You need a written security policy, but that was pretty close to pro forma. The compliance firm wrote us one, which we disseminated appropriately.
You basically just need to follow some reasonable security standards. Firewalls, SSH/SSL admin terminals, no shared credentials, and then follow a basic security policy.
The only situation where I can imagine it being a pain is if you aren't already following good security procedures.
If your ops/DevOps guys are experienced pros, they're probably going to be pretty close to compliant, just out of habit. That said, I guess it's not terribly hard to envision a scenario where there's no firewall, bad user access controls, and a host of other crap that could be painful to fix if you only have junior-level ops talent.