by crote 38 days ago
I'm currently at a small startup trying to do ISO 27001. A big issue we run into is that there simply aren't enough people. For example, the processes are built around having one person who writes code, and another person who reviews the written code. That's obviously impossible as a solo dev. You also need an internal auditor, who obviously needs to be separate from the operations team.

If I recall correctly the minimum in a standard setup is 9 roles which cannot overlap. You're going to have a very hard time doing that as a solo entrepreneur, so you'll probably need to find someone who is experienced in making unusual setups like these compliant - which isn't going to be cheap. Even after that there's a pretty decent chance you'll end up needing to hire 3rd-party services in order to be compliant: our "internal" auditor is just some big firm doing it for us.

3 comments

We've been ISO 27k certified for years now. ISO 27001 relies heavily on risk documentation and mitigation; you can get around the separation of roles by calling them out as individual risks and making sure the appropriate authority signs off on them (i.e., have an email from the CEO saying "I delegate Bob to create policies and sign off on them, and also perform our internal audits. I recognize the risks this creates but due to our size we accept them at this time.")
Right but at n=1 you are writing the policies, reviewing them, signing off on them yourself, raising risks, then ducking out the back and running out again with a fake mustache so you can accept the risks you raised... regarding yourself... lol.

Audits rely on a _certain_ amount of ceremony and theatre.

However, since you typically pay for audits / certifications yourself you might find someone who is willing to entertain the charade if you shop around enough. Probably a solo auditing firm :)

I offered self-hosting to bypass this. It did the trick and I was able to convert the enterprise customers where compliance was a red line.
We are a team of 1 developer and 1 sales/marketing and are fully certified. You can hire an external auditor for the internal audit. We have AI code reviews, so we don’t need an extra developer.
Anyone who certified you with AI code reviews is a moron.
Ironic
> We have AI code reviews, so we don’t need an extra developer.

You can streamline this and remove the developer as well and then of course you can streamline this even further and remove the sales/marketing person and just have AI run it all :)

Let me guess: certified by Sprinto?
No, we are EU based and used a local certifier.
lol