Talk: Agile Information Security Certification and Management: it is actually possible, no seriously, it is.
Speaker:
Mike Pearce
Talk description
Title:
Agile Information Security Certification and Management: it is actually possible, no seriously, it is.
Short synopsis:
When people think about InfoSec, they break out in a rash. When people think about InfoSec and agile, heart palpitations, sweating and fidgeting occur. It needn't be this way though. This session will tell the story of how a small healthcare startup began earning an ISO27001 certification, manages an ISMS and still delivers valuable working software, all without anybody having to have a little lie down.
Long synopsis (optional):
The journey began with a faceless big pharma company requiring the small healthcare startup to have an ISO27001 certification. This involves creating and maintaining an Information Security Management System (ISMS). This is a risk-based, top-down structure which helps a company think about how it manages its data, systems, employees, contracts - anything really. Creating one of these as a seven-person startup is a behemoth of a task, but one that had to be done. So, using a bunch of agile tools (software and facilitation/moderation tools) we set about creating an ISMS that would be easy to maintain, be truthful, have full coverage of everything we did, become the backbone of the company's ability to deliver products with security baked in, and not fall out of date, be ignored or have people hack workarounds to avoid having to comply. It's not easy and, ultimately, not something that is ever "finished", but this session will enlighten you on some of the things we did to make it work, some things we'd do differently next time and, ultimately, why any company, regardless of size, can have an ISMS at certification standard within a few months.