[fareesh]

A lot of startups move fast with a small team.

You build something great and big corporation X wants to buy a subscription but you need to be certified.

Much of this is a good checklist but some of it is very european.

"Where is the risk register to track controls in your 7 person company?"

Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.

You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.

What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.

[jordigg]

SOC 2 is mostly about proving you do what your policies say, and there’s more flexibility than people think.

For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.

That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.

Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.

[fareesh]

It ends up being a LARP

In reality the starting point itself is something absurd like "all vendors must be ISO certified no exceptions"

Nobody wants to be the person who says an exception is ok in this case, so you get lumped with having to certify.

Now your color palette generator startup is doing ISO certification. You are holding quarterly "information security governance meetings" and maintaining a risk register for... "blue vs slightly different blue".

Many such cases.

[IgorPartola]

Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product but I cannot use it because my procurement process is as long and winding ad the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don’t they get a competitive advantage over me by having a better process and as a result getting better vendors?

[mushufasa]

Unfortunately in most cases the buyers have way more liability/risk using a small vendor than opportunity. Often this is coming from regulators in certain industries.

In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.

[bartman]

I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.

CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.

[1970-01-01]

The risk register is ISO 27001. The "I" in ISO doesn't stand for Internet, it stands for international. You shouldn't be doing business with international customers if you don't have a risk register, which is why they're requesting it.

[fareesh]

The D in Democratic People's Republic of Korea means it should be democratic so why is it a dictatorship?

The world doesn't work based on abbreviations. It's very normal for any company to ask you for ISO 27001 whether international or otherwise.

[SkinTaco]

Why is the line drawn at being international?

What is it about customers in Ethiopia that necessitates this? What is it about American (non-international) customers that doesn't require a register?

[hsbauauvhabzb]

Shouldn’t according to who? Who appointed ISO to say what should and shouldn’t be done?

[1970-01-01]

The majority of countries that do business today have backed it. You are welcome to ignore it and work against the 160 countries that are using it.

[hsbauauvhabzb]

who. Countries are not people.

[1970-01-01]

You can just Google this. https://www.iso.org/who-develops-standards.html

[phyzix5761]

What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.

[eikenberry]

That is "a" purpose of a business, but not the primary purpose. The primary purpose of business is to provide a service or product people want. You can want profits all day long but if you don't have something people want you don't have a business.

[bandrami]

If the purpose of every business were making profits every business would be a hedge fund (at which point there could be no hedge funds, but that's a separate issue). Profits are a necessary component of a businesses's activities, but not its purpose.

[throttlebody]

I would argue that profits are a result of what you do and not the purpose... Obviously intertwined but that's why its important to pick something you like

[ljm]

Maybe you suouldn't be hacking due diligence if your team isn't ready for it

[ceejayoz]

Isn't ready for, or doesn't need?

I had to have meetings with… myself, at times, for compliance reasons.

[kingjimmy]

"is very european." ... aa yes consumer protections. very european.

[fareesh]

This assumes that there is only 1 way to protect consumers

[Bombthecat]

Going through this with a medical startup... We have like 2 developer. But to get investment, put the app online etc. We need to fill out those paperwork... For things which just don't exist...

[sidewndr46]

Isn't the point of the paperwork to get you to make those things exist?

[troupo]

> We need to fill out those paperwork... For things which just don't exist...

Things like what? HIPAA?

[michaelt]

> Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.

Have you considered that the kind of companies that demand SOC2 compliance would be happy to pay extra for SOC2 compliance, if you offered it as an optional add-on costing $200k per year?

[bob778]

$200k is more for FedRAMP or PROTECTED+, but I think you’d be able to create a “compliance” addon for $20k quite successfully.

[bradfox2]

This is as designed to gatekeep these customers. Those in control of the checklists stand to benefit.

[troupo]

Translation: all your rules and regulations are crap, and we don't want to comply with any of them.

When in reality most rules and regulations are not crap, and you should care about them.

Especially when your startup advertises compliance with HIPAA (medical records), PCI-DSS (payments data) and a bunch of other data protection standards and regulations.

[fareesh]

Data protection is a tiny component of what certifications like ISO and SOC2 involve. The data protection stuff is welcome and often pre-existing, the other stuff is what annoys people.

[ozim]

Most rules and regulations are not crap.

But whole compliance industry is crap.

One way they inflate expectations to extract money the other way they cut corners to rubber stamp BS to make it as cheap as possible for themselves.