Hacker News
by getoffmyyawn 1245 days ago
I'm currently working at a mid-size startup that is undergoing ISO27001 certification. A lot of the complaints we are getting from employees are similar to the contents of this article.

Part of my job is training our staff on the new requirements. They question everything from why each individual has to badge in one by one to why doors can no longer be propped open. Why can they no longer access company resources with personal gear? Why can't they install whatever they want on their company gear? It goes on and on.

My answer is always the same: in order to be certified, we need to show that we have demonstrable, verifiable control over this (for example, entry logging).

1 comment

Away from standards like that, we also sometimes have requirements from clients' compliance people, and "what they don't know won't hurt them" (which some would love to get away with) doesn't, can't, wash. We will directly lose work, or the chance to bid for it, if we don't comply or can't demonstrate compliance. People moan less about some inconveniences if it is explained as "because jobs or bonuses may be at risk if we don't comply".