logoalt Hacker News

dijksterhuistoday at 11:16 AM1 replyview on HN

one reason (among others) — compliance.

a corporate/b2b saas environment without stuff like this is often a non starter.

- SOC2

- ISO/IEC 27001:2022

- ISO/IEC 27017:2015

- ISO/IEC 27018:2019

- VPAT 508

https://about.gitlab.com/security/

no mention of these on the forejo site, so i can’t put “our internal software is all SOC2/ISO NUMBER compliant” as a bullet point on a slide deck.

it is theatre. but it’s industry theatre.


Replies

bogwogtoday at 2:30 PM

Aren't those about organizational processes instead of just specific software features? For example, I don't think self-hosting gitlab is enough to claim ISO/IEC 27001, just based on this snippet from wikipedia:

> ISO/IEC 27001 requires that management:

> Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;

> Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

> Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.