Benchmarking Against Best Practice
Beyond our own metrics, we should measure ourselves against the wider industry's proven standards: security baselines, architecture frameworks, maturity models, and published research. Learning from how the best teams build means we do not have to learn every lesson the hard way, or through a breach. Use these as a checklist and a guide. Adapt them to our context. Do not copy them blindly.
The industry has built up a huge amount of knowledge in the form of frameworks and standards. Strong engineers know this work and apply it instead of reinventing it. Examples include OWASP (web and app security risks), the Microsoft Azure Well-Architected Framework (reliability, security, cost, performance, operations), the Twelve-Factor App (cloud-native apps), DORA and Accelerate research (delivery), and certification standards such as SOC 2 and ISO 27001.
Benchmarking against these shows where we meet the standard and where we have gaps. This feeds certification readiness and continuous improvement. The skill is to apply them with thought (they are guidance, not rules to follow blindly) and to keep up to date as they change.
Know and apply the standards
- Do: Use OWASP as the baseline checklist for application security: the Top 10 as an awareness list of the most common risk classes and ASVS as the verification standard to test designs and code against. Most real-world web vulnerabilities are already well documented (see Web & Frontend Security, Threat Modelling).
- Do: Check designs against the Azure Well-Architected Framework's pillars: reliability, security, cost optimisation, performance efficiency, and operational excellence (see Azure & Cloud Platform, Cost & Scale Planning).
- Do: Follow twelve-factor and cloud-native principles for services, such as keeping config (including secrets) in the environment rather than in code, and keeping processes stateless (see Configuration, Designing for Failure).
- Do: Compare delivery performance against DORA's industry bands to see where we stand and what to aim for (see DORA Metrics).
- Do: Check ourselves against certification controls (SOC 2, ISO 27001, AppSource) as a regular gap-check, not a rush just before launch (see Marketplace & Certification Readiness).
- Consider: Run simple maturity self-assessments to find the weakest areas worth investing in next.
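The twelve-factor point about config above is the one item in this list that is a concrete coding practice, so here is an added example of it (written for this page, not code from the handbook or from the twelve-factor project). It loads a service's settings from the environment, fails fast when a required setting is missing, refuses obvious placeholder secrets in production, and gives a redacted view for diagnostics so secrets never reach logs. The variable names (`APP_ENV`, `DB_URL`, `API_SIGNING_KEY`, `LOG_LEVEL`, `REQUEST_TIMEOUT_SECONDS`), the `Config` class and the placeholder list are illustrative assumptions, not names from our stack.

```python
"""Twelve-factor style configuration loading with fail-fast validation
and secret redaction.  Added example; all setting names are illustrative."""
import os
from dataclasses import dataclass, fields
from typing import Dict, Mapping, Optional


class ConfigError(ValueError):
    """Raised when required configuration is missing or unsafe."""


# Settings this (hypothetical) service reads from its environment.
REQUIRED = ("APP_ENV", "DB_URL", "API_SIGNING_KEY")
OPTIONAL = {"LOG_LEVEL": "INFO", "REQUEST_TIMEOUT_SECONDS": "5"}
# Values that must never be printed; a DB URL usually embeds a password.
SECRETS = frozenset({"DB_URL", "API_SIGNING_KEY"})
# Placeholder values that commonly leak from docs and local setups (assumed list).
PLACEHOLDERS = frozenset({"changeme", "password", "secret", "todo"})


@dataclass(frozen=True)
class Config:
    app_env: str
    db_url: str
    api_signing_key: str
    log_level: str
    request_timeout_seconds: int


def load_config(env: Optional[Mapping[str, str]] = None) -> Config:
    """Build a Config from `env` (defaults to os.environ), raising ConfigError
    instead of silently running with defaults or placeholder secrets."""
    source = os.environ if env is None else env

    # Fail fast: a missing setting is a deployment bug, not something to paper over.
    missing = [k for k in REQUIRED if not source.get(k)]
    if missing:
        raise ConfigError(f"missing required settings: {', '.join(sorted(missing))}")

    values = {k: source[k] for k in REQUIRED}
    values.update({k: source.get(k, default) for k, default in OPTIONAL.items()})

    # Placeholder secrets are tolerable on a developer laptop, never in production.
    if values["APP_ENV"] == "production":
        weak = [k for k in SECRETS if values[k].strip().lower() in PLACEHOLDERS]
        if weak:
            raise ConfigError(f"placeholder secret in production: {', '.join(sorted(weak))}")

    try:
        timeout = int(values["REQUEST_TIMEOUT_SECONDS"])
    except ValueError as exc:
        raise ConfigError("REQUEST_TIMEOUT_SECONDS must be an integer") from exc
    if timeout <= 0:
        raise ConfigError("REQUEST_TIMEOUT_SECONDS must be positive")

    return Config(
        app_env=values["APP_ENV"],
        db_url=values["DB_URL"],
        api_signing_key=values["API_SIGNING_KEY"],
        log_level=values["LOG_LEVEL"].upper(),
        request_timeout_seconds=timeout,
    )


def redacted(cfg: Config) -> Dict[str, str]:
    """Diagnostics view of the config: secrets are masked even in debug output."""
    view: Dict[str, str] = {}
    for f in fields(cfg):
        name = f.name.upper()
        view[name] = "<redacted>" if name in SECRETS else str(getattr(cfg, f.name))
    return view


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; real services use os.environ.
    sample_env = {
        "APP_ENV": "production",
        "DB_URL": "postgresql://svc:example-password@db.internal/app",
        "API_SIGNING_KEY": "k" * 32,
        "LOG_LEVEL": "debug",
    }
    print(redacted(load_config(sample_env)))
```

The behaviour worth copying is the failure mode: a missing or placeholder secret stops the process at start-up, where it is cheap to notice, rather than surfacing later as an outage or as a credential that was never rotated. Note that `load_config` never echoes a secret value in its error messages, only the setting's name.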
Adapt, don't copy blindly
- Do: Apply best practice to our context and limits (regulated FinTech, our stack). Understand the reasons behind it so you can adapt it, not just copy it.
- Do: Keep up to date. Standards and threats change (OWASP updates, new framework versions), so review them again over time (see Continuous Learning, Regulatory Change Management).
- Do: Turn the gaps you find against these standards into prioritised improvement work (see Continuous Improvement, Vulnerability Management).
- Do: Learn from the wider industry through post-mortems, engineering blogs, and research, so we gain from others' costly lessons cheaply (see Continuous Learning).
- Avoid: Copying a practice or tool just because a big company uses it, without checking whether it fits our scale and needs (see Choosing Technology).
- Avoid: Treating a framework as a box-ticking exercise. The goal is to truly meet the standard, not to claim a badge (see Professional Ethics).
Self-review checklist
- Ask: Have I checked this against the relevant standard (OWASP, Well-Architected, twelve-factor) instead of making it up?
- Ask: Where do we fall short of best practice, and is closing that gap on the backlog?
- Ask: Am I adapting the practice to our context, or copying it without understanding it?
- Ask: Is my knowledge of these standards up to date?