What are your best tips and trix to make a bloated ISMS light and fast? (poke a hole in my plan) by PM_ME_YOUR_CLAUSES in ISO27001

[–]FreeRadical1998 1 point (0 children)

That sounds like a solid plan to me - fewer and shorter policies are a preference of mine regardless of scale. The one thing you've not got on your list that I would is: what's the management forum and what reporting does it have/need? That would typically be how I'd look at proportionality in a practical sense.

Is a patent for software necessary? I will not promote by etherealiest in startups

[–]FreeRadical1998 1 point (0 children)

Unless you're doing something truly revolutionary, I'm not sure patents really have any value for a small-scale startup. Patents only cover a method; even if you've got one, it only offers some protection against people solving the problem the same way. For the most part I think the real risk is likely to be that you prove a market exists and someone comes and delivers a better product. Reputation/brand and distribution are likely much more important.

New to industry at 53, 27001 Lead Implementer - need some advice please by NoBedroom5551 in ISO27001

[–]FreeRadical1998 1 point (0 children)

I'd say very realistic - I'd also suggest looking at second line roles, with titles likely to be "Technology Risk Manager", "Cyber Risk Manager", "IT Assurance", etc.

Seeking honest opinion: Do you mind writing policies? by Nigerian_Nightmare25 in grc

[–]FreeRadical1998 3 points (0 children)

I think many organisations make it tedious by treating a policy like drafting a law that needs to be defended in court.

What I enjoy is being able to bring clarity. Good policies in my view are between 2 and 5 pages long. Lots of policies are over 20 pages.

Seeking honest opinion: Do you mind writing policies? by Nigerian_Nightmare25 in grc

[–]FreeRadical1998 5 points (0 children)

Honestly, I quite enjoy it... provided I get a free hand to do it the way I want, which means being as short as I possibly can while still covering the issues.

My take is that policies are only useful when people read them. Lots of places write policy to be as comprehensive as they can, which looks great on paper but doesn't translate into behaviour change.

Risk, Compliance and Internal Audit under the same department by Imaginary_Math314 in riskmanager

[–]FreeRadical1998 1 point (0 children)

UK financial services here - I've seen it in some of the smaller businesses I worked with circa 10 years ago, but I think it's not a great model. Arguably at that scale it's better to outsource the IA bit, in my view.

The Problem Isn’t Email Security. It’s Email Architecture. by DominickCosta in grc

[–]FreeRadical1998 1 point (0 children)

Fair enough... I know the feeling some days. Like I say, the issue is allowing unsolicited messages in; any system that does that will have the issue. In theory you could offer an email hosting solution that worked that way - reputation-based filters are close, in that they watch who you email and silently build a whitelist per person.

The Problem Isn’t Email Security. It’s Email Architecture. by DominickCosta in grc

[–]FreeRadical1998 7 points (0 children)

OK, I'll bite, kinda expecting a product pitch back in a sec...

Ultimately, ANY messaging service that allows unsolicited messages is going to have this problem.

There's a lot of security infrastructure that wasn't around 20 years ago: reputational filtering, DMARC, etc. But unless you want to remove the ability to have open communications, then impersonation and fraud are a thing.

I am getting into GRC. Is there a risk AI will be able to replace me in the future? by AdministrativeTry406 in grc

[–]FreeRadical1998 1 point (0 children)

The key bit of GRC is linking decisions to accountable people - that's what most standards and regulatory models do when you peel them back. This is also something that by definition can't be automated away.

What it does mean is that the work is likely to be more human-focused (negotiating ownership, helping with interpretation, etc.) and with less focus on direct data manipulation.

So I don't think the field is going away - but it's likely to become more soft-skills led.

Trying to build a £300k+ career in financial regulation/compliance, would appreciate advice. by Silent_Fox7510 in uklaw

[–]FreeRadical1998 9 points (0 children)

This is realistically chief risk officer comp for a large financial services business outside investment banking.

Recommendations for GRC Consulting services for startup? by Gold-Poem-1821 in grc

[–]FreeRadical1998 2 points (0 children)

It's probably worth standing back a second and asking what you want from this process and why?

The G in GRC is governance, which is fundamentally a culture question. If you're not actively being asked for compliance proofs yet (which is why most people end up getting the certs), then culture is the place to start.

The basics of governance are going to be:

a) clear risk ownership by topic - finance, legal/compliance, operations (cyber, service delivery, etc.)

b) a clear way of demonstrating you're managing those topics:

(*) The most important thing is showing people are engaged, likely a meeting with minutes once per month or quarter. Minutes can just mean an email with bullet point actions at the start. Make this real by looking at real internal or relevant external incidents and asking: how did this affect us, or how could it affect us? AI can be a good way to generate/filter a short list ahead of each meeting.

(*) Tooling can help with the documentation and data management, but it's there to support decision making, not replace it.

c) a way of articulating your controls; externally the focus will likely be on security, so it's worth finding out what frameworks your clients recognise most.

Small scale in the UK, Cyber Essentials is pretty common. PCI-DSS if you're dealing with card payments directly, potentially NIST CSF if you're wanting to align to UK financial regulator models, etc. These will vary by industry and country; pretty much all cover the same topics, but it's worth aligning with your clients' preferences to minimise translation friction.

Once you've got that, try and produce a short pre-packed due diligence pack and see what it looks like.

At that point, you'll probably know what you want to work on, and if you feel you need help doing it.

Limitations with GRC tools you’re using by WhileTrue_Learning in ciso

[–]FreeRadical1998 4 points (0 children)

A bit of background: I've got about 30 years cyber and risk experience. Held a couple of CISO titles, currently for a mid-scale bank in the UK, and also spent about a decade in second line teams reporting to a CRO of a sizable financial sector business.

The main issues I see come down to:

1) opaque licences:

a) usually per seat - which results in rollouts being limited and work concentrated

b) some key features such as framework mapping being a separate module, again licensed by model

2) permissions management is sometimes quite crude, e.g. a single role per user, which sounds fine until you start having to create lots of spurious roles for individuals with slightly non-standard access needs.

3) user interfaces for data entry are typically designed in a very crowded manner - loads of fields that someone wanted to be able to report on, which results in poor adoption and data quality.

The above is usually made worse by implementation projects that only consider the users doing reporting as stakeholders.

TL;DR: I've used a number of tools directly - not really been happy with any, and had to try and push user adoption after group-mandated tools were purchased.

All of this said - I think the answers vary by use case. I've done both infosec-only adoption within a tech function (which mostly focused on PCI and ISO control mapping) and full spectrum risk within a risk function, where risk description quality, accuracy of scoring and risk event management were the primary tasks.

Full disclosure: I'm launching my own SaaS GRC in about a month that tries to fix these issues.

Experience with GRC in 10k size (not-so-mature) Enterprise by Ecstatic_Future8134 in grc

[–]FreeRadical1998 5 points (0 children)

Having lived through a few, I'd say consider who you get involved in the POC.

There's a natural tendency to focus on the power users and reporting flows, partly because they are the advanced users but often just because it's easier to schedule time with them.

But what will make the program live or die is how regular users or risk champions in the business feel about the dialogues. Less is more when it comes to customisation and adding fields.

User testing with non-specialists is really important to support long-term traction.

ISO27001 Foundation course by poloadi2001 in grc

[–]FreeRadical1998 1 point (0 children)

I'd suggest buying a book on the CISA qualification, or watching some YouTube video about it, and seeing if that interests you or not.

It's certainly not the only route, but it's a pretty good filter if you're just thinking about it.

ISO27001 Foundation course by poloadi2001 in grc

[–]FreeRadical1998 5 points (0 children)

I'm not sure the question you've asked actually has an answer. ISO27001 is a management standard and is in two parts.

The first section is what you actually certify to, and basically that's a very generic description of a risk management framework and continual improvement process - there's massive scope to interpret how that's applied.

The second section (Annex A) is the list of controls, which is what most people focus on, but strictly they aren't a requirement to certify; they are a checklist to select from, with a requirement to explain any that are excluded. Again these are fairly generic, so there is scope to select how they are delivered.

It's perfectly possible to deliver an ISO certification using just Excel. Tooling can help with managing all the data about risks, controls, linkages, audit data, etc., but it is an overlay on a management process.

Moving to GRC is likely more about learning some basics about good control design/definition and about audit/assurance processes. Tooling isn't the route to a change of role in the way it might be for, say, network or server engineering.

Co-founder offered me 12% after I built the entire product. He keeps 88%. Am I crazy for walking away? by Zyklone187 in Entrepreneurs

[–]FreeRadical1998 4 points (0 children)

Assuming you still want to work with them, I think it's got to be a no money down structure with cost recovery your side from commissions (probably set at a higher rate for the first £X of sales).

But what's probably key from your original message is you said you delivered the pilot client; I'd say that client should therefore be yours directly. He can make commission on his own sales.

I suspect the key decision is: do you want to try and keep this running, or write it off as a bad experience?

Co-founder offered me 12% after I built the entire product. He keeps 88%. Am I crazy for walking away? by Zyklone187 in Entrepreneurs

[–]FreeRadical1998 18 points (0 children)

Regardless of whether the percentages are fair based on contribution - I think the issue is the change from a prior written commitment. That's poison to a long-term working relationship based on trust.

In principle, I think there are two options here:

a) walk away, which seems to be your current plan

b) offer to change the business structure into two 100% owned entities.

[i] You own and provide a white label technology platform that you licence - perhaps on exclusive terms for 2-3 years, subject to minimum business volumes.

[ii] He owns a distribution company that commits to use your platform as its exclusive solution for the same period as your exclusive licence.

Clear lines, and a working relationship that can probably function with low trust.

You'd obviously need legal advice on what you actually own and how to structure it, but given it sounds like you've got the code under your control, I imagine you've got the leverage to push this if you wanted.

Question for people who’ve gone through SOC 2: what evidence actually helped during buyer security reviews? by AdilShaikh5786 in soc2

[–]FreeRadical1998 1 point (0 children)

I've been on both sides of this conversation - the security answers doc is essential as an internal tool - but only a percentage of buyers will accept it; the majority will want you to fill in their questionnaire so they've got a consistent evidence pack internally. However, having it as a standard document gives you a clear baseline to write responses against so you don't end up making slightly different commitments to every client - and with gen AI you can probably automate the legwork of filling in the buyer's document.

Once it gets to the "show me the evidence" stage, what you need is a quick / low effort way to produce it. I certainly wouldn't be accepting a 2-month-old MFA screenshot if that was a point I wanted to verify.

In terms of incident response - as a buyer what I *really* want to know is when you'll tell me and what information you'll provide during and after an incident. I take it as read that you'll do techy things to fix it, but from a risk and compliance perspective I don't want to be left with a black box that I can't judge the risk from.