Brokenhouse
Back to Startup playbook
Guidance

Policies and procedures

Useful for

StartupGovernanceISO 27001

Introduction

Policies describe intent. They say what the company believes, what standard it is trying to meet and what behaviour is expected.

Knowledge scope

This is startup-specific guidance in the public playbook. It is framed around the Company Ready -> POC Started decision point and the practical trade-offs a small company faces while moving from idea to Production.

Why it matters

Procedures describe how the policy is carried out and how evidence is produced. That distinction matters for startups because lightweight policies can still create strong operating habits and better customer onboarding.

How it fits the playbook

This reference supports the Company Ready -> POC Started stage of the startup CTO playbook. It gives the public context for the decision without exposing the deeper assessment method behind the agentic operating model.

Design considerations

  • Use ISO 27001 as a baseline without pretending early certification is the goal.
  • Start with core policies for access, change, data classification, data protection, logging, secrets, incidents, backups, suppliers and devices.
  • Include document management so policies have owners, versions, reviews and approval evidence.
  • Let AI draft, but require people to read, challenge, approve and own content.
  • Back every policy with a procedure that can produce evidence.

What good looks like

The company has short, useful policies, practical procedures and evidence that the documents are controlled, reviewed and owned.

How Brokenhouse helps

Turn this into a practical plan.

I help technology teams turn this guidance into decisions, implementation plans, governance evidence and production-ready operating models.

Talk through your situation

Next guidance

Related decisions to work through

Ops

Is the company ready?

The first few months of a software business are not just about building the product. They are about creating the conditions that allow the product to be built, deployed, governed and supported without the company tripping over its own foundations.

Ops

Can we start the POC?

Before starting the POC, there is a small amount of governance that should be put in place. This is not about slowing the team down or pretending to be an enterprise. It is about creating enough shape that the first few months do not become a mess of forgotten passwords, inconsistent names, unclear decisions and accidental access.

Data

Are we ready for a Pilot?

Before moving from POC to Pilot, the company needs a data governance baseline. This is separate from technical governance. Technical governance asks who can deploy, who can access Azure and how the environment is built. Data governance asks what information the company collects, where it is stored, why it is allowed to hold it and how it protects it.