Last week, as I sat across from our ISO 27001 information security auditor, watching them strenuously work through our documentation, a thought struck me:
Here we are, a software company, with nearly all of our operations running in interconnected digital systems, yet the core of our business—our policies, procedures, and organisational structure—is a basic collection of documents.
It just felt ironic. We use advanced tools to automate compliance checks, store our code in version-controlled repositories, and manage our infrastructure as code. However, when describing and managing our company, we resort to digital paper and tidbits of info distributed across people in the building.
The disconnect became increasingly apparent as I reflected on our day-to-day process: 90% of our products, documents, communication, and decision-making live in digital channels. That’s data. It lives in the cloud, spread over SaaS solutions that specialise in handling individual work processes—all systems with robust APIs and programmatic access.
At the centre of it all sits a lonely island of documents: our ambitions, goals, policies and formal structures. And I think those are pretty important.
Our security posture was solid before we even considered ISO 27001 because we’d already worked hard to comply with our customer’s requirements. Between collecting evidence for controls, arguing about and updating policy wording, document review, and the actual audit, we spent hundreds of additional person-hours that could’ve otherwise been spent creating great products for our users.
A missing link
If we desire operational data to be so rich, why do we accept organisational data to be so sparse? We’ve revolutionised how we handle infrastructure with Infrastructure as Code (IaC), how we manage deployments with GitOps, and how we handle security with Policy as Code.
We see the benefit.
But when representing our organisation (the beating heart of our operations), we apply old-school methods.