Hello 27001 Academy,
According to ISO 27001, is there any interpretation of the current DevOps position? I mean... the requirement is clear about not having the development team access production environments, but what about DevOps? Are they considered developers, or just operators in charge of promoting software to production?
Thank you for your opinion.
ISO 27001 does not prescribe anything about DevOps, so organizations can define them the way they see fit, provided information security requirements are fulfilled (e.g., secure development, protection of production software, etc.).
ISO 27001 control A.12.1.4 specifies you need to separate development, testing and operational environments, but this does not mean that the teams cannot work on more than one environment.
Please note that, provided the development team cannot alter software authorized to be released to production, they can have access to the production environment (in some cases this is useful so they can observe bugs in the production environment that cannot be reproduced in the development environment).
One way to achieve this objective is by defining different user accounts for DevOps teams: one with access to the development environment (with full access to development tools) and the other with access to the production environment (with no access to development tools and no other means they could use to change software already tested and approved for production).
Another way is to have specific roles in the development and production environments (i.e., a person with access to development tools does not have access to the production environment, and vice versa). This would be the implementation of segregation of duties.
These articles will provide you with further explanation about software development and segregation of duties:
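The two approaches described in the answer above (one person holding separate development and production accounts, or mutually exclusive roles per person) expressed as a policy-as-code check over an access inventory. This is an added example, not code from the original post or from 27001 Academy; the entitlement names and the accounts are constructed sample data.

```python
from dataclasses import dataclass, field

# Entitlement catalogue (constructed sample values, not from any real product).
DEV_TOOLS = {"dev:ide", "dev:build", "dev:repo-write"}
PROD_CHANGE = {"prod:deploy", "prod:config-write", "prod:db-write"}
PROD_READ = {"prod:logs-read", "prod:metrics-read"}
KNOWN = DEV_TOOLS | PROD_CHANGE | PROD_READ


@dataclass
class Account:
    name: str
    owner: str  # the person behind the account; one person may hold several accounts
    entitlements: set[str] = field(default_factory=set)


def sod_violations(accounts: list[Account], per_person: bool = False) -> list[str]:
    """Return dev/prod segregation-of-duties violations as readable strings.
    No single account may combine development tools with the ability to change
    production software (read-only production access is allowed); unknown
    entitlements are flagged so a typo cannot silently widen access.
    per_person=True adds the stricter role model: one person must not hold
    development and production-change rights even via separate accounts.
    """
    findings, dev_owners, prod_owners = [], set(), set()
    for acct in accounts:
        unknown = acct.entitlements - KNOWN
        if unknown:
            findings.append(f"{acct.name}: unknown entitlement(s) {sorted(unknown)}")
        has_dev = bool(acct.entitlements & DEV_TOOLS)
        has_change = bool(acct.entitlements & PROD_CHANGE)
        if has_dev and has_change:
            findings.append(f"{acct.name}: combines development tools with production change rights")
        if has_dev:
            dev_owners.add(acct.owner)
        if has_change:
            prod_owners.add(acct.owner)
    if per_person:
        for owner in sorted(dev_owners & prod_owners):
            findings.append(f"{owner}: holds development and production-change rights across accounts")
    return findings


# Constructed sample: the two-account pattern for one DevOps engineer, plus two bad accounts.
SAMPLE = [
    Account("alice-dev", "alice", {"dev:ide", "dev:build", "dev:repo-write", "prod:logs-read"}),
    Account("alice-ops", "alice", {"prod:deploy", "prod:config-write", "prod:metrics-read"}),
    Account("bob-admin", "bob", {"dev:build", "prod:deploy"}),
    Account("carol-sre", "carol", {"prod:deploy", "prod:db-wrtie"}),
]
```

With the default setting, alice's two-account arrangement passes while bob's combined account and carol's mistyped entitlement are reported; with `per_person=True` alice is also flagged, which is the stricter role-based model from the second approach.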