drunomics GmbH
Security- und Risiko-Management
Description
In his devjobs.at interview, Jeremy Chinquist of drunomics talks about how the company handles security and risk management and which standards it adheres to.
Video Summary
In Security- und Risiko-Management, Jeremy Chinquist outlines his company’s path from early change tracking and access policies to a tailored ISMS and toward ISO 27001 certification with planned internal and external audits. He explains how to make security measurable with KPIs and treat risks systematically—accept, mitigate with additional controls, transfer (e.g., insurance), or avoid—supported by contingency planning. The takeaway for tech teams is that, despite upfront cost, well-documented processes speed incident recovery, improve organizational readiness, and reduce audit effort, patterns they can adopt in their own security programs.
ISO 27001 done pragmatically: Security and Risk Management at drunomics with Jeremy Chinquist
What we learned from “Security- und Risiko-Management” (Jeremy Chinquist, drunomics GmbH)
In his session “Security- und Risiko-Management,” Jeremy Chinquist of drunomics GmbH outlines a practical path from early, ad‑hoc security practices to a structured and auditable security organization with a clear goal: ISO 27001 certification.
The central message: information security is not a state; it is a continuous process. That process requires structure (ISMS), measurement (KPIs), regular audits, and a deliberate approach to risk—acceptance, mitigation, transfer, and avoidance. Yes, there are costs. But focusing only on cost is the wrong lens. The right investments reduce risk exposure, shorten recovery time after incidents, and create day‑to‑day efficiency through documented processes—from onboarding to offboarding.
“Information security is a progressive process. This process must be continuously evaluated and reviewed. One of the most important points is measurement.”
Where drunomics started: early security culture, limited structure
drunomics placed emphasis on security early on. The team used ticketing (U‑Trac) to document organizational changes, ran processes to track changes consistently, and maintained extensive documentation on security and access settings: roles, access rights, and even which passwords people were allowed to use.
The picture Jeremy paints is familiar: many companies already do the right things—often informally and scattered. Without an overarching structure, the security payoff stays limited. Documentation exists, but connections and responsibilities are not always aligned. Processes run, but they’re not systematically measured. The long‑term fix is to organize this work through an Information Security Management System (ISMS) and enforce measurement with clearly defined KPIs.
Why ISO matters: standards as orientation
Back in 2014, drunomics decided to pursue ISO certification. Jeremy positions ISO as an international federation of organizations and companies that define standards against which individuals and firms can be certified—demonstrating that required security and organizational criteria are met.
The ISO 27000 family of standards addresses information security, with variants for general information security, cloud‑based services, cybersecurity, and even AI. The landscape is dynamic; new rules are emerging, particularly around AI.
The practical value of standards is orientation. Instead of treating security as a pile of individual measures, standards help you build connected processes and make their effectiveness demonstrable. It’s not about “doing a lot,” but about documented, auditable practice—doing the right things and proving it.
ISMS: from a collection of practices to a system
The cornerstone of the transformation is the ISMS—the Information Security Management System. Jeremy calls it “nothing more than a framework,” but it’s a framework with real impact. An ISMS must be tailored to the company. Templates exist, but fit matters.
He highlights building blocks such as:
- Change management processes
- Checks around user reliability
- Many small, interlocking steps of day‑to‑day operations
His observation: “Most companies already do this, but usually in an unstructured format.” At drunomics, these parts were gradually structured, which made them governable and measurable.
Measurement as a security engine: define and use KPIs
Measurement is a recurring theme in the talk. drunomics worked with a consulting firm to define KPIs—key performance indicators—and to define its security process. These KPIs create a backbone for continuous security work because they make progress and change visible.
KPIs should show “the changes in the company and the progress” in the context of preparing for and maintaining ISO certification.
The effect is straightforward: if you measure, you can evaluate; if you evaluate, you can prioritize; and if you prioritize, you can allocate resources effectively—even in an area that is often abstract. KPIs give leadership and teams a shared language for security decisions.
Audits as a cadence: internal, external, and cyclical
The next milestone on the timeline: internal and external audits in the coming six months, with the aim of achieving ISO 27001 certification.
Jeremy also frames the ongoing cadence: every three years, an external audit is performed, during which the organization must demonstrate that it continues to uphold the standards. Good preparation pays off—if security processes are truly lived and documented, the external audit becomes easier, saving time and money.
Risk management without illusions: accept, mitigate, transfer, avoid
Jeremy is explicit that no company can reduce risk to zero.
“A company cannot completely reduce itself and make itself risk‑free. That is not possible.”
What is possible is deliberate risk treatment:
- Accept the risk: the default if you don’t analyze it.
- Mitigate the risk: add checks and balances to reduce exposure.
- Transfer the risk: insurance shifts the financial impact, not the cause.
- Avoid the risk: design it out when feasible. Not every option is realistic—physically moving an office is not always viable—but measures to avoid specific risks still belong in the mix, as do contingency plans.
The strength of this framing is its realism. Not every risk can be insured away, and not every avoidance tactic is practical. But a conscious portfolio—acceptance, mitigation, transfer, and avoidance—paired with contingency planning is achievable and necessary.
Costs are real—yet the wrong primary lens
Jeremy doesn’t gloss over costs. An ISO 27001 journey incurs visible expense:
- Consulting
- Adjustments related to the office
- Documentation standards
- Printed documents
- Practically a full‑time person dedicated to ISO‑related work
His counterpoint: if you primarily view this as costly, you’re looking at it the wrong way. The right way is to look at outcomes.
- Reduced risk: when an event happens, the organization can respond to get back online sooner and return to normal workflows earlier.
- Documented processes and management attention: leadership stays engaged with the substance of security work.
- Organizational readiness for change and adaptation: clearer definitions when people leave or join the company.
- Easier audits: if you do it right, the audit process is simpler, which saves money.
This is a pragmatic stance that translates security into operational resilience: faster restarts, clearer routines, and less friction.
Editorial reflections: engineering takeaways from the session
From our DevJobs.at editorial perspective, the session provides a hands‑on blueprint for engineering and IT teams:
- Security is ongoing, not a one‑off project.
- Structure beats patchwork: an ISMS organizes what teams already do and makes it auditable.
- Measurement is mandatory: KPIs are the lever to make progress visible and steerable.
- Audits create a healthy tempo between day‑to‑day practice and certification.
- Risk treatment relies on four options—acceptance, mitigation, transfer, avoidance—plus contingency plans.
- Costs are offset by resilience, smoother operations, and simpler audits.
We map these insights to a practical implementation path that follows the contours of Jeremy Chinquist’s talk.
A path to ISO 27001 readiness: a structured progression
1) Make the current state visible: tickets, processes, documentation
drunomics did not start from scratch. Existing building blocks included:
- Ticketing (U‑Trac) to track changes
- Processes to keep changes consistently traceable
- Extensive documentation of security and access settings (roles, access rights, and the passwords people were allowed to use)
The lesson: what already exists becomes an asset once it’s folded into a system (the ISMS). Start with visibility: What’s in place? What’s reliable? What applies across the organization?
2) Establish the ISMS—tailored, not templated
The ISMS is the working scaffold, not a rigid template. It must fit the organization. The talk mentions change management processes, checks concerning user reliability, and many small steps.
The key message is that “most companies already do this,” just not in a structured way. Formalizing everyday practice, interlocking the pieces, and making them binding is where the gains come from.
3) Define KPIs—with expert support
drunomics worked with a consulting company to define KPIs and the security process. KPIs serve as the objective thread across the work—they make company change and progress visible over time.
The value isn’t the numbers alone; it’s the discipline to measure regularly and learn from it. That feedback loop sustains continuous improvement.
4) Plan audits—and use them as learning cycles
Internal and external audits are scheduled over the next six months, aiming for ISO 27001. Audits test whether processes are lived practice. An external audit occurs every three years. Good preparation reduces effort and, ultimately, costs.
5) Treat risks deliberately—plus contingency
No system removes all risk. The four methods—accept, mitigate, transfer (e.g., via insurance), avoid—form the toolbox. drunomics explicitly includes contingency planning: What do we do when an event happens so we can become operational again sooner? This is where the economic benefits materialize.
6) Put costs in context—resilience as the outcome
Consulting, office‑related adjustments, documentation standards, printing, and what amounts to a full‑time person—these are real. The payoff comes in faster recovery, clearer day‑to‑day operations, auditability, and management attention. Measuring effects shows that costs are proportionate—and that poor audit preparation itself drives avoidable expense.
Engineering lens: what teams can apply immediately
The talk translates cleanly into practical action items for teams that want to align security with day‑to‑day engineering:
- Use ticketing as the backbone: capture changes centrally as a living knowledge base.
- Document access and roles: who has which access and on what basis—including clear password usage policies where applicable.
- Establish an ISMS as the organizing frame: bring existing practices into a coherent management system.
- Define and use KPIs: measure what reflects change and progress; report, reflect, and adjust regularly.
- Design for auditability: build processes that can be demonstrated in internal and external audits.
- Treat risks as a portfolio: explicitly accept, mitigate, transfer, or avoid—and add contingency plans.
- View costs as investment in recoverability: prioritize getting “back to normal” faster over line‑item budget views.
These are not flashy tools; they are disciplined practices. That’s precisely their strength.
A dynamic standards landscape: cloud, cybersecurity, AI
Jeremy underscores that information security is a dynamic field. Within the ISO 27000 family there are standards for general information security, cloud‑based services, cybersecurity—and “even for AI.”
The implication for teams is simple: the environment moves. An ISMS is protective precisely because it emphasizes continuous evaluation and adjustment. Regular measurement and structure keep you aligned, regardless of which part of the standards landscape evolves next.
Why documentation makes leadership easier
A commonly overlooked benefit Jeremy calls out: solid, current documentation reduces friction during transitions. When people leave or join, responsibilities and access are more clearly defined.
Management “will pay attention” to handling these elements, which results in better readiness for change. Organizational clarity at the seams—where errors tend to occur—is a core advantage of structured security work.
Audit fitness as a by‑product of good practice
Another effect Jeremy emphasizes: well‑defined, lived processes pay off twice. First, they improve actual security—made visible via KPIs. Second, they simplify audits.
“If you do this right, you save money, because the auditing process is easier.”
This is a grounded way to view certification: a good audit is not a paper win, but proof that the organization is operationally capable and resilient in day‑to‑day practice.
Bottom line: a realistic, implementable path
Jeremy Chinquist’s “Security- und Risiko-Management” session at drunomics GmbH showcases an approach that avoids buzzwords and centers on organizational discipline:
- Existing building blocks (tickets, processes, documentation) become a system via the ISMS.
- Measurement (KPIs) makes progress objective.
- Audits provide cadence and validation.
- Risk management balances acceptance, mitigation, transfer, and avoidance—plus contingency planning.
- Costs are real, but recovery and resilience are the real metrics that matter.
Follow this path and security improves not only on paper, but in daily operations. That is the strength of the approach outlined here: it shows how to turn security from a side project into a core part of how the company is led.
Concrete takeaways for teams
- Start with what exists: ticketing, documentation, lived processes—then bring order to them.
- Formulate an ISMS that fits your company.
- Define KPIs that make progress and change visible—and work with them in a regular cadence.
- Plan for internal and external audits as learning loops.
- Treat risks explicitly across all four modes and add contingency plans.
- Consider costs in light of resilience, recovery, and auditability.
That is how to build what Jeremy describes as a progressive process: security work that is measured, reviewed, and improved—and that delivers on its promise.