We have a strong culture of autonomy across our teams and we wanted to keep that. The big question for us was: how can we keep doing DevOps in our teams and standardize compliance across them? Also, as a developer, the change management part of the ISO certification worried me. I thought it would mean meetings and checklists.
We started with a proof of concept in two teams with GitHub and Bitbucket. The teams chose the types of evidence that they wanted to record in Kosli - pull requests, code reviews, and so on.
When it comes to the change management part of the audit, all the auditor needs to know is that you have a process and that you’re following it. All we had to do was show them the Kosli dashboard.
We could bring up any change and display the evidence that it had been through code review, had a deployment approval done by a certain person on a certain date, and that it was running in production.
We didn’t spend any extra time gathering evidence manually because all of it had been recorded in Kosli. We were delivering software according to our process, but until Kosli we didn’t have an easy way to prove that we were compliant.
When it came to the change management part of the ISO27001 audit, we passed with flying colors.