DEVOPS position according to ISO27001
ISO 27001 does not prescribe anything about DevOps, so organizations can define DevOps roles the way they see fit, provided information security requirements are fulfilled (e.g., secure development, protection of production software, etc.).
ISO 27001 control A.12.1.4 specifies you need to separate development, testing and operational environments, but this does not mean that the teams cannot work on more than one environment.
Please note that, provided the development team cannot alter software authorized to be released to production, they can have access to the production environment (in some cases this is useful so they can observe bugs in the production environment that cannot be reproduced in the development environment).
One way to achieve this objective is by defining different user accounts for DevOps teams: one with access to the development environment (with full access to development tools) and the other with access to the production environment (with no access to development tools and no other means they could use to change software already tested and approved for production).
Another way is to have specific roles in the development and production environments (i.e., a person with access to development tools does not have access to the production environment, and vice versa). This would be the implementation of segregation of duties.
These articles will provide you with a further explanation about software development and segregation of duties:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
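The two options in the answer above (one person with separate dev and prod accounts, or strictly separate dev and ops roles) can be expressed as an access-review check. The following is an added example, not code from the answer or from Advisera; the account names, permission strings and role names are constructed for illustration.

```python
"""Segregation-of-duties check for DevOps access (added example).

Option 1 of the answer: a person may hold a dev account (with dev tools) and a
separate prod account that cannot change approved software.
Option 2 (strict_roles=True): nobody holding dev tools may have prod access at all.
"""
from dataclasses import dataclass, field

# Constructed permission vocabulary; map it onto your own IAM groups.
DEV_TOOL_PERMS = {"dev:tools", "dev:commit"}
PROD_CHANGE_PERMS = {"prod:deploy", "prod:write", "prod:config-edit"}
PROD_READ_PERMS = {"prod:read", "prod:logs"}
PROD_PERMS = PROD_CHANGE_PERMS | PROD_READ_PERMS


@dataclass
class Account:
    name: str
    owner: str                      # the human behind the account
    perms: set = field(default_factory=set)


def check_segregation(accounts, roles, strict_roles=False):
    """Return [(account_name, reason)] for accounts that break the rules.

    roles maps a person to "developer" or "operations" (constructed labels).
    Each offending account is reported once, with the most serious reason."""
    problems = []
    # People who hold dev tools on any of their accounts (used by option 2).
    dev_people = {a.owner for a in accounts if a.perms & DEV_TOOL_PERMS}
    for a in accounts:
        has_dev = bool(a.perms & DEV_TOOL_PERMS)
        has_prod = bool(a.perms & PROD_PERMS)
        can_change = bool(a.perms & PROD_CHANGE_PERMS)
        if has_dev and has_prod:
            problems.append((a.name, "dev tools and production access in one account"))
        elif can_change and roles.get(a.owner) == "developer":
            problems.append((a.name, "developer account can alter approved production software"))
        elif strict_roles and has_prod and a.owner in dev_people:
            problems.append((a.name, "person with dev tools also holds production access"))
    return problems


# Constructed sample access matrix: alice follows option 1, carol and dave violate it.
SAMPLE_ROLES = {"alice": "developer", "bob": "operations",
                "carol": "developer", "dave": "developer"}
SAMPLE_ACCOUNTS = [
    Account("alice-dev", "alice", {"dev:tools", "dev:commit"}),
    Account("alice-prod", "alice", {"prod:read", "prod:logs"}),   # read-only in prod
    Account("bob-prod", "bob", {"prod:deploy", "prod:read"}),     # ops may deploy
    Account("carol-all", "carol", {"dev:tools", "prod:deploy"}),  # both in one account
    Account("dave-prod", "dave", {"prod:write"}),                 # developer can change prod
]
```

Running the check with strict_roles=True additionally flags alice-prod, because under option 2 a person with dev tools has no production access at all.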
Jan 28, 2022