Notes on compliance tools.

November 22, 2020. Filed under: compliance, notes

Recently I’ve been chatting more with Chris Stobie, Calm’s Engineering Director of Infrastructure (obligatory, come work with us!), about how we can get more value from our compliance work. As any company starts selling and partnering with larger companies, the size and quantity of security reviews increase, and fulfilling some of the better-known security regimes is the most reliable way to reduce that overhead.

To learn a bit from the community, I tweeted out asking whether folks thought highly of the various related compliance tools and platforms out there, and I've collected the notes here.

Some of the considerations to think about:

  • Are you willing to use the compliance work as an opportunity versus just an obligation? If you treat this as purely a burden, you'll get very little out of the process.
  • Which regimes do your (enterprise) users want from you?
  • Multi-tenant versus single-tenant – how well protected and isolated is your compliance data within these platforms, given that it often includes evidence such as access lists, audit logs, and policy documents?
  • How much of the verification is automated versus just a checklist for you to follow?

Most commonly used tools:

Open source tools:

Some useful links and such from the responses: