other teams for implementation and so on. 

If you're a larger company, though, having a different handle on internal communications is more common. Without more formal communication channels, the company simply would not work. You must document decisions, share them widely, centralise, organise and distribute the decisions to people who were not there when the decision was made. 

To some degree, the ISO certification process can take longer for larger companies. However, those companies have a different starting point. Larger companies are likely starting off with some of the necessary processes already implemented. Perhaps they are not implemented in the way that ISO mandates; for example, maybe you have to add some details to some documents. But people at large companies are used to working with very similar processes to what is mandated by ISO standards. So while it will change a bit, there is a process already in place.

For us, as a smaller team, some people might be surprised that we also have well-built processes in place. However, for most of those processes, it's difficult to prove and show what we did and would do in the future. That’s because we move really fast. The communication lines are quite short at Divio. There aren't a lot of people to talk to, to get signed off with, and so on.

Our speed is a huge advantage and we value it. We would like to retain that, but it introduces a challenge. We respect all the requirements from ISO 27001, but we also want to maintain the agility that we currently have. And that was a fun challenge for us to solve.

In general, the process of getting our ISO certification has helped us get technical implementations in place. We have been able to model our current process and incorporate this into a special tool we built. This tool allows us to continue using our traditional process, while also recording and respecting all the ISO requirements.

Tools for the ISO Certification Process

Tooling in general can help you in the ISO certification process. As a company we have heavily skewed towards tool development. This is because this is what we do: we develop a product. 

This means we have a higher percentage of developers in our employee population than most other companies. Naturally, developers are used to working with ticketing tools and following a given workflow to make a code change. There are certain processes that are hardwired into the profession, and that applies from the concept-stage all the way up to production. Our idea was to integrate that a bit, to use processes which were very well established in our company. We also do this for a lot of other less development-oriented processes.

With ISO, we tried to integrate as much as possible into our ticketing and code management tools. This is because we had them already, and people were used to using them. It was already part of the way we worked. Our developers were used to this particular process. And the fewer differences between a process people know and new processes, the easier it is to introduce new things. 

ROI on In-House Tools

One very big return on investment we saw—one which shouldn’t be underestimated—was in terms of what we avoided by building our own GRC tool. 

Ten months before we began the ISO process, we were working on compliance more generally. At that time, we would be moving ahead in a situation and learn, for example, that we needed to do a risk assessment. When we spoke with our consultant, he would then tell us that he would provide us with a template (his normal process for companies our size). The template was an Excel sheet that needed to be filled out. This really gave us pause.

We try to avoid idiosyncrasy and repetition at Divio. So, in the end, every time we saw something like this, we said, “Yeah, but you know what? Let's create an application or a module for that in the tool we’re building.” And we built that into what we were creating, so, for example, we are now able to manage risks (define them, rate them, define treatment actions, etc.) fairly easily. Our tool gives us a streamlined workflow for what we want to achieve.

Fast-forward 10 months, and our tool was able to handle controls from different sources, cross-link them to policies and risks, collect evidence, manage activities, assign responsibilities and much more. At this stage, we really saw a big payoff. In terms of ROI, we wouldn’t have been able to do the ISO certification in four months without this tool, especially at such a high quality level.

I doubt we’ve seen the full return on investment on the tool we built yet, either. But even at this point, it has proven to be well worth the effort. For any future expansion in compliance certification and reporting, the tool will help us capitalise on the work we’ve already done. It’ll allow us to keep doing that with every new process we undertake, especially in terms of time and energy.

Basically, every time we approached a problem, we thought, “How can we optimise this work?” It was a step-by-step process. And once we decided on ISO, it was just a continuation of this process. We didn't change a lot. In that regard, we just focused on the ISO requirements for the ISO process. But we kept the tool generic. So there is nothing ISO specific, and that makes the tool extremely versatile.

The Auditor’s Review

The auditor was quite happy with the result. At the end of our ISO process, he made a list of positive observations and the tool definitely helped us expand that list. 

I also have to say he was not that exposed to the tool himself, but we used it a lot internally. 

For the audit, you move through each individual control. You have to provide the supporting documentation and your evidence, as well as describe the process, and so on. For us, we could just open that control in the tool and see all the references to the documentation. This included the risk analysis, the evidence we collected and so on. So we had quite a nice dashboard to work with.
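To make the data model behind this kind of per-control dashboard concrete, here is an added example written for this article. It is not Divio's GRC tool and makes no claim about how that tool is built; the object names, the likelihood-times-impact risk rating, the readiness threshold and the sample records are all assumptions constructed for illustration. It covers the three things described above: risks that are defined, rated and given treatment actions; controls cross-linked to policies, risks and collected evidence; and a single view per control that lists everything an auditor would ask for, plus a readiness check that reports which controls still have gaps before the audit.

```python
"""Minimal GRC-style registry: controls cross-linked to policies, risks and
evidence, with an audit-readiness check. Hypothetical example, not Divio's tool."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    treatment: str = ""      # planned treatment action; empty means untreated

    def rating(self) -> int:
        # simple likelihood x impact matrix, giving a score of 1..25 (assumed scale)
        return self.likelihood * self.impact


@dataclass
class Evidence:
    ref: str                 # where the artefact lives (ticket id, document link, ...)
    collected_on: str        # date the evidence was collected, as an ISO date string


@dataclass
class Control:
    control_id: str
    source: str              # which standard or framework the control comes from
    title: str
    owner: Optional[str] = None
    policies: List[str] = field(default_factory=list)
    risks: List[str] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)


class Registry:
    """Holds the objects and enforces that cross-links point at things that exist."""

    def __init__(self, risk_threshold: int = 12) -> None:
        self.controls: Dict[str, Control] = {}
        self.risks: Dict[str, Risk] = {}
        self.policies: Set[str] = set()
        self.risk_threshold = risk_threshold   # ratings at or above this need a treatment

    def add_policy(self, name: str) -> None:
        self.policies.add(name)

    def add_risk(self, risk: Risk) -> None:
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
            raise ValueError(f"{risk.risk_id}: likelihood and impact must be 1..5")
        self.risks[risk.risk_id] = risk

    def add_control(self, control: Control) -> None:
        # refuse dangling references so the audit view never shows a broken link
        for p in control.policies:
            if p not in self.policies:
                raise KeyError(f"{control.control_id} references unknown policy {p!r}")
        for r in control.risks:
            if r not in self.risks:
                raise KeyError(f"{control.control_id} references unknown risk {r!r}")
        self.controls[control.control_id] = control

    def control_view(self, control_id: str) -> dict:
        """Everything an auditor would ask for about one control, in one place."""
        c = self.controls[control_id]
        return {
            "control": f"{c.source} {c.control_id}: {c.title}",
            "owner": c.owner,
            "policies": list(c.policies),
            "risks": [(r, self.risks[r].rating(), self.risks[r].treatment) for r in c.risks],
            "evidence": [(e.ref, e.collected_on) for e in c.evidence],
        }

    def readiness_gaps(self) -> Dict[str, List[str]]:
        """Per control, the reasons it is not yet audit-ready (empty list means ready)."""
        gaps: Dict[str, List[str]] = {}
        for cid, c in self.controls.items():
            problems: List[str] = []
            if c.owner is None:
                problems.append("no owner assigned")
            if not c.policies:
                problems.append("not linked to any policy")
            if not c.evidence:
                problems.append("no evidence collected")
            for rid in c.risks:
                risk = self.risks[rid]
                if risk.rating() >= self.risk_threshold and not risk.treatment:
                    problems.append(f"risk {rid} rated {risk.rating()} has no treatment")
            gaps[cid] = problems
        return gaps


def build_sample_registry() -> Registry:
    """Constructed sample data; the identifiers and contents are made up for this example."""
    reg = Registry()
    reg.add_policy("Access Control Policy")
    reg.add_policy("Logging Policy")
    reg.add_risk(Risk("R-1", "Former staff retain access", likelihood=3, impact=4,
                      treatment="Offboarding checklist revokes accounts within 24h"))
    reg.add_risk(Risk("R-2", "Security logs not reviewed", likelihood=4, impact=4))
    reg.add_control(Control("A-1", "example-framework", "Access rights review",
                            owner="alice", policies=["Access Control Policy"], risks=["R-1"],
                            evidence=[Evidence("TICKET-101", "2022-01-10")]))
    reg.add_control(Control("A-2", "example-framework", "Log monitoring",
                            policies=["Logging Policy"], risks=["R-2"]))
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    for cid, problems in registry.readiness_gaps().items():
        print(cid, "ready" if not problems else "; ".join(problems))
```

The point of `add_control` refusing unknown policy or risk identifiers is that the cross-links are what the audit walkthrough relies on: a control whose linked policy does not exist would look complete in a spreadsheet and only fall apart when the auditor asks to see it. `readiness_gaps` is the internal equivalent of the auditor's pass over each control, run as often as you like before the audit date.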

Overall, our auditor was quite pleased with the organisation of the ISMS. And that I think comes from having an enforced way of doing things. We were able to do this because of the tool we had built and because of the general approach we always take when we set out to solve a problem.

Takeaways 

Divio’s quick and excellent ISO 27001 certification result demonstrates why our methodology is so successful. We never just build products for the sake of it—there’s always a reason, and this reason always has longevity. We look to develop processes and tools that have multiple functionalities, that deliver on ROI, and lay the groundwork for future projects.

Delve deeper into our way of doing things, and learn more about the GRC tool we built for the ISO 27001 audit here.