ISO 27001 and HDS compliance: a "certified" testimonial

January 04, 2023 - 10 min read

In September 2022, we officially announced that we had obtained our ISO 27001 and HDS (Health Data Hosting) certifications. We are very proud of this!

This news triggered a wave of congratulations and many questions about our approach to the compliance process.

I joined Scalingo as "Head of Information Security" in May 2020, and in this article, I propose to answer some of the questions that come up frequently. So if you want to get started... follow me behind the scenes of these two years of learning.

Management support you will get

I was recently talking to a CTO who said he wanted to embark on an ISO 27001 compliance process.

Surprisingly, he wanted to strengthen security measures on his own initiative, without discussing it with the CEO.

Strengthening security measures can have a significant impact on development times. So I warned him and immediately encouraged him to be well aligned with the management team.

This support is needed to:

Obtain the necessary resources, or even seeking new ones externally
Establish communication processes and collaboration between teams
Prioritize tasks to focus on the safety process
Change the culture of the company

Without this support, you won't get very far. Managers need to be convinced of the opportunities and benefits to the business.

There is no shortage of arguments:

Confronting a standard written by professionals in your field
Engaging the company in a common project, around a quality approach
To be evaluated by an external organisation, without the bias of an internal evaluation
Reaching new markets
Providing levers to reassure key accounts
Improving the overall level of security

But beware, the cost is not negligible. Hence the importance of thinking ahead to identify market opportunities and expectations.

Fortunately, at Scalingo, the co-founders and managers were aware of the security importance from the start. It was in line with this strategy that my job was created: to obtain certifications and maintain a high level of security. The "boss" told you about it in the article ISO 27001, HDS, and SecNumCloud: What does it mean for Scalingo?

To remember

Compliance and increased security measures are software quality improvement initiatives. As such, they have an impact on the famous "Quality-Cost-Delivery" triangle of production and must be implemented in accordance with the company's management and strategy.

With your colleagues, you will do pedagogy

Fictional conversation between a developper and a Chief Information Security Officer:

“ In the software industry, estimation is an elite sport where the best often miss their target. ”

In a startup, efficiency is the key word. Wasted time is a luxury you can't afford.

Telling a developer that he or she will have to add control measures to the development process is a sure way to have lively discussions (!).

In fact, the first interactions between colleagues were not easy when it came to talking about compliance.

Firstly, because the word “security” brings with it fears of austerity and control which can feed the concerns of your interlocutors even before you have opened your mouth.

Secondly, because your colleagues will potentially have a lot of ideas about what to do or not to do. And the most anxious people are likely to project themselves into disaster scenarios.

It took me a while to realize that part of my job was going to be what we call “change management”.

Any change in a company gives rise to “resistance” strategies. Your colleagues have something to gain, but also something to lose.

For a change in the way of working to be accepted by your colleagues, they must first understand the benefits.

Here are some fears that developers may have, objectively or subjectively, when starting to introduce additional security and control measures:

Loss of control: The company may force developers to follow certain rules and guidelines that they are not used to following. This can make some people feel that they are losing control of their work and become a source of stress and anxiety.
Reduced productivity: Development teams may fear that the new information security policy will make it more difficult for them to do their work. This may lead to reduced productivity and efficiency.
Increased workload: Implementing a new information security policy often requires developers to carry out additional tasks and responsibilities that they may not have had to manage before. This can increase their workload and make it more difficult to complete their work in the estimated time.
Conflicting priorities: Developers may fear that the new information security policy will conflict with other priorities or goals they have, such as meeting deadlines or implementing new features. This can create tension and conflict within the development team.
Loss of trust: Startups start with tight teams where everyone shares everything and has access to everything. The compartmentalization of access and information, if poorly explained and understood, can lead to feelings of rejection or loss of trust.

These fears need to be addressed while highlighting the benefits of certification:

Firstly, it can help protect the sensitive information and data you work with on a daily basis. And thus prevent data breaches and other security incidents that could damage the company's reputation and bottom line. Which in turn can help protect the work done and the professional reputation.
Improved overall security culture: Greater employee awareness and vigilance when it comes to protecting sensitive information (including their own) makes work easier and safer. All teams take the necessary precautions to protect the sensitive data they work with.
Another interesting side effect is this one: for many issues there will be likely to be a procedure to follow. Although at first sight one may feel like the main character in the film Brazil, it does increase people's peace of mind, because there is a benchmark I can trust. It will increase the overall quality delivered by the company.
Finally, all the positive effects put forward to management are obviously advantages that will ensure the company's long-term growth and perenniality.

To remember

In the process of compliance, your mission will be to provide constant visibility on the progress of your work and to make the final objective concrete and clear for the whole team.

If you do not have the support of the "core", who will apply the new measures on a daily basis? You will not succeed in transforming practices in the company in the long term.

Your own research you will do

Thanks to ChatGPT for this fictional but very real answering machine message.

“ Hello, this is the representative of the cybersecurity company XYZ. I'm calling to warn you about the risks of a cyber attack. If your business is not protected, you are vulnerable to hackers and data thieves. Don't risk being the next victim, call me back as soon as possible to find out more about our cyber security product. We have the best solutions to protect your business from online threats. Don't wait until it's too late, call me back now to find out more. ”

[The Chief Information Security Officer listens to his answering machine.]

When I took my job at Scalingo, I thought someone had posted my phone number on the DarkWeb. My LinkedIn account started to flood with notifications.

I regularly get calls or contact requests from sales people who have no idea what my company does, and don't know if the tool they offer is of any use to us.

To remember

In the field of cybersecurity, some salespeople play on fear and often promise a "magic" solution to problems that you don't have.

You will therefore need to read up on the different areas covered by security, or you will make the wrong choice.

Having a technical, project management or quality management background is certainly a prerequisite, but fortunately, there is a certain amount of content available online to train you or bring you up to date, such as

Help you should seek

“ Shoshin is a Japanese term meaning "beginner's mind", used in Zen Buddhism and in the martial arts. It is an attitude of humility that the practitioner must maintain throughout his or her progression, regardless of the level reached. ”

Wikipedia

When I started in this field, the first thing I did was to interview startups and players in our ecosystem who were already involved in a certification process: AR24, Synovo, Outscale, Kiwi Backup. Thanks to them!

These interviews were rich in lessons learned. I found common points, good and bad practices

Interviews are not the only way to find information:

Among other companies in your field: your partners, competitors, can they give you information?
Specialized blogs: the net is full of intelligent people who make their experience available to others. The InfoSec community is very open and made up of passionate people who love to share their knowledge.
Developer or CISO groups, Meetups: there is nothing like having an IRL conversation with people to share your findings. You don't have to reveal trade secrets to share your knowledge with others!
Consultants: through your network, you will discover that the world of security is very fragmented and everyone wears several hats: consultant, developer, auditor... Get help from the best! (Hello François and Matthieu!)

To remember

Cybersecurity is a field that evolves so quickly and is full of so much information that you can't be satisfied with your skills alone. Networking, leaning on others and sharing knowledge is essential.

A budget and a schedule you will establish

After studying the subject and doing a pre-audit, we had to face the fact that it was going to be expensive...

To have the means to match our ambitions, we had to set up a budget.

I got out my best spreadsheet, my memories of my life as an entrepreneur and I started to draw up the budget.

It was very interesting! Because to do it, you have to consider assumptions (number of tasks, task durations, company growth, number of tool licences). To refine it, it requires very enriching conversations with the teams.

At the same time, it allows you to think about the planning: what to do first? What is a prerequisite?

To remember

Getting involved in a certification or compliance process is going to cost you a lot. The cost will depend on a lot of factors. But you can be sure of one thing: getting started without having planned a budget, an objective and a timetable is a recipe for failure.

Intelligently you should outsource

“ The successful warrior is the average man, with laser-like focus. ”

Bruce Lee

At Scalingo, our mantra is to help tech teams focus on their added value, i.e. the code that will help the customers.

InfoSec is a field where you have to constantly juggle between two imperatives: outsource too easily and get locked into a proprietary solution, or persist in solving yourself a problem that others solve better than you.

The question of "build or buy" has often arisen and we have always taken the following approach: try to do it ourselves to understand the difficulties. Then, if we reach the limit of our capabilities, we find a trusted subcontractor that meets our security requirements.

For example, Scalingo relies on Outscale's IaaS services which are ISO 27001, HDS and SecNumCloud compliant.

To remember

Learn the difficulties of implementing different security measures in order to understand the constraints, and then outsource effectively.

Strengths of the company you should use

The 12 labours of Asterix (Goscinny, Uderzo), looking for the pass A38

As I counted the number of documents we were going to have to write and review, I was very afraid. Afraid of the complexity of document management, of versioning hell and of going back and forth. So I didn't want to go in the direction that some colleagues had chosen, based on Word documents, nor did I want to introduce a new tool. Notion, which we use internally, did not offer me the traceability and formalism I needed.

We therefore chose to use existing tools and build on them.

At the same time, it was also a way to put some code into my daily life, I love developing.

So we used a static blog engine (Gridsome) to write and collaborate with colleagues on Markdown files and build an intranet of security policies. Git gives us traceability and versioning, and we are free to generate a PDF and an HTML version while controlling the layout and still having a textual version.

Similarly, as far as development is concerned, there is no need to modify the current Pull Request-based processes, which provide sufficient traceability. Developers are already doing PR and code reviews, just make sure that this process is followed consistently.

To remember

There is no need to turn your company's operations upside down. You probably have good practices that need to be strengthened, tools that just need to be set up properly to bring you into better compliance.

Follow the adage "If it works, don't fix it". Only if your tools reach their limits should you consider changing them.

In short

The certification process is an undeniable asset for a company. It demonstrates a certain maturity and provides an objective assessment of the security process.

The human and financial effort is no less significant. It is necessary to be attentive to the relevance of the target standard and to be realistic about the deadlines and speed of compliance, while taking into account production requirements.

Communication throughout the project and constant dialogue with the teams, by calling on their skills and the tools already deployed, is the key factor in a smooth deployment.

Finally, it is important to be surrounded and to consult multiple sources of information, building up a personal background to form your own opinion.

These are some of the lessons learned on the road to certification. I wanted to share them both to answer the questions I've been asked and to help people who are hesitant to start.

Next Scalingo step on the certification road: SecNumCloud!

Share the article