Let’s face it, navigating compliance frameworks like SOC 2 can feel like playing a game where the rules are hidden, and the next step is to keep moving. That’s why many businesses turn to SOC 2 automation platforms to lighten the load. Sounds great, right? Well… not always.

ISO 27001 is a global standard for Information Security Management Systems (ISMS) and it provides a framework to help businesses manage and protect sensitive data through risk management, security controls, and ongoing improvements. At its core, ISO 27001 is about people, processes, and technology working together to secure information.

In business, customers, investors, and partners want to know that their data is in safe hands before doing business with you. That’s where SOC 2 compliance comes in. If your business handles customer data, achieving SOC 2 compliance can be a game-changer for helping you stand out in a crowded market and unlock new business […]

Building trust is crucial for any business, especially when dealing with customers, investors, and partners. Many people or businesses believe that getting security certifications like ISO 27001 or SOC 2 is the only way to prove they take security seriously. But the truth is, businesses can earn trust even before having these certifications. To implement […]

Thinking about getting security certifications like ISO 27001 or SOC 2, you might ask “do people really care?” The answer is Yes! Certifications aren't just fancy badges; they help your business earn trust and close deals. Customers want to know their data is safe. Certifications prove you're serious about protecting their information. The certifications matter […]

Startups move fast and security certifications like ISO 27001 or SOC 2 might not seem like a priority when the team are busy building groundbreaking features. But ignoring them could cost your startups, especially as you grow and try to win deals from big clients. Both ISO 27001 and SOC 2 global security frameworks help […]

For all businesses, security compliance is crucial for building trust and ensuring the protection of sensitive data. Many businesses aim to get ISO 27001 or SOC 2 certification to improve their credibility and security posture. But the big question is “Can a business get certification independently, without the help of a consultant?” Technically speaking, yes! […]

Getting ISO 27001 certification is a challenging and yet exciting step for startups and SMBs that want to boost their data security, earn customer trust, and meet regulations and industry requirements. Some might worry about the costs, but don’t let that hold you back! The total cost of getting ISO 27001 certification typically affected by […]

Staying compliant with standards and regulations such as ISO 27001 and SOC 2 is more important than ever in 2025. With new or updated data protection laws popping up, growing cybersecurity risks, and industry-specific guidelines, businesses need smart software to keep up and stay compliant. The right tools can simplify employees' tasks, ensure continuous compliance, […]

Achieving ISO 27001 certification is a significant milestone for any business looking to manage strong information security. It’s not only demonstrated your commitment to data protection but also increased your customer trust and compliance with regulations.

Businesses need to prioritize security and compliance in this era where data breaches and cyber threats are uncontrolled. Two of the most recognized frameworks for demonstrating strong security practices are ISO 27001 or SOC 2 certifications. But do they really matter for your business success? Let’s explore how these certifications can impact your company! Your […]

Compliance is a set of efforts ensuring that a business follows rules, laws, and regulations. Consider compliance to be comparable to following traffic laws. Stop signs and speed limits are examples of traffic laws that help everyone drive safely and properly. You face the risk to be fined or getting into accidents whenever you break […]

Businesses face increasing cybersecurity threats and regulations, creating compliance challenges, especially for smaller companies. FEHA's cross-compliance strategy simplifies this by identifying common requirements across various standards (like PDPA Singapore and ISO 27001). This approach, using AI and expert guidance, helps businesses achieve multiple compliances efficiently, saving time and resources.

2022 is about to end. But I won’t let it pass without a self-reflection on how FHIC performed throughout the year and plan to progress in the coming year of 2023. Looking Back Overall, 2022 is a fantastic year for FHIC. In summer we officially opened a new company in Indonesia, PT Comply System Indonesia, […]

When running a business, many (potential) customers/clients require certifications before committing to long-term collaborations. Certification serves as a crucial validation of your processes, demonstrating that your company adheres to accepted global standards. Take ISO 27001 as an example. This certification is commonly accepted as a standard that your organization has put strong information security management […]

Globally, the rapid pace of technological development and its widespread integration into daily life have sparked a rise in laws and regulations related to data protection and privacy. Lots of countries are actively introducing their own national laws and compliance frameworks to address their unique needs, resulting in a competitive dynamic where governments strive to establish themselves as leaders in the cybersecurity and privacy realm.

Globally, the rapid pace of technological development and its widespread integration into daily life have sparked a rise in laws and regulations related to data protection and privacy. Lots of countries are actively introducing their own national laws and compliance frameworks to address their unique needs, resulting in a competitive dynamic where governments strive to […]

Cybersecurity is critical for small businesses, but many assume that effective protection requires a hefty budget. However, there are numerous affordable cybersecurity tools and methods available that provide robust protection without draining resources. In this article, we explore some cost-effective cybersecurity shields that small businesses can use to safeguard data and operations. Updated Device […]

This is a common question, especially since many organizations are cautious about the costs associated with penetration testing. Let’s break down what you need to know. Understanding ISO 27001 and ISO 27002 First, it’s important to understand the relationship between ISO 27001 and ISO 27002. ISO 27001 is the standard that outlines the requirements for […]

Implementing ISO 27001 can be challenging, especially without dedicated support from management. To overcome it a clear plan involving excellent communication, showing the benefits, and building a security-focused culture are needed for all companies. Here are some simple strategies to gain management support for ISO 27001 implementation: 🔑 Educate and Inform Management Start by educating […]

In the competitive world of startups, securing investment and achieving growth are essential. One powerful yet often overlooked tool is ISO 27001 certification. This international standard for information security management can be a game-changer for early-stage startups, providing a solid framework for managing sensitive information and building trust with stakeholders. Here is why every forward-thinking […]

In 2024, it's surprising how many companies still insist on forcing their employees to change passwords every 60 to 90 days. Some organizations, including those that already ISO 27001 certified, even configure their systems to enforce these frequent password changes as a matter of compliance. But is this approach still necessary in today’s cybersecurity landscape? […]

Nowadays, rapid growth and innovation often take priority over security. Yet, with the rise in data breaches and cyber threats, protecting your startups' information assets is crucial. ISO 27001, the international standard for information security management, provides a comprehensive framework to secure your business sensitive data and enhance its reputation. ❗❗ ISO 27001 is Crucial […]

Achieving ISO 27001 certification is a significant milestone for any company, signaling a strong commitment to information security management. However, maintaining this certification requires ongoing effort and a proactive approach to continuous improvement. ISO 27001 emphasizes the importance of continuous improvement as a core principle. This involves regularly reviewing and enhancing your information security management […]

In today's digital landscape, small businesses often rely on their software developers or network engineers to handle information security tasks. However, when the CEO announces the need for ISO 27001 certification, a globally recognized standard for information security management, these technical experts usually find themselves facing an unprecedented new challenge. They suddenly must not only […]

ISO 27001 certification stands out as one of the most effective ways to enhance a tech startup's security posture. This framework not only strengthens internal controls but also prepares the company for independent audits, further solidifying public trust. However, newly established tech startups often face challenges when implementing ISO 27001. While software solutions can streamline […]

No business can operate without third parties. In our connected world, the security of these third parties is critical, especially with new regulations like NIS2 and DORA in Europe. In the past, an ISO 27001 certificate or SOC 2 Type II report was sufficient to show how secure a third party was. But now, that's […]

As an early-stage tech startup, you’re probably bombarded with advice about getting ISO 27001 certification or SOC 2 Type II attestation. It’s true that these certifications are crucial for doing business with larger companies, but do you really need to rush into them from the get-go? The short answer is: not necessarily. Here's why you […]

In today’s fast-changing digital world, keeping up with security standards like ISO 27001:2022 is more important than ever. This standard includes control 6.3 which focuses on information security awareness, education, and training. Many companies understand the need for security training when new employees join and during annual refreshers. However, with cyber threats evolving so quickly, […]

Last week, the Pusat Data Nasional (PDN) in Indonesia suffered a significant cyber incident, due to a ransomware attack which has affected over 210 institutions and disrupted numerous public services, including immigration and online student registrations. This incident has raised critical concerns about the state of cybersecurity in various government agencies, highlighting a pressing need […]

In the world of cybersecurity, live training (either in-person or in a webinar format) is our go-to method for teaching in companies, non-profit organizations, and education institutions. We've found it way more effective than just showing recorded videos. And this is reflected into 20+ training sessions we conducted throughout 2023. Why Live Training Rocks Live […]

Many people believe or aspire to pass ISO 27001 or SOC 2 audits in weeks. But that's not the right and sustainable path to go with if you are serious about security at your company.

“Vanta guided us…. and we got SOC 2 Type II compliant in just a few weeks” says a testimony written in Vanta’s website. And many other fantastic companies also claim how powerful their compliance management software is. Yes, those GRC (Governance, Risk, Compliance) automation software can be very helpful but you cannot depend only on […]

If you feel overwhelmed reviewing numerous vendors, don’t give up. We have some tips to simplify your job and help you work smarter, not harder. In this article, we will share our advice on how to effectively review all of your vendors in less time. On one hand, you understand the importance of regularly reviewing […]

Integrating third-party services demands thorough due diligence, a complex process involving multiple departments like Legal and Security. To make this efficient, organizations should adopt standardized checklists, consolidate vendor requests, leverage automation for repetitive tasks, and foster cross-functional collaboration to streamline the entire assessment process.

Recently, I had the privilege of attending a brief yet insightful meeting with a group of talented techpreneurs from Indonesia. It was a fascinating experience to witness firsthand the remarkable skills and innovative solutions that this vibrant community has to offer. During the meeting, it became evident that Indonesia boasts a pool of highly skilled […]

Recently, I had the privilege of attending a brief yet insightful meeting with a group of talented techpreneurs from Indonesia. It was a fascinating experience to witness firsthand the remarkable skills and innovative solutions that this vibrant community has to offer.

In the realm of cybersecurity and privacy, cultural perspectives play a vital role. Each country has unique cultural references and values that shape its citizens' views on these issues. As cybersecurity professionals, we must expand our cultural understanding to effectively address these challenges. The Impact of Cultural Reference and Values: Culture significantly influences how people […]

Last week, I was at the Hannover Messe 2023 and was blown away by the innovative tech offerings from Indonesian companies. However, while their tech is impressive, I noticed that many of them may be missing a crucial piece of the puzzle when it comes to going global - security and privacy compliance. In today's […]

As someone interested in staying abreast of cybersecurity incidents, I was intrigued by a video featuring a YouTuber who fell victim to session hijacking. Despite the unfortunate situation, the video offered transparency and a touch of humor while educating viewers on the tactics used by the cybercriminals. While session hijacking may be unfamiliar to many […]

On Friday, March 17, 2023, the Indonesian Embassy in The Netherlands received cybersecurity awareness training from FeHa International Consulting. The training, aimed at improving the embassy's staff's knowledge of basic cybersecurity practices and enhancing digital trust, covered topics such as good password practices, the importance of updating operating systems and applications, and how to prevent […]

Managing third-party risks has become a critical aspect of cybersecurity for businesses of all sizes. As companies increasingly rely on external vendors and partners to support their operations, the potential for data breaches and other security incidents grows. In an effort to mitigate these risks, many organizations utilize third-party risk management programs, which often involve […]

Working on third-party security risk assessment or due-diligence means that you are eventually use one of the so many cybersecurity rating services to expand the coverage of your review. You may thought in the beginning when designing the program "We cannot just rely on security questionnaires or pentest report from few months ago or (almost) […]

For the past week, people are very chatty and critical about LastPass security incident news. On our Twitter and LinkedIn feed, people are even rushing to change from LastPass to other providers such as 1Password or Bitwarden (note: our team use Bitwarden). Despite all the lite and heavy discussions about third-party managed password managers, we […]

Most people know about Blog. But why we added a new section called Commentary? In the past months our team had been discussing a lot about the impact of Twitter's new management style and the future of it and other social media platforms. As much as we love platforms like Twitter and LinkedIn to interact […]

We hear you loud and clear! In this post, we will try to answer all questions related to the ISO 27001 that often come to us from prospective and current clients. If you prefer to read it on some other time, you can download the page in PDF by clicking this link here. No contact […]

Many organizations ask what’s the importance of obtaining ISO 27001 certification or SOC 2 Type II assurance audit if they still receive security questionnaires from their potential customers? Maybe that’s your question too. Your team is overwhelmed with security questionnaires coming from every customer. You are thinking of cutting this job out by having ISO […]

Are you aiming to get an ISO 27001 certificate soon? Are you wondering whether you need special software and/or an external consultant to pass the audit and warrant getting the certificate? This article tells you the conditions under which you need the specialty software and/or external consultants. The last part guides you in making decisions […]

Do you want your business to be digitally secured? In this article we will give you a simple and no-cost tip that may save you a dozen hours of confusion and frustration because of an act of cybercrime. Anyone can be a victim of cybercrime. Both big and small companies.

Although many believe that completing security questionnaires is just a compliance theater to win new sales, we at FeHa International Consulting argue that there are still good things that can be derived from asking and answering these questions for a secure and compliant relationship between buyers and sellers. Unfortunately not all Third Party Risk Management […]

Customers and other sensitive information security is of paramount importance in this digital age. To show potential and existing customers how serious vendors take care of their own data and their customers data, many organizations pursue either ISO 27001 certification or SOC 2 independent attestation.

Nowadays ISO/IEC 27001 has (almost) become a commodity product. From its full title in the certificate “Information technology - Security techniques - Information security management systems - Requirements”, we perceive that companies certified with this ISO standard have adopted good management systems capable of holding their information assets secure.

Hopefully after reading my last post here, you have a clear understanding that not all ISO 27001 certificates are the same. The scope can vary and not all suppliers understand that they cannot “re-use” their hosting partner’s ISO 27001 certificate to claim that themselves are certified.

In the coming months this blog will focus on my personal experience with ISO 27001 and SOC 2 from the perspective of managing third party security risks, especially the cloud based application vendors. Having reviewed countless assurance documents in this area, I think it’s fair to say that I have seen the sheer differences of […]

I shall start with a disclaimer that I’m writing this solely based on my short experience working first hand with security questionnaires. In the past, as auditor and then second line security officer and risk manager, I was just at the receiving end of the assessment completed by the first line officers.

Potential Client: “Ferry, my supplier has a SOC report. And I don't see any finding there. Can I say that everything is fine, everything is secure? The report was prepared by one of the Big4s.“ Me: “Not yet. The report is not everything. We need to do more than just relying on a SOC report. […]

Gartner, according to the article shared by one of my contacts in LinkedIn, predicts that by 2025 40% of Boards will have a dedicated cybersecurity committee. It’s a good news for Cybersecurity and GRC professionals of course. But I’m challenging this movement with a question “Do we really need a dedicated committee to get cybersecurity […]

For the past week my Twitter, LinkedIn and Facebook timelines were busy with people discussing the updated Terms for WhatsApp. This update eventually lead to a lot of noise and many people looking into alternatives like Telegram or Signal. Whether people truly and fully migrate from WhatsApp or not, I guess only time will tell, […]

If there’s one thing that always guides me staying true to my north in performing any tasks related to Governance, Risk Management, Compliance (GRC) and Cybersecurity for the past 10 years, it would be diligently asking “WHY”. Simple but powerful. Common sense yet effective. In many cases, I have encountered that “WHY” is the right […]

I’m sure every household must have a “weird” moment where the conversation between husband-and-wife is very unusual, that is a waste when not shared. This is mine on this morning, 31 October 2020 (note: it is a translated version, because at home we are speaking Bahasa Indonesia) A (me): ...relaxed while watching My Next Guest Needs […]

Compliance isn't the goal; security is. In years of working in IT and security, many people focus too much on getting certified, like ISO 27001 or NIST, thinking they’re safe. But being compliant doesn’t always mean you’re secure. All these frameworks are helpful. The key is choosing one, following the basics, and improving. Don’t just try to pass audits, but focus on truly protecting your business and your customers. Security is a long journey, not a quick win. Aim for real protection, not just a certificate on the wall.