ISO 27001: DevOps toolchains

Guest
Guest user | Created: Feb 02, 2021 | Last commented: Feb 03, 2021

How can ISO 27001 be granted if all changes are only visible in DevOps toolchains? Changes are no longer approved and implemented, only playbooks in Jenkins, Ansible, Docker or OpenShift are started. Can these tools be viewed as a certified management system?


Expert
Rhand Leal Feb 02, 2021

1 - How can ISO 27001 be granted if all changes are only visible in DevOps toolchains? Changes are no longer approved and implemented, only playbooks in Jenkins, Ansible, Docker or OpenShift are started.

Answer: Please note that the tools you mentioned (Jenkins, Ansible, Docker, or OpenShift) only automate specific tasks that are part of the change management process (mostly related to the implementation, control, and monitoring of changes in systems' source code). Tasks like change planning and change risk evaluation are still performed outside such tools. Additionally, to start the process related to such tools, someone responsible for the system to be changed needs to approve that action.

Considering that, the mentioned tools would only be part of your change management process, and to ensure that your change management processes are compliant with ISO 27001 you should also consider the steps of the processes that are performed outside such tools.

To see what a change management document compliant with ISO 27001 looks like, and which parts of your process you need to document, please take a look at the free demo of our Change Management Policy at this link: https://advisera.com/27001academy/documentation/change-management-policy/

For further information, see:
- How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
2 - Can these tools be viewed as a certified management system?

Answer: Please note that a management system is much more than a tool. It involves processes, policies, and procedures too. Additionally, tools cannot be certified against ISO 27001, because the certification is based on the management system scope, which in the case of ISO 27001 is defined in terms of information, processes, or locations, not technologies.

To see what documents compliant with an ISO 27001 ISMS look like, please access the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you with further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/

Guest
Heinz-Peter Hug Feb 02, 2021

Thank you very much for your feedback. It is very helpful to me and supports my assumption. But this also means that DevOps deployments within toolchains are not contractually secured; nobody bears legal operational responsibility.

Expert
Rhand Leal Feb 03, 2021

Please note that legal operational responsibility may be only one of the requirements that you need to fulfill. To make your change management process legally secure you need to identify all legal requirements (e.g., laws, regulations, and contracts) that you must fulfill. For example, you may have a legal requirement demanding the use of a specific change approach, or technology.

In this case, the recommendation is to hire a local legal expert advisor to help you identify the requirements you need to fulfill.

An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

This article will provide you with further explanation about the identification of requirements:
