Overview
A blockchain infrastructure provider in scale-up mode, expanding globally and attracting institutional investors, suddenly had to conform to the most stringent security and governance requirements. But complying with arcane standards such as ISO 27001, NIST, and SOC 2 posed significant challenges.
Key Challenges
Establishing an ISMS and quickly achieving ISO 27001 certification faced a few challenges for this innovative company:
- compliance requests from established players entering a new market
- defining the ISMS scope for a technical innovation
- a globally distributed, remote-first workforce
Outcome
To overcome these challenges, we:
- developed a multi-year ISMS strategy
- balanced the organisation’s and customers’ immediate needs
- established processes for addressing risks in the long-term
This allowed us to maintain a culture of innovation while balancing institutional-grade security and governance.
Key to success was establishing an ISO 27001-compliant ISMS. Globally recognized, it allowed us to satisfy the broadest set of requirements while achieving certification in just a few months.
Challenges in depth
Compliance demands from institutional customers
A key challenge that organisations face with innovation is that customers themselves are often working from static or outdated information security requirements. Requests come in as thousand-question spreadsheets or as online versions of SIG CORE.
This creates a situation that pits sales & marketing people against security and engineering teams. It slows down sales cycles and sucks up precious time from engineers and tech leads. They should be writing code, not filling out compliance forms and going to meetings.
Responses can get locked up in endless interpretations about things that are often in flux and in-progress.
Information security compliance shouldn’t slow innovation and sales cycles.
Solutions
Key to overcoming this problem is taking the perspective that infosec is part of the overall product development lifecycle. Deciding which security compliance requests are valid means understanding both businesses. This is the essence of an ISMS – agreeing on what’s valuable and where the risks are within a specific business context.
Rather than a hindrance to sales and innovation, customer compliance requests should be taken head-on and considered as an expression of customer needs, even if they’re sometimes misguided.
Working with customers to interpret their requests into the language and perspective of new technology is important. It is also important to understand that, as customer compliance requests evolve, you have to prepare your organisation to respond.
By working out information security requirements alongside all other client requirements, rather than treating them as an absolute, scary thing that happens on its own off to the side, you are able to rationalise and prioritise the requirements to everyone’s agreement, and move forward using normal product development strategies:
- agree on a baseline of MVP processes, even if they are manual and basic
- develop prioritised backlogs, with an eye toward automation, APIs, and dashboards
Finally, where needs are urgent, or limited to a small customer, develop bespoke service agreements. Sometimes a customer requirement can be very expensive to service relative to your overall service and business models. Not everything has to be systematised, but every risk must be managed.
Security requirements don’t have to be a cost centre. When treated correctly, they can be an asset to your business.
Defining ISMS Scope, Assets, and Risk for Blockchain Platforming
One of the first exercises that many organisations go through when embarking on the ISO 27001 certification journey – or developing any ISMS – is called a “gap analysis”, where experts query the organisation to determine what the scope of the ISMS is. Too often the biggest gap is between the team that developed the innovation and compliance experts who are neither experts in the business nor technical experts. Often, this is the source of problems, or even failure, for ISMS efforts.
For an organisation selling an innovative product or service into a banking organisation, the questions can be pretty big:
- how do you define an asset in this context?
- what’s in / what’s out?
- what are the risks & how do we measure them?
- whose responsibility is it and when?
In an environment where valuable encryption keys are required at various stages, where server downtime carries financial or other penalties through slashing, and where global legal compliance requirements are emerging day by day, these questions take on new weight.
Solutions
Bridging the gap between the various parts of the organisation requires a wide and varied skill set.
First, working with the legal and sales teams to understand the nature of the service is key. It helps to have a background in providing enterprise services, to understand how compliance requirements are first manifested, then negotiated, and finally set in the legal agreements that are a foundation of an ISMS scope.
For this effort, it was also important to have a deep understanding of providing cloud services and especially with multi-tenancy platforming.
Of course, it is not possible to be an expert at everything. However, with years of start-up and enterprise technology development and delivery, along with strategic analysis and consulting, getting up to speed with this blockchain technology vertical and identifying its key factors did not take long.
Finally, knowing how to define an asset – a thing of value – is about combining all of the above into components of measurable risk to the whole endeavour.
The scope is what you, your customers, the law, and your context say it is. Understanding all of them to develop a solid scope requires the ability to work across all areas in depth.
A Globally Distributed, Remote-first Workforce
As an organisation that took off during the COVID pandemic, and one that needed the best talent available anywhere in the world, thriving meant looking to the future of work. A globally distributed workforce has many advantages, but governance processes can be difficult to establish. Many enterprise practices are still predicated on everything being on-site. However, having no fixed location does not mean having no risks.
Beyond the risks of location-less and home working, ISO 27001 compliance issues extend to HR & Legal: data privacy and retention requirements vary globally.
Finally, asset management for device lifecycles presents new and interesting risks and challenges. Global supply chain challenges combined with international trade restrictions can make the simple act of getting a laptop in someone’s hands a challenge. Doing so securely is another thing altogether.
Solutions
The key to managing an organisation that is not always in the same place at the same time is capturing risks and best practices quickly and communicating them across the organisation as policies and procedures.
A clear information security policy for home & remote work addressed risks such as working in cafes and shared spaces, as well as home networks. Operational practices such as use of VPNs and hotspots were also enacted.
Finally, special attention was given to global distribution and management of devices. This included mobile device management that balanced cyber security risks with the reality that developers require open access.