International standards: Which one is for me and how do I get started?
Security like I'm five

In the final post of this series I'll do a recap, deliver some personal opinions and give you a little nudge in the right direction.

In this post
- 🪙 My two cents
- 🫂 With a little help from my friends

My two cents
I really like this metaphor, you know: "my two cents". In some currencies two cents has value and in others it's worthless. Just like a personal opinion. I think people sometimes forget the most important part of that sentence. Personal.
So before reading this post, keep that in mind. It's my personal opinion.

And it's the best opinion out there! Nah, jk, jk.
Let's get back to the subject at hand though: international standards. I hope it's clear by now that each standard has its own use. If that didn't stick, go through the previous post in this series (again).
In this last post I'll help you start your certification journey.
Two questions remain:
Should I? And if I do, which one?
For some companies it's easy. If you're working with payment cards, you're often forced by the payment card provider to follow the PCI DSS. Clear as day. Companies working in healthcare are often required to take up ISO 27001 or NEN 7510, etc. But most companies don't have to, yet. They should though! Here's why:
- In time, you'll have to. I've seen an enormous rise in the "need to comply". So better start now, so that you won't be run off your feet. If the time does eventually come that you're forced to do some sort of ISO or other, it will always hit you at a bad moment. As stated in the previous post, these procedures can be quite lengthy and resource intensive. The more time you have, the better.
- It's worth it. As a start-up, no, but if your company is maturing it's good to test your readiness and think about processes for information management. Regardless of whether you're at 25 or 2500 people.
So that tackles the "should I?" question. Now, which one?

I wish it was this easy
Let me break it up into a few categories, that'll make things easier:
- Your company has to comply with standard X. Easy, do standard X. D'uh?
- Your company doesn't have to comply, but you want the full-package certification. Depending on your industry, I'd go for ISO 27001. Time to put on your big boy pants. It makes you think out a lot of processes, but it doesn't focus on specific tools and isn't IT heavy. If you ask me this is the standard of standards, so you can't go wrong with that one.
- Your company doesn't have to comply, but you want to do things properly. I'd go for something a bit more IT heavy. If you're more traditional, go with the PCI DSS. Although there is "payment card" in the name, the PCI DSS really is a good guideline on how IT and infrastructure should be secured at the basic level. When I first read the PCI guidelines I was surprised at how easy and sensible most of it is. Basic stuff anyone can and should implement. If you're cloud heavy or think you've got the basics sorted, check the Cloud Controls Matrix, also very well written. Much more IT savvy though.

With a little help from my friends
Last words of wisdom from this guy. Get help. No, not from a shrink this time. Help from a professional who knows how certifications work. Who knows what an auditor is looking for. Who can help you from start to finish. Yes, it'll probably cost some, but it'll be worth it.

And after all, GOTTA SPEND SOME TO MAKE SOME, RIGHT? hahaaa yeaaaah booooyyyyy

It's been a ride people, honestly. Since this newsletter started I've been focusing on making security stuff understandable. The security weekly is random news, which translates easily. This was a whole new level. This was a test for me to see if I could make a rather difficult and - let's face it - boring subject compelling, interesting and understandable for all. I hope I've given you some stuff to think about. Let me know what you think about it, and what I can do to make it more kickass next time.