DEVOPS position according to ISO27001

Guest user Created:   Jan 28, 2022 Last commented:   Jan 28, 2022

Hello 27001 Academy,

According to ISO 27001, is there any interpretation of the current DevOps position? I mean, the requirement is clear about not having the development team access production environments, but what about DevOps: are they considered developers, or just operators in charge of promoting software to production? Thank you for your opinion.


Expert
Rhand Leal Jan 28, 2022

ISO 27001 does not prescribe anything about DevOps, so organizations can define the role the way they see fit, provided information security requirements are fulfilled (e.g., secure development, protection of production software, etc.).

ISO 27001 control A.12.1.4 specifies you need to separate development, testing and operational environments, but this does not mean that the teams cannot work on more than one environment.

Please note that, provided the development team cannot alter software authorized to be released to production, they can have access to the production environment (in some cases this is useful so they can observe bugs in the production environment that cannot be reproduced in the development environment).

One way you can adopt to achieve this objective is by defining different user accounts for DevOps teams: one with access to the development environment (with full access to development tools) and the other with access to the production environment (with no access to development tools and no other means they can use to change software already tested and approved for production).

Another way is to have specific roles in the development and production environment (i.e., a person with access to development tools does not have access to the production environment, and vice-versa). This would be the implementation of segregation of duties.

These articles will provide you with further explanation about software development and segregation of duties:

- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

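The two models described in the answer above (separate accounts per environment, and separate roles per person) can be checked mechanically against an account inventory. The following is an added example, not code from the answer or from Advisera; the permission names and the sample accounts are constructed for illustration and would be mapped to your own IAM roles or tool permissions.

```python
from dataclasses import dataclass

# Permission names below are constructed for this example, not taken from
# ISO 27001. "Change software" and "write to production" are the two
# capabilities that must not meet in one identity.
DEV_CHANGE = {"dev:commit", "dev:build", "dev:modify-artifact"}
PROD_WRITE = {"prod:deploy", "prod:shell-write", "prod:edit-config"}
# Read-only production access (viewing logs, observing a bug) is allowed
# for developers, so it is deliberately in neither conflict set.


@dataclass(frozen=True)
class Account:
    name: str
    owner: str               # the person who uses this account
    permissions: frozenset


def conflicting_accounts(accounts):
    """Separate-accounts model: no single account may both change
    software and write to production. Returns offending account names."""
    return sorted(a.name for a in accounts
                  if a.permissions & DEV_CHANGE and a.permissions & PROD_WRITE)


def conflicting_persons(accounts):
    """Separate-roles model (segregation of duties): no single person may
    hold development tools and production write access, even when the
    rights are split across several accounts. Returns offending owners."""
    held = {}
    for a in accounts:
        held.setdefault(a.owner, set()).update(a.permissions)
    return sorted(p for p, perms in held.items()
                  if perms & DEV_CHANGE and perms & PROD_WRITE)


# Constructed sample inventory: alice follows the two-account model,
# bob has everything in one account, carol is operations only.
SAMPLE_ACCOUNTS = [
    Account("alice-dev", "alice", frozenset({"dev:commit", "dev:build", "prod:read-logs"})),
    Account("alice-ops", "alice", frozenset({"prod:deploy", "prod:read-logs"})),
    Account("bob-all", "bob", frozenset({"dev:commit", "prod:deploy"})),
    Account("carol-ops", "carol", frozenset({"prod:deploy", "prod:edit-config"})),
]

if __name__ == "__main__":
    print("accounts violating separation:", conflicting_accounts(SAMPLE_ACCOUNTS))
    print("persons violating segregation of duties:", conflicting_persons(SAMPLE_ACCOUNTS))
```

The second check is stricter: alice passes the separate-accounts test but fails the separate-roles test, which is exactly the difference between the two options in the answer.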
Guest
Viviana Fernández Jan 28, 2022

Awesome, Rhand! Thank you so much for your answer.
