For the past 2 months I was working on ISO and PCI DSS certification and I found it interesting to learn about the security and loopholes. These 2 certifications require a good amount of practice and documentation. Below I'm adding a few points which actually help to get the certifications and keep your things (product/release/team etc.) in better shape.
1. Software Release / Change Management / Quality Assurance: Always define a release process according to your best fit. Have a proper doc for the release cycle and always have a tag (or any unique identifier) not only for your build but for your doc for issues/stories. This enables a few things, like having a clean folder across the team in case you want to go back to understand some feature or issue; there is even a chance that sometimes it helps to understand the mistake we did earlier so it can be fixed now, etc. Also, having proper change management enables you to control your release cycle and gives a better understanding about why this needs to go and why not. Because when it comes to external people, they really care about why this decision was taken and whether the person who has taken this decision really has an understanding or not. So if you have cross-functional people in change management, it helps a lot to have a detailed justification. After all this, once your build is ready for QA you should have one more generic tool which checks for security breaches according to the standard. We can try SonarQube, SonarLint, Veracode, etc., which help to improve code quality and keep the software failure rate very low. All the above stuff is marked in the checklist of PCI DSS, which means you have to follow this.
2. Logs / Monitoring / Scans: Collect as many logs as you can. The basic logs that need to be collected are user activity (actions performed by individual users), user creation and deletion, and audit logs. And also you need to have a proper monitoring tool where you are catching enough information regarding all software modules, so if any incident occurs the team should be able to capture enough information. They even suggest that we should have SIMT (System integrity monitoring tools - OSSEC) so you can see the activity and actions happening on your server. Also we have to perform weekly or daily antivirus scans which generate logs related to the health of the system (Antivirus name: ClamAV, CPU Utilization: 1-5%). There is also a need for a log retention period of min 365 days.
3. Authentication / Access level: This is a must-do and PCI DSS verifies this very carefully. You must have a policy of access levels, or there should be a process to provide access so it would be visible for all. If we are using Google Cloud or AWS we should utilize the IAM policy, which gives good control on access levels. When it comes to authentication, the expectation is that you have MFA enabled everywhere, even for the cloud console and for machines. And there should be a password policy as well.
4. Performing Internal Audit / PT / VA: Once we are in the practice of ISO or PCI DSS we have to schedule a proper audit every month or every 2 months so we can assure things are in their proper place. You even need to perform PT (penetration testing) and VA (vulnerability assessment), so our machines and servers always meet the security requirements. To make it easily achievable, you can create a set of rules which follow the PCI pattern and share them across the team, so while creating a machine you follow Rule 1, while creating a user you follow Rule 2, and so on.
I can say once I got involved in this practice I have learned a lot in terms of security breaches, controls, in-depth DevOps, high-level processes, etc.
PavanKumar Belagatti & Milica, I feel I have just shared my experience and not replied back to the exact question, but I hope this helps others.
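As an added example (not part of the answer above, and not any tool the poster names), here is a small Python check that puts points 2 and 3 into code: it reads newline-delimited JSON audit events, confirms the minimum event categories the answer lists are actually being collected, checks that retained history reaches the 365-day minimum, and lists console logins that were not protected by MFA. The log format, field names and sample events are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Minimum event categories the answer says must be collected (constructed names).
REQUIRED_CATEGORIES = {"user_activity", "user_created", "user_deleted", "audit", "av_scan"}
MIN_RETENTION_DAYS = 365  # retention minimum stated in the answer

# Constructed sample log (one JSON event per line); not real data.
SAMPLE_LOG = """\
{"ts":"2023-01-10T08:00:00Z","category":"user_created","user":"alice","actor":"admin"}
{"ts":"2023-06-02T09:15:00Z","category":"user_activity","user":"alice","action":"export_report"}
{"ts":"2024-01-05T03:00:00Z","category":"av_scan","engine":"ClamAV","cpu_pct":3,"infected":0}
{"ts":"2024-01-09T10:00:00Z","category":"audit","user":"bob","action":"console_login","mfa":false}
{"ts":"2024-01-09T11:30:00Z","category":"audit","user":"alice","action":"console_login","mfa":true}
not-json: a malformed line that must not abort the whole check
"""

def parse_log(text):
    """Parse NDJSON events into dicts with a UTC datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skipped, never crashes the audit
    return events

def check_controls(events, now):
    """Evaluate logging coverage, retained history and MFA use; return findings dict."""
    present = {ev.get("category") for ev in events}
    oldest = min((ev["ts"] for ev in events), default=now)
    covered_days = (now - oldest).days  # how far back retained logs actually reach
    return {
        "missing_categories": sorted(REQUIRED_CATEGORIES - present),
        "covered_days": covered_days,
        "retention_ok": covered_days >= MIN_RETENTION_DAYS,
        "logins_without_mfa": sorted(
            ev["user"] for ev in events
            if ev.get("action") == "console_login" and not ev.get("mfa", False)),
    }

if __name__ == "__main__":
    print(check_controls(parse_log(SAMPLE_LOG), datetime(2024, 1, 12, tzinfo=timezone.utc)))
```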