The CES environment is a highly secure virtual environment built in the Azure cloud. The goal is to seek ISO 27001 certification for this virtual data center. To ensure that new applications enjoy the ISO certification credentials that are issued to the CES environment, any new internal applications and COTS software that will live in the above environment will follow an onboarding process. The onboarding process will be managed through an Operating Level Agreement with clearly defined security criteria that should be met (8 access, 9 asset, 14 development, etc.). The development teams are out of scope for this audit as they are located all around the world. Having said that, the development and production environments will all live within the CES environment. Teams will access the development environment by remote access through the CES communication channels. Development or production communication channels into the virtual environment will be managed by the CES virtual security controls. All of these criteria will be internally audited and approved by the CES team prior to allowing dev teams to live and operate within the CES environment. Customers accessing the applications can only do so by first being authenticated by the CES front end. All networking and communication activities will be monitored, managed and controlled by the CES front end.
Analogy: CES is a highly secure hotel. Applications can only get a room in this hotel by checking in, meeting all the stipulated CES security checklists and being approved by the CES team. Once checked in, any communication with the applications or other systems in the hotel by someone or something must pass through the gate that CES controls, monitors and manages. We are hoping that with this design, any applications that are onboarded after the certification is issued are also automatically conferred the ISO 27001 credentials. Assumption: the onboarding process gets audited during the certification audit.
Thoughts? Will this be acceptable from a certification registrar's perspective?
ISO 27001 cannot be used to certify software, only the processes that support it (e.g., development and maintenance processes). Considering that, if you can show evidence that your onboarding process can reduce the identified relevant risks of introducing new applications to the environment to acceptable levels, handle incidents properly, and that the environment is continuously improved, this will be sufficient for a successful certification audit.
These articles will provide you further explanation about security in software development and defining ISMS scope in the cloud: