YouTube 字幕：
Kevin Wilson, Our journey to ISO 27001 Workshop

不必从头看完视频——获取完整字幕，搜索关键词，一键复制。

AutoDub

听懂YouTube外语视频

沉浸式YouTube翻译中文配音

告别语言障碍，拥抱全球优质内容

免费使用

视频字幕

视频摘要

Summary

Core Theme

This presentation provides an overview of ISO 27001, an international standard for information security management systems, detailing its benefits, the certification process, and its impact on developers, emphasizing how robust security practices can enhance long-term productivity and resilience.

Mind Map

点击展开

点击探索完整互动思维导图

Hello.

Just doing a quick audio test.

Hello everyone. >> Hi.

>> Hi.

>> So, welcome today. Thank you for coming. Um,

Um,

so for the guys that are online, if you

guys online, we're coming from our

office in Dawn Cape Town. Um, so we've

just come off some some pizza and table

tennis. So, the the afternoon nap risk

is high, I'd say. Um, so let's uh let's

hang in there with me. Um, so yeah,

welcome. I see there's a couple more

people online. Thank you so much for joining.

joining. Um,

Um,

cool. So, today I've been asked to speak

about every developer's favorite topic,

governance and compliance.

Um, so that's exactly what I'm going to

do for hopefully 30 minutes straight.

Um, so it should be should be a blast.

Strap in. Um, yeah. So,

just introduction to myself. I'm Kevin

Wilson. Hi guys.

>> Kevin Wilson. I'm co-founder of

Commotion. We've been going for about uh

12 years now

in various industries. So we um have

Senalytics which is a company that does

consolidated investment reporting in the

financial services space. We've got

Commotion Dash which is a kind of

cloud-based analytics tool for large

scale data analytics. And then of course

we've got Commotion low code which is

our low code development uh resource in ARM.

ARM.

Yeah. And we are based locally in South

Africa with the global footprint around

the world in the US and in Europe.

Yeah. So today I'm going to just start

off with just giving a bit of an

overview. What is ISO 271?

What does it mean? Then I'm going to

just unpack our journey that we went on

with a little bit of kind of general

points on on the process to to getting

certified. Then I'm going to touch just

briefly on Menx control center and how

that uh overlaps with 271 and then just

talk a little bit generally about um

impact of the space for developers.

So cool firstly what is 271? So it's the

international standard for information

security management systems. So that is

an information security management

system or ISMS is the kind of process

and system that you put down in your

company that defines how information

security is managed across the whole

organization. So it's the control of

information security and how you make

sure that the information is actually

secured. So how does it do it? So it's

ISO 271 has a list of controls. It's

called the NXA controls. That's where

you start. That's all the kind of

required controls and then you would go

about and implement those controls by

means of policies and or procedures in

your in your business.

Cool. Um so the end goal is obviously

appropriate management and protection of

company information and risk management

or reduction of risk risk. So just

briefly context of 271 that the reason

why you would be doing something like

this obviously we all know ever

increasing threat of information

security compromises and then coupled

with that there's been a obviously over

the last say 10 years there's been a

real tightening of data privacy

legislation and regulation around uh

data and processing of data.

So for developers um obviously a privacy

and security aware developer is valuable

in this context uh and it's not just

about contributing to system features

but actually to the organization and the

client as a whole. So I think that's

that's critical for me.

So why is 271

valuable? I think if you've ever been

handed a third party security assessment

or dealt with a security incident, you

probably already know why it's valuable.

Um I must admit the first couple of

third party assessments that we received

um were very stressful. Um there's

nothing like a wellplaced question kind

of make you realize that you've got a

lot of work to do. Um so you know $271

is is a really a well- definfined

framework that helps you get through

these things so that these assessments

are actually almost a breeze right so

yeah so obviously also having said that

it's a diff differentiator to your

customers if you present a 271

certificate you know in your pre-sales

process um it's going to it's going to

like kind of leap frog your head we've

seen that um you those assessments or

pre-sales customer assessments have

really been reduced a lot just by the

ability of to provide that certificate.

Um reduces that friction. So it's going

to reduce time during your customer

and then obviously on a practical level

it just does give customers confidence

that the scary of the information is

well managed and really taken seriously.

And surprisingly, it actually really

does reduce risk um throughout your organization.

organization.

Cool. So, moving on, just want to

outline like it's obviously very kind of

detailed. There's a lot of lot of stuff

in the in the standard, but I just

wanted to like just from a high level

just unpack kind of some of the areas

for you guys for some context. So,

firstly, some key principles. So, risk

management. How do you actually deal

with risk? How do you make sure that you

kind of classify your risks and um

mitigate all of them kind of with the

same mindset so you're not kind of

misclassifying risks. So to have one

kind of central risk management process

and standard that's part of the ISO

standard to implement that. Access

control is a big one. How do you you

know make sure your you have segregation

of duties principle and lease privilege

applied. How do you actually um make

sure that you can actually audit who has

access to what in your company? That's

all part of the the standard. Then of

course incident response. How do you

monitor, detect and report security

events? So a key part of it. Management reporting

reporting

um is really like an overarching thing.

So um the standard does require evidence

of regular management reporting and

engagement. So it's not just something

you put in um and leave. There's an

ongoing engagement that you have to kind

of demonstrate in your company.

Then of course change management. How do

you manage change throughout your

organization and actually have

considerations for information security

while you're going through those

changes? Then of course secure

development. So how do you um develop

with security in mind and ensuring you

know secure features through all your

STLC stages.

training is a big aspect of it. So

ongoing training and and um for for

everyone in the company basically on

information security

and then continuous improvement um

continual review of your policies and

procedures uh and then also feeding back

from things like if there are incidents

take learnings from those incidents and

and and improve going forward.

Cool. So before you begin this process,

I would say management buying is really

critical. Um obviously it's top

management, senior management level, but

also middle management needs to buy in

and understand the reasons and value for

certification. If you don't do this,

it's going to be uh a whole lot of this.

Um it's going to be very frustrating to

get anything landed in your in your

company because it's all about actually

having processes and being able to show

evidence for these for these processes.

So in reality, you're probably going to

have some of this anyway, but there will

be less there'll be less uh if you have,

you know, full management buying.

So our journey really started off kind

of like that. We didn't really know much

about it. We knew it was a good thing

and a thing that we needed given the the

environment we were operating in. So we

decided to engage with knowledgeable

external consultants to assist us. So

that was a combination of legal

consultants and um really 271 certified consultants.

consultants.

We started off with a kind of developed

our pol policy ethos which was we try to

search for the balance between theory

and practice to ensure we arrived at the

best set of realistic executable

executable rules and processes and not a

list of unattainable goals. So in that

picture is pretty clear. Sometimes you

can put a policy in place and that's all

nicely theoretical and neat, but as soon

as it gets into the real world, you have

reality hits you and it doesn't really

quite operate like that. So, we really

wanted to make sure that what we put

down actually, you know, landed in the

in the company and actually really

actually made a difference. Otherwise,

it's kind of a checkbox exercise, which

is which is not what what we wanted to do.

do.

So, initial actions for the process of

certification. First action is scoping.

So here you determine what um part of

the organization you're actually

certifying and what controls actually

relevant to your operations. So for

example we we included you know the

whole all the divisions of our company

in the certification but you know as a

cloud cloud hosted as a provider of

cloud hosted solutions we all the

physical security controls weren't fully

relevant to us not having on-prem um

servers and that kind of thing. So there

were some controls that you can kind of

exclude and you as long as you can

explain why you've excluded those

controls that's acceptable to the to the standard.

standard.

Uh so the outputs of this initial step

is your business scoping document and

it's what's called a statement of applicability.

applicability.

So the business scoping document that

defines the context and your operations.

What do you actually do? Uh what

industry do you work in? The internal

and external factors affecting your

business. your resources, culture, legal

requirements and economy. And then you

you define your stakeholders and what

their requirements are like customers,

shareholders, employees. And then you

really scope the SMS within the

organization. So do you only focus on

one product, one division, or do you do

the whole organization?

So it's there's a little bit of

flexibility in terms of how you how you

certify and and what processes you certify.

certify.

So then the statement of applicability

that's effectively a list of all the 271

controls and this is where you would

state whether the controls are relevant

to your organization or not and also

what you would do in your statement of

applicability is create a document

reference to your policy that has an

implementation for that specific

control. So for example, you'll see here

um the top one of the top level controls

would be you have to have policies for

information security. So there you would

list we have a information security

governance policy and a information

security policy that sets out how we

deal with our policies and those kind of

things. So this is kind of the the

framework that you're going to be be

So the actual process itself from that

point that you've done your scoping

you will then switch into policy

development developing of your SOPs or

standard operating procedures big aspect

is information asset classification

which I'll talk about then actual

implementation of processes that you

need in your business and then obviously

the audit the audit process.

So policy development, what is a policy?

It's a set of principles, rules, and

guidelines to govern your business

process. Importantly, this was one of

one of the consultants uh told us early

on. It's not aspirational. It's not what

you wish you did. It's what you actually

do because you're going to be asked for

evidence, right? So uh that's a big kind

of catch point. It's it's tempting to

put there in in your policy what you

wish you were doing. But yeah, so some

examples of policies may what your

biggest policy will probably be your

information security policy that defines

your uh information assets. How do you

deal with that? How do you classify data

that you hold? How do you set the rules

around the data? Um and then also some

baseline security requirements for

systems and employees. Privacy policy

also a big one refers to um data privacy

legislation and it's your commitment to

customers how you will deal with their

data um SDLC policy software development

life cycle how do you make sure you go

through that process in a in an orderly

and well-managed way how do you respond

to incidents that's detailed in your

incident response policy business

continuity policy and then obviously

something that's more recent the gener

generative AI policy that defines kind

of your acceptable use of AI in your in

your company.

So an SOP you can think about the

standard operating procedure as how do

you take those policy principles and

actually implement it in a specific area

in your business. So it's kind of a lot

more practical whereas the policy is

more principles the SAP is more

practical and again should reflect the

actual process. So usually what or what

we've done is our policies refer to kind

of the different areas you need an

access control SOP that outlines exact

details of access control for example.

So there's some examples there. Like I

said, access control, what is the actual

procedure to request and record access

to systems? Infrastructure SOP, what are

your technical standards for your

infrastructure and your systems? STLC

SOP, how do you make sure you groom

appropriately? How do you make sure you

test properly? And how do you keep

record of these um processes so that

they're auditable so you can actually

give evidence that you are following

these processes?

And then third party SOP. How do you

practically engage with a third party

when they need access to your

environment or systems? Um and then big

one is employee on offboarding SOP. I

was actually quite surprised during our

first certification audit. That was

literally the first thing we were

questioned on. Just kind of go in

thinking it's it's like a technical

thing and a system based thing. But they

actually drilled us a lot on the the

actual HR processes like um

pre-employment screening. How do you

actually do you know when someone's

someone doesn't work for you anymore,

how do you terminate their access and

all of that those kind of things. So an

important one.

So quick word on information assets. So

in our in our world we call it a data

scope. Uh

so an information asset is really in my

view one of the key kind of like aspects

of ISMS. So everything

every set of data or system that you

kind of access or hold or or are

responsible for has to be defined as an

information asset in in your information

asset register. So the key thing there

is you can't manage what you don't know

about. So if you don't know the system

exists, you don't actively uh know this

data set is being processed in your

company, you're not going to manage it

pretty well. So that's what information

asset classification is. Um making sure

you kind of know about all the data

that's in your organization.

So when you define it, you define it

with what is this data, who's

responsible for it, um what are the

different access levels that are allowed

to this data, how do you gain access,

and what are the security requirements.

for example, encryption at risk at rest

um and in transit. Um how you how can

you share the data out, where does it

actually reside. So um you know exactly

where it is and then how long do you

keep the data for? So those are just

some things that you would then classify

for each information asset that you

have. And then a lot of your processes

run off of these information assets.

Cool. So then just moving on to

implementation. So this is

kind of a the a little bit of a

iterative thing that what we found is

sometimes when you start implementing

you realize you actually have to go back

and refine some of your processes and

policies. Um so it kind of works in a

bit of a bit of a loop. Um so you

actually have to then put some effort

into actually implementing processes in

the business based off those policies

and SOPs. Um so examples are your risk

management process. You actually have to

have place where you log your risks. You

have to have regular meetings where you

discuss your risks. Uh and you have to

have a process to obviously add new

risks and rate risks and all of those

things need to be built into your

business. You need to do you know if you

don't have them already you need to um

build your HR processes in how do you

implement your SDLC policy. So we

implement directly inside Jira as a

well- definfined process. Your technical

security processes need to be

implemented like how do you do

vulnerability management and what's the

process around that? How your

contracting has to be defined to make

sure you've got contracts in place for

all the all the entities that you're

dealing with and then of course your

ongoing management reporting

uh requirements. So that's monthly

meetings where you talk where you

project your risks uh to management

meeting discuss things that are kind of

happening in the space. So

given that what what we realized quickly

so what we did is to manage all the

tasks for 271 compliance we implemented

what we call a compliance matrix. So

that's all the tasks that you have to do

in the year. What um what we did is we

set that out and kind of split it up in

the year and gave it each task due

dates. Um so that was purely it's not

purely a requirement but for us it just

made it easier to know that you can

achieve all your tasks and execute on

all your tasks in the given year that

you kind of need to do it. I think the

worst thing you can do is wake up the

day before audit and then realize you

haven't got to everything.

So that's just a

nice way to kind of plan and make sure

you're ready. So then the actual um

audit process

firstly the requirement is an internal

audit document. So this is actually

something you give to the external

auditor as well. They look at it. If

you're not going to have any findings or

or notes on that audit report, they're

going to probably be suspicious because

generally there's always something, you

know, that you can improve um and make

better. So that process is really

reviewing all your internal

documentation, reviewing your processes,

actually gathering some of the evidence

that um these things are actually

implemented in in your business. Um

that's very helpful when you get to the

external audit and you already have all

that ex that evidence um stored. That's

that's how we do it. And then obviously

the output of that is an internal audit report

report

like I mentioned. Then the external

audit um is an has to be an external

company that comes in reviews everything

including your internal audit report and

they will they will request evidence um

for certain uh

for certain processes in your business.

How how it's generally works is you'll

do your a first full audit uh and then

once you're certified you'll do two

surveillance audits which are not full

audits and then every third year you'll

do you'll have to do a full audit again.

Cool. Then hopefully you get to

celebrate because you got a certificate.

You may or may not look older and grayer

with some sweat stains maybe, but you

would be able to celebrate.

Cool. So, Mendix control center

um so control center provides menx

admins with a centralized overview of

all the MEX activities with the ability

to manage and control these activities.

So the way the way I saw this is it's

actually giving you some tooling to

really tick some of the boxes for um 271

controls. So it's a it's it's kind of a

useful tooling.

So what I went and did is just map some

of the controls to the control center um

features. So for example, you can manage

your admin user access. Obviously, it's

documented in the system, so it's easy

to audit. That speaks into the A8 a2

private access rights control, which is

a specific control on ISO general access

management. Um, the the fact that you

can configure onboarding communication

to developers kind of speaks into the

information security awareness training

section. You can have kind of like

preconfigured training that goes out to

your new guys to to assist with ticking

that box. Um the fact that you actually

have a list of all your applications

goes to you know what I was talking

about information assets those

applications would be each of those

would be considered an information asset

monitoring ongoing monitoring that it

gives you um obviously access control

segregation of duties because you've got

role based permissions you can do there

um and then on the security side of it

you can set your medics password policy

um you can also set data um replication

for failover and then um you can set up

your SSO

and then actually quite a big one are

these in the software composition um

section is speaks directly to managing

your technical vulnerabilities. So you

get reports of your findings. You

actually know you you'll actually have a

software bill of material so you know

exactly what you're using in your

applications which is a key part of

those implementing those controls and

you can manage the third party

components that you use allowed to use

Okay, cool.

So I think what I want to just then just

speak a little bit more generally.

Um I think this is kind of like a classic

classic

uh viewpoint like on one on one side you

have productivity on the other side you

have security. The way to have the most

productivity is to have zero security

because then you don't have to worry

about anything. You can just work right

that's obviously not the ideal um

scenario. So I just wanted to speak into

uh this a little bit.

So in my mind there's always going to be

friction between security processes and

productivity because control always does

that puts friction in place of actually

doing you know getting something done.

So I think developers often experience

like these kind of information security

requirements as restrictive frustrating

and slowing down delivery. Um and I can

I can see that. But I just want to

challenge this this view a little bit

today. Um,

and I want to just as a counter claim

say properly defined and consistently

followed information security processes

can actually improve your long-term

productivity for the business. Um, and

I'm going to speak a little bit why I

say that. So,

as an example, if you don't have a def

well structured and defined SDLC,

um, you're going to probably not deal

with issues that you needed to up front.

So if you do have it, you're probably

going to reduce your back and forth

because you're implementing kind of

almost like properly from the beginning

in um reducing your rework. So we all

know that as soon as you have to go back

and rework on something generally takes

longer than if you had um incorporated

your requirements from the beginning. Um

and then I think in my mind um you know

properly properly defined security

processes actually reduce what I call

security debt. So that would be take the

form of overlooked requirements that

surface late in the development cycle,

emergency fixes due to vulnerabilities

discovered post release or even in the

worst case a security incident.

So um in my view by embedding security

into your development process you're not

just protecting data you're protecting

velocity reducing risk and actually

building resilience into your software delivery.

delivery.

So security incidents are not fun. Um

they are time consuming to actually

investigate an incident determine the

root cause and determine how to respond

to an incident. Um, you have reporting

obligations to customers. You even

potentially have reporting operations uh

reporting obligations to information

regulators, you know, the legal bodies

that oversee the data privacy

legislation or directly to data subjects

with possible fines.

You've obviously got reputational

damaging damage that impacts your

customer trust uh and retention.

You going to have additional development

work to mitigate those risks. And then

on top of all that, you've got legal

costs and contractual liabilities. So

this is all kind of what you're trying

to avoid.

So I think some some practical things

for me um when you speak about privacy

and security by design really starts off

when you're grooming and it's important

to have specific security related

questions to formulate what the security

requirements are. It's easy to kind of

get straight into what does the system

have to do, but there are some kind of

questions that also need to be asked at

this point. What data is being

processed? Are there privacy

considerations? Is it specifically

regulated data like credit card

information? That's a whole, you know,

there's a whole another bank of

requirements that are that will be

needed to be built for that. Um, what

are your encryption requirements? What's

the access requirements? How do you gain

access? Do you need rolebased access um

etc? If you're integrating with any

third parties, how do you um integrate

securely? What do you need to put in

place there? And what are the

non-functional technical requirements

like availability, uptime, audit login

and all of those kind of things. Then I

think what during the coding phase

really just as developers equip yourself

with security skills in the specific

area. That's where obviously your MEX

training and certifications also assist

knowing the secure trading standards and

best practices in your area. Um

implementing kind of mechanisms like

data minimization. So making sure the

applications and processes that you work

on actually only use the minimum amount

of data needed and not just kind of you

know classic select star everything in

and and and work with it like that. So

you can actually reduce risk by just

minimizing the data set that you that

you're working on

and then just ensuring appropriate audit

sensitive data and logs

testing in the testing phase. Um the key

thing here is making sure that you

actually test against your previously

defined security requirements. So that

would be you know considered almost

non-functional testing testing that your

user access is you know uh working and

the specific access levels are

implemented correctly for example. Cool.

Cool.

So for me the reality is that if you

want effective information security is

actually everyone's job. Um

and clients are actually looking to

developers to implement not only

functional applications but also

applications that are actually actually

secure. Um so in my view your efforts

have a large impact on the practical

security of data processed by the

applications that you actually are

working on. Cool. So that is that is my

story. Don't know if uh I'm not sure how

to handle questions from online

perspective but

Okay, cool. I don't know if anyone has

>> I have a question. >> Yeah.

>> Yeah.

>> Um, so in the beginning of your

presentation, you say that it actually

um increases your security. What was

that phrase? Was that the whole um one

of the benefits? It actually reduces risk.

risk. >> Yeah.

>> Yeah.

>> How is that measured?

uh because it's a it's a it's a claim to

make but like

>> if you look at black holes you can see the

the

>> you can't see the black hole itself you

see the outline what's around it

>> yeah the yeah the outing effect so how

is that claim measured

measured

>> yeah so I mean that actually part of it

part of like the ISO process is actually

measuring the effectiveness of your

information security actually ironically

so I think you would measure that in

you would actually measure in number of

incidents but obviously if you weren't

tracking that before you wouldn't know

if it improved or not but

right as soon as you're tracking that

that's one key way you would measure it

I think the other thing is um

I think man just just knowing just that

you know what's happening that you know

you have a place where you can check who

has access to what um in your

organization as an example is really

like it's actually a big deal because if

something happens, you know who has

access to it. It's likewise, if you have

if you don't track your information

assets and you have a a you know some

kind of um exposure on that data, you

don't know what the rules are about the

data that you that you have, you don't

know what to do about it. So, it is a

difficult thing to probably track

practically specifically because you

probably didn't have anything

beforehand. But you would want to you

would want to see those things when you

start ISO kind of coming through and

actually, you know, improving and

>> Can we see online? No, I can see the

chat here, but nothing.

>> It's the It's the what? The midday nap.

>> Post pizza.

>> I told Derek that my target for today

was to at least at least get one person

sleeping. So

hopefully I achieved it. I wouldn't know

if it was online. No.

>> Okay, cool. I think we're going to end

it here then.

点击任意文字或时间戳，即可跳转到视频对应位置

大多数字幕 5 秒内即可准备好

一键复制125+ 种语言搜索内容跳转到时间戳

粘贴 YouTube 链接

输入任意 YouTube 视频链接，获取完整字幕

大多数字幕 5 秒内即可准备好

安装 Chrome 扩展

无需离开 YouTube，一键获取视频字幕。安装我们的 Chrome 扩展，直接在视频页面访问任意视频的完整字幕。

免费添加到 Chrome

支持 YouTube、Coursera、Udemy 等主流教育平台

快速获取字幕：直接修改地址栏中的域名即可！

YouTube

←

→

↻

https://www.youtube.com/watch?v=UF8uR6Z6KLc

YoutubeToText

←

→

↻

https://youtubetotext.net/watch?v=UF8uR6Z6KLc

YouTube 字幕正在为您准备结果……

YouTube 字幕：Kevin Wilson, Our journey to ISO 27001 Workshop