YouTube Transcript: Kevin Wilson, Our journey to ISO 27001 Workshop | Event Stream Mendix 2

Summary

This presentation provides an overview of ISO 27001, an international standard for information security management systems, detailing its benefits, the certification process, and its impact on developers, emphasizing how robust security practices can enhance long-term productivity and resilience.

Video Transcript
Hello. Just doing a quick audio test. Hello everyone.
>> Hi.
>> So, welcome today. Thank you for coming. So for the guys that are online, we're coming from our office in Dawn Cape Town. We've just come off some pizza and table tennis, so the afternoon nap risk is high, I'd say. So let's hang in there with me. So yeah, welcome. I see there's a couple more people online. Thank you so much for joining.

Cool. So today I've been asked to speak about every developer's favorite topic, governance and compliance. So that's exactly what I'm going to do for hopefully 30 minutes straight. So it should be a blast. Strap in.

Yeah. So, just an introduction to myself. I'm Kevin Wilson. Hi guys. I'm co-founder of Commotion. We've been going for about 12 years now in various industries. So we have Senalytics, which is a company that does consolidated investment reporting in the financial services space. We've got Commotion Dash, which is a kind of cloud-based analytics tool for large-scale data analytics. And then of course we've got Commotion low code, which is our low code development resource in ARM. Yeah. And we are based locally in South Africa with a global footprint around the world, in the US and in Europe.
Yeah. So today I'm going to just start off with giving a bit of an overview. What is ISO 27001? What does it mean? Then I'm going to unpack the journey that we went on, with a few general points on the process to getting certified. Then I'm going to touch briefly on Mendix Control Center and how that overlaps with 27001, and then talk a little bit more generally about the impact of the space for developers.

So cool, firstly, what is 27001? It's the international standard for information security management systems. An information security management system, or ISMS, is the process and system that you put down in your company that defines how information security is managed across the whole organization. So it's the control of information security and how you make sure that the information is actually secured. So how does it do it? ISO 27001 has a list of controls. It's called the Annex A controls. That's where you start. That's all the required controls, and then you would go about and implement those controls by means of policies and/or procedures in your business.

Cool. So the end goal is obviously appropriate management and protection of company information and risk management, or reduction of risk. So just briefly, the context of 27001, the reason why you would be doing something like this: obviously we all know the ever-increasing threat of information security compromises, and then coupled with that, over the last, say, 10 years there's been a real tightening of data privacy legislation and regulation around data and the processing of data.

So for developers, obviously a privacy- and security-aware developer is valuable in this context, and it's not just about contributing to system features but actually to the organization and the client as a whole. So I think that's critical for me.
So why is 27001 valuable? I think if you've ever been handed a third-party security assessment or dealt with a security incident, you probably already know why it's valuable. I must admit the first couple of third-party assessments that we received were very stressful. There's nothing like a well-placed question to make you realize that you've got a lot of work to do. So you know, 27001 is really a well-defined framework that helps you get through these things, so that these assessments are actually almost a breeze. So yeah, also, having said that, it's a differentiator to your customers. If you present a 27001 certificate in your pre-sales process, it's going to leapfrog you ahead. We've seen that those assessments, or pre-sales customer assessments, have really been reduced a lot just by the ability to provide that certificate. It reduces that friction. So it's going to reduce time during your customer... and then obviously, on a practical level, it just does give customers confidence that the security of the information is well managed and really taken seriously. And surprisingly, it actually really does reduce risk throughout your organization.
Cool. So, moving on, I just want to outline it. It's obviously very detailed. There's a lot of stuff in the standard, but I just wanted to, from a high level, unpack some of the areas for you guys for some context.

So firstly, some key principles. Risk management: how do you actually deal with risk? How do you make sure that you classify your risks and mitigate all of them with the same mindset, so you're not misclassifying risks? So having one central risk management process and standard is part of the ISO standard to implement. Access control is a big one: how do you make sure you have the segregation of duties principle and least privilege applied? How do you actually make sure that you can audit who has access to what in your company? That's all part of the standard. Then of course incident response: how do you monitor, detect and report security events? So a key part of it. Management reporting is really an overarching thing. The standard does require evidence of regular management reporting and engagement. So it's not just something you put in and leave. There's an ongoing engagement that you have to demonstrate in your company.

Then of course change management: how do you manage change throughout your organization and actually have considerations for information security while you're going through those changes? Then of course secure development: how do you develop with security in mind and ensure secure features through all your SDLC stages? Training is a big aspect of it, so ongoing training for everyone in the company, basically, on information security. And then continuous improvement: continual review of your policies and procedures, and then also feeding back from things like incidents, taking learnings from those incidents and improving going forward.
Cool. So before you begin this process, I would say management buy-in is really critical. Obviously it's top management, senior management level, but also middle management needs to buy in and understand the reasons and value for certification. If you don't do this, it's going to be a whole lot of this. It's going to be very frustrating to get anything landed in your company, because it's all about actually having processes and being able to show evidence for these processes. So in reality, you're probably going to have some of this anyway, but there'll be less if you have full management buy-in.

So our journey really started off like that. We didn't really know much about it. We knew it was a good thing and a thing that we needed, given the environment we were operating in. So we decided to engage with knowledgeable external consultants to assist us. That was a combination of legal consultants and 27001-certified consultants.

We started off by developing our policy ethos, which was: we try to search for the balance between theory and practice to ensure we arrived at the best set of realistic, executable rules and processes, and not a list of unattainable goals. So that picture is pretty clear. Sometimes you can put a policy in place that's all nicely theoretical and neat, but as soon as it gets into the real world, reality hits you and it doesn't really quite operate like that. So we really wanted to make sure that what we put down actually landed in the company and actually made a difference. Otherwise it's kind of a checkbox exercise, which is not what we wanted to do.
So, initial actions for the process of certification. The first action is scoping. Here you determine what part of the organization you're actually certifying and what controls are actually relevant to your operations. So for example, we included all the divisions of our company in the certification, but as a provider of cloud-hosted solutions, all the physical security controls weren't fully relevant to us, not having on-prem servers and that kind of thing. So there were some controls that you can exclude, and as long as you can explain why you've excluded those controls, that's acceptable to the standard.

So the outputs of this initial step are your business scoping document and what's called a statement of applicability.

The business scoping document defines the context and your operations. What do you actually do? What industry do you work in? The internal and external factors affecting your business: your resources, culture, legal requirements and economy. And then you define your stakeholders and what their requirements are, like customers, shareholders, employees. And then you really scope the ISMS within the organization. So do you only focus on one product, one division, or do you do the whole organization? So there's a little bit of flexibility in terms of how you certify and what processes you certify.

So then the statement of applicability, that's effectively a list of all the 27001 controls, and this is where you would state whether the controls are relevant to your organization or not. What you would also do in your statement of applicability is create a document reference to your policy that has an implementation for that specific control. So for example, you'll see here one of the top-level controls would be that you have to have policies for information security. So there you would list: we have an information security governance policy and an information security policy that sets out how we deal with our policies and those kinds of things. So this is kind of the framework that you're going to be...

So the actual process itself, from the point that you've done your scoping: you will then switch into policy development, developing your SOPs or standard operating procedures; a big aspect is information asset classification, which I'll talk about; then the actual implementation of the processes that you need in your business; and then obviously the audit process.
So policy development. What is a policy? It's a set of principles, rules, and guidelines to govern your business process. Importantly, this was something one of the consultants told us early on: it's not aspirational. It's not what you wish you did. It's what you actually do, because you're going to be asked for evidence, right? So that's a big catch point. It's tempting to put in your policy what you wish you were doing. But yeah, so some examples of policies. Your biggest policy will probably be your information security policy, that defines your information assets. How do you deal with that? How do you classify data that you hold? How do you set the rules around the data? And then also some baseline security requirements for systems and employees. The privacy policy, also a big one, refers to data privacy legislation, and it's your commitment to customers on how you will deal with their data. The SDLC policy, software development life cycle: how do you make sure you go through that process in an orderly and well-managed way? How do you respond to incidents? That's detailed in your incident response policy. Business continuity policy. And then obviously something that's more recent, the generative AI policy, that defines your acceptable use of AI in your company.

So an SOP: you can think about the standard operating procedure as how you take those policy principles and actually implement them in a specific area in your business. So it's a lot more practical. Whereas the policy is more principles, the SOP is more practical, and again should reflect the actual process. So usually, or what we've done, is our policies refer to the different areas; you need an access control SOP that outlines the exact details of access control, for example. So there are some examples there. Like I said, access control: what is the actual procedure to request and record access to systems? Infrastructure SOP: what are your technical standards for your infrastructure and your systems? SDLC SOP: how do you make sure you groom appropriately? How do you make sure you test properly? And how do you keep a record of these processes so that they're auditable, so you can actually give evidence that you are following these processes?

And then the third-party SOP: how do you practically engage with a third party when they need access to your environment or systems? And then a big one is the employee on/offboarding SOP. I was actually quite surprised during our first certification audit; that was literally the first thing we were questioned on. You kind of go in thinking it's a technical thing and a system-based thing, but they actually drilled us a lot on the actual HR processes, like pre-employment screening. How do you actually, when someone doesn't work for you anymore, terminate their access, and all of those kinds of things? So an important one.
So a quick word on information assets. In our world we call it a data scope. An information asset is really, in my view, one of the key aspects of the ISMS. So every set of data or system that you access or hold or are responsible for has to be defined as an information asset in your information asset register. The key thing there is you can't manage what you don't know about. So if you don't know the system exists, if you don't actively know this data set is being processed in your company, you're not going to manage it very well. So that's what information asset classification is: making sure you know about all the data that's in your organization.

So when you define it, you define it with: what is this data, who's responsible for it, what are the different access levels that are allowed to this data, how do you gain access, and what are the security requirements, for example encryption at rest and in transit. How can you share the data out? Where does it actually reside, so you know exactly where it is? And then how long do you keep the data for? So those are just some things that you would then classify for each information asset that you have. And then a lot of your processes run off of these information assets.
Cool. So then just moving on to implementation. This is a little bit of an iterative thing. What we found is sometimes when you start implementing, you realize you actually have to go back and refine some of your processes and policies. So it works in a bit of a loop. So you actually have to then put some effort into actually implementing processes in the business, based off those policies and SOPs. So examples are your risk management process. You actually have to have a place where you log your risks. You have to have regular meetings where you discuss your risks. And you have to have a process to add new risks and rate risks, and all of those things need to be built into your business. You need to, if you don't have them already, build your HR processes. How do you implement your SDLC policy? We implement it directly inside Jira as a well-defined process. Your technical security processes need to be implemented, like how do you do vulnerability management and what's the process around that? Your contracting has to be defined, to make sure you've got contracts in place for all the entities that you're dealing with. And then of course your ongoing management reporting requirements. So that's monthly meetings where you project your risks to the management meeting and discuss things that are happening in the space.

So, given that, what we realized quickly, and what we did to manage all the tasks for 27001 compliance, is we implemented what we call a compliance matrix. That's all the tasks that you have to do in the year. What we did is we set that out and split it up over the year and gave each task due dates. So that's not purely a requirement, but for us it just made it easier to know that you can achieve all your tasks and execute on all your tasks in the given year that you need to do it. I think the worst thing you can do is wake up the day before the audit and then realize you haven't got to everything. So that's just a nice way to plan and make sure you're ready.

So then the actual audit process.
Firstly, the requirement is an internal audit document. This is actually something you give to the external auditor as well. They look at it. If you're not going to have any findings or notes on that audit report, they're probably going to be suspicious, because generally there's always something that you can improve and make better. So that process is really reviewing all your internal documentation, reviewing your processes, actually gathering some of the evidence that these things are actually implemented in your business. That's very helpful when you get to the external audit and you already have all that evidence stored. That's how we do it. And then obviously the output of that is an internal audit report, like I mentioned. Then the external audit has to be an external company that comes in, reviews everything, including your internal audit report, and they will request evidence for certain processes in your business. How it generally works is you'll do a first full audit, and then once you're certified you'll do two surveillance audits, which are not full audits, and then every third year you'll have to do a full audit again.

Cool. Then hopefully you get to celebrate, because you got a certificate. You may or may not look older and grayer, with some sweat stains maybe, but you would be able to celebrate.
Cool. So, Mendix Control Center. Control Center provides Mendix admins with a centralized overview of all the Mendix activities, with the ability to manage and control these activities. So the way I saw this is it's actually giving you some tooling to really tick some of the boxes for 27001 controls. So it's kind of useful tooling.

So what I went and did is just map some of the controls to the Control Center features. So for example, you can manage your admin user access. Obviously it's documented in the system, so it's easy to audit. That speaks into the A.8.2 privileged access rights control, which is a specific control on ISO general access management. The fact that you can configure onboarding communication to developers speaks into the information security awareness training section. You can have preconfigured training that goes out to your new guys to assist with ticking that box. The fact that you actually have a list of all your applications goes to what I was talking about with information assets; each of those applications would be considered an information asset. There's the ongoing monitoring that it gives you. Obviously access control and segregation of duties, because you've got role-based permissions you can do there. And then on the security side of it, you can set your Mendix password policy, you can also set data replication for failover, and then you can set up your SSO. And then actually quite a big one, the software composition section speaks directly to managing your technical vulnerabilities. So you get reports of your findings. You'll actually have a software bill of materials, so you know exactly what you're using in your applications, which is a key part of implementing those controls, and you can manage the third-party components that you are allowed to use. Okay, cool.
So I think what I want to do then is just speak a little bit more generally. I think this is kind of like a classic viewpoint: on one side you have productivity, on the other side you have security. The way to have the most productivity is to have zero security, because then you don't have to worry about anything. You can just work, right? That's obviously not the ideal scenario. So I just wanted to speak into this a little bit.

So in my mind there's always going to be friction between security processes and productivity, because control always puts friction in place of actually getting something done. So I think developers often experience these information security requirements as restrictive, frustrating and slowing down delivery. And I can see that. But I just want to challenge this view a little bit today, and I want to, as a counter claim, say that properly defined and consistently followed information security processes can actually improve your long-term productivity for the business. And I'm going to speak a little bit on why I say that.

So, as an example, if you don't have a well-structured and defined SDLC, you're probably not going to deal with issues that you needed to up front. So if you do have it, you're probably going to reduce your back and forth, because you're implementing properly from the beginning, reducing your rework. We all know that as soon as you have to go back and rework something, it generally takes longer than if you had incorporated your requirements from the beginning. And then I think, in my mind, properly defined security processes actually reduce what I call security debt. That would take the form of overlooked requirements that surface late in the development cycle, emergency fixes due to vulnerabilities discovered post-release, or even in the worst case a security incident.

So in my view, by embedding security into your development process you're not just protecting data, you're protecting velocity, reducing risk and actually building resilience into your software delivery.

So security incidents are not fun. They are time-consuming: to actually investigate an incident, determine the root cause and determine how to respond to an incident. You have reporting obligations to customers. You even potentially have reporting obligations to information regulators, the legal bodies that oversee the data privacy legislation, or directly to data subjects, with possible fines. You've obviously got reputational damage that impacts your customer trust and retention. You're going to have additional development work to mitigate those risks. And then on top of all that, you've got legal costs and contractual liabilities. So this is all what you're trying to avoid.
So I think some practical things for me. When you speak about privacy and security by design, it really starts off when you're grooming, and it's important to have specific security-related questions to formulate what the security requirements are. It's easy to get straight into what the system has to do, but there are some questions that also need to be asked at this point. What data is being processed? Are there privacy considerations? Is it specifically regulated data, like credit card information? There's a whole other bank of requirements that will need to be built for that. What are your encryption requirements? What are the access requirements? How do you gain access? Do you need role-based access, etc.? If you're integrating with any third parties, how do you integrate securely? What do you need to put in place there? And what are the non-functional technical requirements, like availability, uptime, audit logging and all of those kinds of things.

Then I think during the coding phase, really, just as developers, equip yourself with security skills in the specific area. That's where obviously your Mendix training and certifications also assist: knowing the secure coding standards and best practices in your area. Implementing mechanisms like data minimization, so making sure the applications and processes that you work on actually only use the minimum amount of data needed, and not just the classic select star, everything in, and work with it like that. So you can actually reduce risk by just minimizing the data set that you're working on. And then just ensuring appropriate audit logging, and obviously not logging sensitive data in logs.

Testing: in the testing phase, the key thing here is making sure that you actually test against your previously defined security requirements. So that would be considered almost non-functional testing, testing that your user access is working and the specific access levels are implemented correctly, for example. Cool.
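Two of the coding-phase habits described above, data minimization (fetching only the columns a feature needs rather than select star) and audit logging that never carries sensitive values, together with the column classification that the earlier passage on the information asset register would hold, as an added Python example. This is not code from the talk, from the speaker's company or from Mendix; the table, column and key names, the logger name and the customer rows are constructed assumptions, and the script runs offline against an in-memory sqlite database.

```python
"""Data minimization and sensitive-value-free audit logging.

Added example, not code from the talk or from Mendix. Table, column and key
names are assumptions, and the customer rows are constructed sample data so the
script runs offline against an in-memory sqlite database.
"""
import json
import logging
import re
import sqlite3
from datetime import datetime, timezone

# Assumed classification of the table, the kind of entry an information-asset
# register holds: which columns are sensitive and so need justification to read.
TABLE = "customers"
SENSITIVE_COLUMNS = {"email", "id_number", "card_number"}

# Keys whose values never reach the audit log, plus a pattern that masks
# card-like digit runs (13 to 19 digits, optional separators) arriving under
# any other key, e.g. pasted into a free-text note.
REDACT_KEYS = {"id_number", "card_number", "password"}
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

AUDIT = logging.getLogger("audit")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows (not real people or cards) for a runnable demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, name TEXT, email TEXT,"
        " id_number TEXT, card_number TEXT, plan TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Ann", "ann@example.com", "8001015009087", "4111 1111 1111 1111", "gold"),
            (2, "Bob", "bob@example.com", "9002026009088", "5500 0000 0000 0004", "basic"),
            (3, "Cy", "cy@example.com", "7003037009089", "3400 000000 00009", "gold"),
        ],
    )
    conn.commit()
    return conn


def table_columns(conn: sqlite3.Connection) -> set:
    """Real column names from the schema, used to validate caller-supplied identifiers."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({TABLE})")}


def select_minimal(conn, columns, plan, allow_sensitive=()):
    """Fetch only the named columns for customers on `plan` instead of SELECT *.

    Identifiers are checked against the schema, so the column list cannot be
    used for SQL injection, and sensitive columns are refused unless the caller
    names them in allow_sensitive, which records the justification at the call site.
    """
    unknown = set(columns) - table_columns(conn)
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    refused = (set(columns) & SENSITIVE_COLUMNS) - set(allow_sensitive)
    if refused:
        raise PermissionError(f"sensitive columns not justified: {sorted(refused)}")
    sql = f"SELECT {', '.join(columns)} FROM {TABLE} WHERE plan = ?"
    return [dict(zip(columns, row)) for row in conn.execute(sql, (plan,))]


def _mask_cards(value):
    """Replace any card-like digit run in a string with **** plus its last four digits."""
    if not isinstance(value, str):
        return value
    return CARD_RE.sub(lambda m: "****" + re.sub(r"\D", "", m.group())[-4:], value)


def redact(details: dict) -> dict:
    """Copy of `details` that is safe to log: listed keys become a marker,
    nested dicts are handled recursively, and free-text values are masked."""
    safe = {}
    for key, value in details.items():
        if key in REDACT_KEYS:
            safe[key] = "[REDACTED]"
        elif isinstance(value, dict):
            safe[key] = redact(value)
        else:
            safe[key] = _mask_cards(value)
    return safe


def audit_event(actor: str, action: str, details: dict) -> str:
    """Emit one JSON audit line (who, what, when, redacted context) and return it."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "details": redact(details),
    }
    line = json.dumps(entry, sort_keys=True)
    AUDIT.info(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    db = build_sample_db()
    # A billing summary needs ids and names only; it never sees card numbers.
    print(select_minimal(db, ["id", "name"], "gold"))
    audit_event("svc-billing", "customer.lookup",
                {"customer_id": 1, "card_number": "4111 1111 1111 1111",
                 "note": "retry with card 5500 0000 0000 0004"})
```

The column allow-list is checked against the schema before it is interpolated, so a caller cannot turn the identifier list into an injection, and a sensitive column is only returned when the call site names it, which is exactly the kind of evidence an auditor asks to see. The redaction masks card-like digit runs in free-text fields as well as dropping the classified keys, since the value that leaks into a log is usually the one nobody declared.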
So for me the reality is that if you want effective information security, it is actually everyone's job. And clients are actually looking to developers to implement not only functional applications but also applications that are actually secure. So in my view, your efforts have a large impact on the practical security of the data processed by the applications that you are working on. Cool. So that is my story. I'm not sure how to handle questions from the online perspective, but okay, cool. I don't know if anyone has...
>> I have a question.
>> Yeah.
>> So in the beginning of your presentation, you say that it actually increases your security. What was that phrase? Was that one of the benefits? It actually reduces risk.
>> Yeah.
>> How is that measured? Because it's a claim to make, but like...
>> If you look at black holes, you can see the...
>> You can't see the black hole itself, you see the outline, what's around it.
>> Yeah, the outing effect. So how is that claim measured?
>> Yeah, so I mean that's actually part of the ISO process, actually measuring the effectiveness of your information security, ironically. So I think you would measure that in the number of incidents, but obviously if you weren't tracking that before, you wouldn't know if it improved or not. But as soon as you're tracking that, that's one key way you would measure it. I think the other thing is just knowing what's happening, that you have a place where you can check who has access to what in your organization, as an example, is actually a big deal, because if something happens, you know who has access to it. Likewise, if you don't track your information assets and you have some kind of exposure on that data, you don't know what the rules are about the data that you have, you don't know what to do about it. So it is a difficult thing to track practically, specifically because you probably didn't have anything beforehand. But you would want to see those things when you start ISO, coming through and actually improving, and...
>> Can we see online? No, I can see the chat here, but nothing.
>> It's the what? The midday nap.
>> Post pizza.
>> I told Derek that my target for today was to at least get one person sleeping. So hopefully I achieved it. I wouldn't know if it was online. No.
>> Okay, cool. I think we're going to end it here then.