Comment by Keyframe

I went through the process and while it seems it's daunting, it's just a bunch of work and some cash. Once established it's also transformative (or should be) on your ongoing processes and practices. You codify those into a bunch of documents (jesus, that's a lot of documents type of thing) and provide evidence for each; Auditors latch onto those randomly. It's then your job to upkeep documents and evidence which can be helped with tools that have frameworks for those. We use drata and it's really simple and helpful to use.

I don't think you would be able to be compliant as a solo dude though, not easily. A bunch of protocols and practices revolve around governance, handovers, failovers, risk mitigation etc and if you're the only guy there's a hard path ahead. Are you reviewing and approving your own code that goes to production? If things go down and you're the first to call (let's say by automated alerting) and you're not available, who is the next one to call as in what's the documented succession plan or automated remediation.. etc.

Compensatory controls do not strictly require a human, they require mitigation of risk associated with a single human. You'd have to automate a lot of these governances "gates" then. So it would be possible, since evidence you would have to provide is work not org-chart, but it'd be a ton of work.

I went into it thinking I need to answer these 167 documents and provide evidence on an ongoing basis, but it actually also transformed the way we do things. I think for the better. At the end of the day, I also think this can be gamed as probably most certificates, but it's not worth it and transformation you go through makes sense.