Wednesday January 10th 2024
“Article 27001? You mean the Solidus lace-up shoe, extra wide design?” But that was not what our client had in mind when they put this somewhat random number on the table. It turned out to be something ISO-like about systematically organizing and improving your information security. And not only anti-leakage measures (confidentiality), but also anti-corruption (integrity) and anti-downtime (availability).
Okay, we were not against that. With more and more teams, clients and client data, a growth-proof structure was welcome. But optimally, and preferably, integrated into our practice; dusty binders on SharePoint do not help anyone.
And so, with the fresh courage of young Hobbits, we embarked on what turned out to be a quest. Despite tips from experienced clients and guidance, we stubbornly visited an entertaining collection of pitfalls. (Enough bruising for a separate article.)
Our blind spot turned out to be management-system-level thinking. As techies, we delightedly went about polishing information security itself. But the goal was primarily meta: a system and processes for continuous improvement of security, and meta-meta: continuously improving that system and those processes. Continuously, continuously...
In other words, stubbornly going forward, one step at a time. And when a paltry A4 sheet arrived a week or so ago, the sweat was quickly forgotten. Destination reached: all our processes and systems covered, thorough measures set up, and all (meta(meta(meta))) controls managed via our daily GitLab environment. We have been reaping the benefits for some time already: tighter and more consistent processes and configurations, systematic incident analysis, demonstrably in control. And continuous risk-driven improvement: the more often you do it, the more fun it becomes. Rumor has it that some of us use it at home now too.
The Hobbits sleep peacefully again at night. And... they got a nice pair of extra-wide shoes out of it.