Why did I build my own platform?
Throughout more than a dozen years of working in quality, information security, risk management, and compliance, I have observed that the biggest gap between theory and practice appears at the moment of implementation. That is why I created SecureHaveNET – my own platform that serves as an experimental proving ground where I can test and refine approaches related to GRC, ISO/IEC 27001, PDCA, and risk management in a real-world environment.
SecureHaveNET was born out of a simple need to test theory in practice. It is about testing my skills in various roles and, ultimately, documenting these experiences not only for myself but for others as well.
GRC in practice – or is it just an abstraction?
For many, GRC is just a collection of rules.
I feel it differently: for me, it is the operating system of my project.
Managing the domain and structure of SecureHaveNET was not limited to uploading a simple index.html file to a server. It was a choice of conscious hierarchy and architecture. In this context, GRC became for me a set of questions about purpose, risk, and compliance.
Governance: This is my vision. Does this name, this structure, and this skeletal framework of the site actually fulfill the goal of creating a substantive knowledge proving ground? A haven that not only develops me but also inspires and is useful to my readers.
Risk: This is the ability to anticipate what could destroy this vision – from architectural errors and performance issues to a lack of substantive content for the reader.
Compliance: This is the verification of whether what I implement is consistent with the established quality standards and my own expectations.
Only when I defined GRC in this way could I proceed to actual construction – and it was right here, in the process of constantly checking this consistency, that my PDCA-based approach was born. Below, I present how I have translated these assumptions into specific areas of risk and technical solutions.
PDCA in practice
One of the reasons this project proved so valuable was the opportunity to observe the PDCA cycle in action, where every phase is crucial.
Plan
In my assessment, one of the most frequently neglected elements of planning is requirements analysis and risk assessment. An idea alone is not yet a project; it must be translated into specific requirements, constraints, and expected outcomes.
Risk management begins with the very first decision
Building the platform was an exercise for me from the very beginning. Each design decision came with specific benefits, costs, and potential threats.
Therefore, risk management was present from the start as part of the planning stage. Not in the form of a formal register, but as a continuous process of identification, assessment, and decision-making.
Although I did not maintain a formal risk register, my decision-making process was very similar to the approach used in professional business projects. First, threat identification. Then, impact assessment. Finally, choosing the appropriate risk mitigation actions. Before selecting the final solution, I tested various options, analyzed pros and cons, and considered the long-term consequences of every decision.
| Risk Area | Risk Description | Control (ISO/IEC 27002:2022) | Mitigation Strategy (Actions) |
|---|---|---|---|
| Hosting and domain | Domain reputation and user trust | Annex A 8.20 (Network security) | Ensuring confidentiality and integrity via TLS/SSL, securing DNS records, and periodic service health checks during technical reviews. |
| Site performance | Slow operation and negative user experience | Annex A 8.26 (Application security), Annex A 8.25 (Secure software development life cycle) | Optimization of code architecture, elimination of unnecessary dependencies, and rigorous performance verification in the development process. |
| Quality of solution | Discrepancy between expectations and the final effect | Annex A 8.29 (Information security testing) | Functional and security testing, review audits, and an iterative PDCA approach. |
| Security and architecture | Risk of unauthorized access or poor navigation structure | Annex A 8.25 (Secure software development life cycle), Annex A 8.26 (Application security) | Security-by-Design architecture, protection of the admin panel access with 2FA, and ensuring navigation integrity. |
| Data transmission protection | Risk of data leakage or session hijacking (tabnabbing) | Annex A 8.24 (Cryptography) | Implementation of HTTPS, enabling HSTS (HTTP Strict Transport Security) headers, and isolation of external links via
rel="noopener noreferrer" attributes. |
| Legal requirements | Risk of non-compliance with data protection, copyright, and trademark laws | Annex A 5.2 (Roles and responsibilities), Annex A 5.31 (Intellectual property) | Implementation of a disclaimer and privacy policy, and obtaining consent for the use of external trademarks. Clear assignment of responsibility for legal compliance. |
| Information backups | Data loss due to failure or error | Annex A 8.13 (Information backup) | 3-copy strategy (Local, Server, Cloud); verification of data integrity during every synchronization and file versioning. |
| Change management | Introducing unstable solutions to the production environment | Annex A 8.32 (Change management) | Use of modular CSS architecture and technical commenting; verification of changes in a local environment prior to deployment. |
| Dependency on external tools | Loss of control over the project and "artificial" solutions | Annex A 5.19 (Information security in supplier relationships) | Sovereignty principle: prioritizing self-hosted/vanilla code over third-party generators and SaaS services. |
In the case of SecureHaveNET, the planning phase included selecting the platform's technology and architecture, as well as defining requirements regarding security, performance, regulatory compliance, and ensuring an intuitive and comfortable experience for users.
Do
After the planning phase is completed, the actual implementation of the project begins. This is where theory meets practice.
During the development of SecureHaveNET, it often turned out that technically correct solutions did not always meet expectations regarding performance, ergonomics, or visual consistency.
Prototypes and testing various solution variants were also essential elements. Thanks to this, some flawed decisions were eliminated before the actual implementation began (though not all of them).
Therefore, the implementation did not consist solely of writing code. It also included testing different concepts, analyzing results, and continuously adjusting the project to the established goals.
Optimization: Performance vs. UX
Many optimizers fall into the trap of removing all interactions to gain milliseconds. I chose a compromise. I realized that the site should be not only fast but also useful. The results show that it is possible to reconcile these – while maintaining animations and dynamics, I achieved significant progress.
Conscious security (Supply Chain Security)
During development, I made the decision to abandon external libraries (CDN) in favor of local resources. In the era of supply chain attacks ("Trojan horse" in external code), I considered moving all scripts to my own server to be the only way to achieve full control. This approach forced better code organization but gave me peace of mind – if something doesn't work, the issue is mine, not the provider's.
Professionalism built on details: From general to specific
True professionalism does not end with a vision – it is realized in the details. My approach, based on top-down design, combines strategic frameworks with technical optimization. It is the sum of "invisible" decisions that builds the final effect.
- Security: Implementation of HTTPS, rigorous configuration of CSP (Content Security Policy), and protection against tabnabbing attacks (rel="noopener").
- Performance: LCP optimization from 6.2s to 0.7s through precise adjustment of the main thread (TBT) and resource formats.
- Semantics and Accessibility: Implementation of a clean HTML structure that improves indexing (SEO) and accessibility (A11y).
- Risk Management: Transparent communication of disclaimers and visual segregation, treated on par with technical safeguards.
The PDCA Paradox: Why I stopped chasing microns and seconds
As someone rooted in quality, I naturally strive for perfection.
However, I quickly noticed that endless PDCA iterations can become a trap – leading to "project freeze" through analysis.
I realized that it is scientifically proven: the constant pursuit of the ideal kills progress.
My approach changed to a "small steps" technique:
I realized that I am not chasing microns, but value. A completed project that works correctly is worth more than an ideal prototype that never saw the light of day.
Check (Audit)
For me, an audit is not just a formality, but primarily an opportunity for verification and learning (ISO/IEC 27001:2022, clause 9.2 Internal audit). Of course, one could outsource an external audit, but in this case, I decided on self-verification. In practice, this meant analyzing metrics such as loading time, number of requests, link security, as well as assessing compliance with requirements. Audit results — non-conformities and items for improvement — open the way to real improvement.
Both formal audit assessments (e.g., compliance classes) and ongoing process metrics serve as real tools that precisely indicate what needs improvement. (ISO/IEC 27001:2022, clause 9.1 Monitoring, measurement, analysis, and evaluation).
| KPI Indicator | Desktop (07.04) | Desktop (08.06) | Mobile (07.04) | Mobile (07.04) | Progress (Desktop) | Progress (Mobile) |
|---|---|---|---|---|---|---|
| Performance Score | 39 | 63 | 49 | 90 | ▲ +24 pts | ▲ +41 pts |
| Accessibility | 89 | 91 | 88 | 90 | ▲ +2 pts | ▲ +2 pts |
| Best Practices | 50 | 58 | 50 | 100 | ▲ +8 pts | ▲ +50 pts |
| SEO | 92 | 100 | 92 | 100 | ▲ +8 pts | ▲ +8 pts |
Scale explanation:
- 0–49: Critical (Requires intervention)
- 50–89: Needs optimization
- 90–100: Optimal
Comparison of performance and technical quality indicators
- Performance - Page loading speed and responsiveness (key for UX).
- Accessibility - Inclusivity and page adaptation for users with disabilities (WCAG).
- Best Practices - Code hygiene and technical security (e.g., HTTPS, lack of outdated libraries).
- SEO - Search engine visibility (site structure, indexing, meta-data).
In conclusion, the results confirm the effectiveness of the implemented optimizations. The performance growth (+24 points for desktop and +41 points for mobile) and SEO +8 points for both prove the validity of the project assumptions. Currently, technical stability and a high UX standard remain the top priority. The remaining areas for improvement have been included in the backlog and will be addressed in the next PDCA cycle.
Act
For me, every audit and metric is an entry point into the improvement process; both are essential and complement each other. If we do not know what needs improvement, we cannot develop.
I often hear: »why another audit if things were fine?«. For me, it's not nitpicking, but an opportunity for verification: is it safer, faster, better? An audit for the sake of an audit is a waste of time. Real value lies in the Act phase, where audit results are translated into concrete actions.
Key lessons
I have learned a lot, but I present the two most important lessons below.
The SecureHaveNET project confirmed an observation I see daily: success rarely depends on a single tool, technology, or procedure. Far more important is the decision-making process, the ability to identify risks, and consistency in continuous solution improvement.
Regardless of whether we are building a website, developing OT systems, implementing ISO/IEC 27001 requirements, or preparing an organization for a TISAX® audit, the fundamental principles remain unchanged:
Theory exists to be applied in practice, and every choice should be an informed calculation.
In my decision-making process, facts are crucial. I always compare options: what risks does solution A carry versus solution B? What is the cost of implementation, and — most importantly to me — is there a more creative path? I am an advocate for finding optimal solutions; I know that a higher cost does not always translate into greater security or better quality.
These lessons allow me to better understand organizational challenges. In this project, I faced the essence of GRC: how to balance the profit and loss statement with risk reduction, using limited technical resources.
Summary
I treat GRC as a map. Governance sets the direction and boundaries (frameworks), informing you where you are headed and which standards you must follow to maintain compliance and security.
In turn, the PDCA cycle is like both a compass and a lever. It is a mechanism used in daily work to get closer to the designated goal. Thanks to the Check and Act stages, PDCA allows for real-time course correction, verifying system performance, and implementing necessary optimizations.
The values of these areas complement each other – one without the other is insufficient. GRC without PDCA remains only a theory, while PDCA without GRC becomes wandering without a purpose.
Within just a few months, SecureHaveNET has transformed from a simple technical project into an environment enabling the practical testing of GRC, information security, risk analysis, and continuous improvement topics. Thanks to measurable KPIs, regular reviews, and the PDCA methodology, this project has become living proof of the effectiveness of the mechanisms I use in my daily professional work.
References and source documents
- ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements.
- ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection - Information security controls.
Q&A: GRC, Risk Management, and PDCA in practice
What is GRC from an engineering perspective?
It is a precise division of roles in the process of creating secure systems:
- Governance sets the framework and direction – it dictates "how it should be".
- Risk Management is a continuous process; every threat must be assigned to a specific project and updated in real-time.
- Compliance is nothing more than technical verification that our assumptions are fully realized in code and infrastructure.
In this view, the engineer's role is crucial: they not only overcome technical obstacles and implement code, but they take full responsibility for ensuring the solution is resilient against identified risks and fits perfectly within the set framework.
Why are ISO/IEC 27001 and ISO/IEC 27002 the foundation of my project?
These standards impose rigor that verifies the resilience of a solution. During audits, I learned that paper procedures without technical evidence of effectiveness are worthless. SecureHaveNET is an attempt to practically meet these requirements.
How does the PDCA cycle prevent stagnation in projects?
PDCA forces continuous questioning that goes beyond basic security: "Is it safer?", "Is the content quality at the highest level?", "Do the site's responsiveness and ergonomics still ensure a consistent and pleasant experience for the user?".
Without the Check and Act phases (audit and improvement), a project becomes a "set and forget" product, which is a critical mistake in information security and quality management. Thanks to PDCA, each iteration of the SecureHaveNET platform is not just a "fix," but a conscious process of raising the project's maturity – technically, substantially, and visually.
Risk management: a formality or a necessity?
It is an absolute necessity that goes beyond filling out tables. In my view, risk management is not "registers for the sake of registers," but a natural element of architectural planning – every project, process, or product requires understanding what could cause it to fail to perform its function.
As an auditor, I don't just look at dry KPIs because they often mask real problems. I ask about the mechanics: what is the input, what is the process, and what is the output? I look for critical points that could fail in the functioning of the process itself, because that is where the risks hidden from statistics lie – an audit allows you to see what indicators cannot tell you.
ISMS: what is the most underrated aspect?
The "Check & Act" role. Organizations are great at writing policies but often fail in verifying effectiveness (auditing) and truly learning from incidents or tests, which leads to an illusion of security or an illusion of quality.