How DevSecOps can make your ISO 27001 based ISMS more mature

Preface

Let us start with a slightly overdrawn picture of Information Security. Why? Because it is a strange thing. Nearly everybody knows it. Most people have already come into contact with it, directly or indirectly. They tell you how important it is and how bad it would be if a cyber-attack happened. On the other hand, Security Officers trying to implement security measures often have to deal with pushback:

  • The “security-guys” are always blocking or slowing down the most profitable projects for the business side.
  • The developers and system administrators only see the additional workload added to their jobs due to security.
  • For many end users, circumventing security measures in the most creative way seems to be a kind of sport.

How practical security can be

We don’t want to be doom-mongers; it’s not always as bad as we just described it, but people working in Information Security will probably have recognized some of the above stories for a long time. Complaining is not the reason for this article; it explains how practical security can be implemented at a very early stage of software development using DevSecOps.

At the same time, it relates this to the more theoretical and compliance-oriented Information Security Management Systems (ISMS) most companies have in place today. There are several ideas on how to combine both approaches. We will focus on a relatively new one: OWASP DSOMM, the DevSecOps Maturity Model from the Open Web Application Security Project.

ISO 27001: well known and widely used

Let’s start with ISO 27001, the Information Security Standard most of our customers’ ISMSs are based on. While ISO 27001 defines the general requirements, the associated ISO 27002 gives a detailed list of required and recommended documents. Its controls range from organizational topics like a well-defined Information Security Organization, through processes (on-/offboarding, incident response, supplier management), to detailed requirements like a password policy or a well-defined roles and responsibilities matrix.

What is really needed

People complain about the ISO standard’s requirements and controls because they change their daily business and are too high-level. Many want precise requirements they can use and implement directly, but unfortunately the pure ISO 27001 / 27002 does not work on that level. A mapping between the high-level controls and the low-level practical implementation for day-to-day operations is needed.

Therefore, we focus on one new mapping-idea: one part of the requirements listed in ISO 27002 is a “documented system development process” (section A.14). This is where DevSecOps and the OWASP DevSecOps Maturity Model (DSOMM) come into play.

Why DevSecOps makes sense for your organization

DevOps (a combination of software development, “Dev”, and IT operations, “Ops”) has been well known in the software development industry for years. Its target is to shorten the systems development life cycle and provide continuous delivery with high software quality. Software development based on DevOps is often implemented within the framework of agile approaches like Scrum or Kanban, as both ideas aim at the same target: short life cycles and continuous delivery.

DevSecOps (DevOps with deeply integrated security, “Sec”) was added to DevOps later, as people realized that implementing security already at an early development stage has several advantages. Possible security issues are recognized early, and no fix is needed during or after a late development stage. As a rule of thumb, the later you identify a security issue within the software life cycle, the more expensive it will be to fix it.

Identifying security issues

Relative costs to fix bugs, based on time of detection

Taking care of security bugs already during the development phase (requirements, architecture, coding, integration, component testing) can save plenty of resources, time and budget alike, and spare the team’s motivation.

Coming back to the initial pushbacks security officers have to face, DevSecOps would satisfy several parties:

  1. Firstly, the business-side
    1. gets no (or at least less) late “blockers” from security
    2. gets lower costs as well as more in-time- and in-budget-projects due to early bug fixing
  2. Secondly, the developers and system administrators
    1. have to deal with fewer security issues during test and implementation, which could save plenty of time
    2. automatically educate themselves to do it in the same and more secure way in future projects, as the overall process was more straightforward and less frustrating

As just described, performing software development with the DevSecOps approach has many advantages. The problem is how we can use this rather practical and development-oriented approach as input for an ISO 27001 based ISMS, for example:

  • how to store secrets,
  • how to handover confidential parameters, or
  • how to do an inventory of running artifacts, and so on.

An ISO-based ISMS does not handle these topics at such a detailed level, yet exactly this input is necessary to document and prove what is done to satisfy specific ISO 27002 controls. Anybody who has ever taken part in an ISO 27001 based audit knows how important such information is and how focused most auditors are on the SoA (Statement of Applicability). The SoA documents exactly such links between an ISO 27002 control and the technical or organizational measure a company has implemented to address it.

Combining them: the OWASP DSOMM approach

The project team of OWASP DSOMM recognized this need as well. Relatively recently, a mapping from the DSOMM topics to the ISO 27002 controls has been added. Some of our clients working with DevSecOps use this mapping already. The ISMS maintainer can directly map the measures performed during DevSecOps to the corresponding ISO 27002 controls as listed in the SoA. Most DSOMM mappings refer to A.14 (documented system development process) and some to controls like A.12 (operations, backups, monitoring, etc.), so the coverage is already relatively wide.

So using the new DSOMM to ISO 27002 mapping can be a bridge between the high-level ISMS and the low-level software development process. We highly recommend discussing this topic between the product and risk owners of the development teams and the Information Security Officers (CISO). It’s one step closer to more mature and secure software and, at the same time, one step closer to a mature ISMS.
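As an added illustration (not code from this article or from the OWASP DSOMM project), the following Python script shows how an ISMS maintainer could turn a list of DevSecOps activities tagged with ISO 27002 control references into an SoA coverage view and a simple per-dimension maturity level. The activity names, levels, evidence and control assignments are constructed assumptions for the demo, not DSOMM’s actual activity list or its real mapping.

```python
from collections import defaultdict

# Constructed sample activities (illustrative assumptions, not DSOMM's real
# activities or mapping). "implemented" is what the development team reports;
# "evidence" is the artifact an auditor could be shown for the SoA row.
ACTIVITIES = [
    {"name": "Secrets kept in a vault instead of the repository",
     "dimension": "Build and Deployment", "level": 1, "implemented": True,
     "evidence": "vault policy + pipeline config",
     "iso27002": ["A.14.2.1", "A.9.4.3"]},
    {"name": "Confidential parameters injected at deploy time only",
     "dimension": "Build and Deployment", "level": 2, "implemented": True,
     "evidence": "deployment manifest review",
     "iso27002": ["A.14.2.1", "A.14.1.3"]},
    {"name": "Inventory of running artifacts generated from the registry",
     "dimension": "Build and Deployment", "level": 2, "implemented": False,
     "evidence": "",
     "iso27002": ["A.8.1.1"]},
    {"name": "Static application security testing in the pipeline",
     "dimension": "Test and Verification", "level": 1, "implemented": True,
     "evidence": "SAST job logs",
     "iso27002": ["A.14.2.8", "A.12.6.1"]},
    {"name": "Dependency vulnerability scanning on every build",
     "dimension": "Test and Verification", "level": 2, "implemented": True,
     "evidence": "SCA report per build",
     "iso27002": ["A.12.6.1"]},
    {"name": "Centralized application logging",
     "dimension": "Implementation", "level": 1, "implemented": False,
     "evidence": "",
     "iso27002": ["A.12.4.1"]},
]

# Constructed subset of SoA rows (control ids and titles of ISO 27001:2013
# Annex A / ISO 27002:2013); a real SoA would list all applicable controls.
SOA_CONTROLS = {
    "A.8.1.1": "Inventory of assets",
    "A.9.4.3": "Password management system",
    "A.12.4.1": "Event logging",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.1.3": "Protecting application services transactions",
    "A.14.2.1": "Secure development policy",
    "A.14.2.8": "System security testing",
    "A.14.2.9": "System acceptance testing",
}


def soa_coverage(activities, soa_controls):
    """Map every SoA control to the implemented activities that evidence it."""
    covered = {cid: [] for cid in soa_controls}
    for act in activities:
        if not act["implemented"]:
            continue  # planned work is not evidence for an auditor
        for cid in act["iso27002"]:
            if cid in covered:  # references outside this SoA subset are ignored
                covered[cid].append(act["name"])
    return covered


def uncovered_controls(activities, soa_controls):
    """Controls in the SoA for which no implemented activity provides evidence."""
    cov = soa_coverage(activities, soa_controls)
    return sorted(cid for cid, names in cov.items() if not names)


def maturity_by_dimension(activities):
    """Highest level per dimension such that every activity up to that level is
    implemented (a simplified reading of the DSOMM level idea, assumed here)."""
    by_dim = defaultdict(list)
    for act in activities:
        by_dim[act["dimension"]].append(act)
    result = {}
    for dim, acts in by_dim.items():
        reached = 0
        for lvl in sorted({a["level"] for a in acts}):
            if all(a["implemented"] for a in acts if a["level"] == lvl):
                reached = lvl
            else:
                break  # a gap at this level blocks all higher levels
        result[dim] = reached
    return result


def render_soa(activities, soa_controls):
    """Plain-text SoA extract: control, title, status and evidencing activities."""
    cov = soa_coverage(activities, soa_controls)
    rows = []
    for cid, title in soa_controls.items():
        status = "covered" if cov[cid] else "GAP"
        rows.append(f"{cid:<9} {title:<45} {status:<8} {'; '.join(cov[cid])}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_soa(ACTIVITIES, SOA_CONTROLS))
    print("Uncovered:", uncovered_controls(ACTIVITIES, SOA_CONTROLS))
    print("Maturity:", maturity_by_dimension(ACTIVITIES))
```

The GAP rows are the controls for which the development team still owes the ISMS either an implemented activity or a different, documented measure.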

Conclusion

Are you doing software development in your company, either for self-use or as a product for others? Do you care about Information Security, not only in theory but also on a practical level? Well, then you definitely should take a closer look at DevSecOps in general, especially if your development teams work agile already. We at CISO AG help you automate the core security tasks and implement them into your DevOps workflow.

Choosing a Virtual CISO or CISO as a Service?

What is vCISO?

A vCISO (virtual chief information security officer) is a new type of C-level security executive aimed at helping enterprises improve their cybersecurity programs and achieve compliance. It’s a role intended to prevent or defend against cybercrime and critical data breaches as the number of such attacks continues to rise. Cybersecurity threats exist in every corner of the big wide world, and cybercriminals are constantly coming up with new ways to attack businesses. For example, the latest Log4J critical vulnerability is being exploited in the wild as you read this. This is why it’s more important than ever to protect your business against these threats, but that’s easier said than done.

A vCISO (Virtual Chief Information Security Officer) is a C-level security leader who works with your management, IT, and security teams to develop a strategy for eliminating possible data breaches or intrusion attempts. A vCISO is an experienced external professional who provides ongoing assistance in many cybersecurity areas, including risk assessment and strategy, technical support, internal education, organizational restructuring, and many others.

It’s a tough job, but somebody has to do it. It can be easy for information security to take a back seat in the hustle and bustle of running a business. A cyberattack could cost your company millions — leading to damaged reputation, fines from the government, and in some cases even lawsuits from customers.

Working with a Virtual Chief Information Security Officer (vCISO) means having an experienced expert in your corner to help you build and execute a cybersecurity program to combat cyberattacks at every level.

“A top vCISO knows how to deliver their knowledge and experience effectively, while developing a security-positive culture within an organisation. Education is key, at all levels, and elevating existing talent often provides the fastest results.” — said Cathal Judge, founder of CISO AG.

A full-time CISO or a vCISO? Which do you choose?

The global information security market is expected to reach USD 167.12 billion by 2025, according to the latest study by Grand View Research Inc. An increase in data breaches, changing IT infrastructure, and the trend of outsourcing IT security are three factors driving this growth.

The truth is that cyberattacks have hit businesses of all sizes. Yet many companies lack the resources to deal with such threats effectively. The bigger you are in terms of revenue, employees, or customer base, the more likely you are to be a target of hackers.

You need a security expert on board to keep your systems safe and secure, but you may not have an in-house professional to do so.

A need for skilled C-level security talent — but not enough people qualified to fill all the jobs — is making in-house CISOs one of the hottest positions in the cybersecurity talent market today.

Solving the CISO Shortage

Skilled and experienced chief information security officers (CISOs) are costly and difficult to find. With the rising demand for CISOs, more organizations are looking to hire them, but it can be hard to find the right person. High-level CISO candidates are in short supply, which means there’s fierce competition for the best ones.

There are many conflicting opinions when it comes to CISOs vs. vCISOs. A full-time CISO is more expensive but more hands-on. However, a vCISO allows security team members to grow their skills and can be more economical in the short term for companies.

Value of a vCISO for Your Organization

What if your business could get the cybersecurity assistance it needs, when it needs it? Should you manage cyber security in-house or through an outside provider? An on-demand virtual CISO (vCISO) is a cutting-edge security expert who works with you as your business grows and your security requirements change.

And when you do find one, they’re often too expensive. So what if your business could get cybersecurity assistance from a world-class expert when it needs it? That’s where a vCISO comes in.

This means that organizations that need to fill that critical role might have to turn to an on-demand virtual CISO (vCISO). Then you can focus on your business operations while the vCISO handles your information security needs.

4 Benefits of Hiring a Virtual CISO

1. Cost Efficiency

The current market for Chief Information Security Officers is competitive, and the demand for qualified candidates is outpacing supply. If you’re looking to hire a full-time CISO, you may be surprised by the cost. It’s estimated that a well-rated, full-time CISO can command a six-figure salary and stay in the role for only a few years. Instead of hiring someone at this price point, you can hire a vCISO, which costs 30-40% less. A vCISO can start working immediately and requires significantly lower onboarding costs than a full-time hire, with no benefits or payroll required.

Virtual Chief Information Security Officers are expertly trained and highly experienced professionals who are usually able to start working immediately and require significantly lower onboarding costs than a full-time hire, with no benefits or payroll. A virtual CISO offers a much more affordable option for your business: they charge a fraction of the cost of hiring a full-time CISO and remove the risk associated with training up a new employee.

2. The Flexibility of vCISO Services

Major companies worldwide use vCISO services to outsource their cybersecurity and compliance needs, because they trust that they’ll get top-quality results without having to invest heavily in the talent themselves. Their relationships with our team are built on trust and managed remotely, allowing them to cut down on overhead without being held back by long-term financial commitments or hiring bottlenecks.

3. Breadth and Depth of vCISO Expertise

Because your vCISO is often at the forefront of innovation and continuously adapting to new and evolving security standards, they will be able to provide your organization with the best of today’s technology. Being independent, a vCISO can serve as a change agent in your company. Hiring a vCISO is a great way to ensure that you have access to as many resources as possible, including industry experts with more specific skill sets. Such experts can act as an extension of your team when needed, providing comprehensive security guidance to your organization and giving you the best chance of preventing or recovering from cyberattacks.

4. Independence

vCISOs are unique in that they combine the skills of a C-level executive with the knowledge of a security expert. As external security consultants, vCISOs are an essential ingredient in the success of your cyber security. Because a vCISO is not part of the company, they have no bias and will be able to provide a fresh perspective on your organization’s security needs.

They are an independent set of eyes on your team and your business environment, which means they can find vulnerabilities and weaknesses before attackers do — allowing you to improve your cybersecurity posture before any incidents happen. They also work to fix any existing issues that your team may not be aware of, potentially stopping costly breaches in their tracks.

A virtual CISO will provide you with expert strategic advice and insight as they come from outside the organization and have plenty of experience dealing with security threats, so they aren’t stuck with “how we’ve always done it.” They’re professional experts who aren’t burdened by office politics or agendas — they have to get the job done right and done right the first time. A vCISO can benefit anyone who wants to save time and money on their cybersecurity capabilities.

vCISO Role and Responsibilities

The vCISO serves as a liaison between the business and technology departments. The responsibilities of a vCISO are diverse; they include driving information security education within the company, recommending best practices to prevent security incidents and protect against external threats, and examining internal systems and processes to create actionable plans that build upon the strengths of existing systems while also improving upon the cybersecurity weaknesses.

Not only can a vCISO design and build a complete security framework for a company, but they can also draw up and enforce appropriate policies and procedures. With an eye for compliance and security, they can ensure that everything runs smoothly — all while serving as a go-to resource for the management team.

In a nutshell, the vCISO is in charge of a wide range of cybersecurity aspects. A vCISO can help you prepare to meet regulatory compliance requirements and cybersecurity standards such as HIPAA, PCI DSS, ISO 27001, ISO 9001, NIST SP 800-53, NIST SP 800-171, and others. Typical responsibilities include:

  • Identifying your business-critical assets for risk assessment analysis
  • Developing your organization’s cybersecurity strategy
  • Building a cybersecurity plan and program (mid-term, short-term)
  • Building a Governance, Risk, and Compliance (GRC) program
  • Maintaining overall security operations
  • Assessing people, including managing personnel, contractors, and vendors
  • Building and executing staff cybersecurity & compliance training strategy
  • Drafting security policies, guidelines, and standards
  • HIPAA or PCI compliance
  • Vendor risk assessment
  • Bring-Your-Own-Device (BYOD) policy and enforcement
  • Security strategy and procurement
  • Incident response plan and incident remediation
  • Regulatory compliance
  • Implementation of a security awareness program

CISO as a Service

CISO-as-a-Service is an expert engagement model that centralizes cybersecurity management and facilitates collaboration between in-house IT and cybersecurity teams. It makes it easier for businesses to comply with GDPR, HIPAA, and PCI-DSS.

CISO-as-a-Service brings businesses and their cybersecurity programs to the next level. It allows enterprises to strengthen their cybersecurity program while they also manage regulatory compliance. It is an essential component that every organization should invest in: it enables clear, more efficient communication between the C-suite and the IT department, allowing leaders to trust their cybersecurity protection.

CISO-as-a-Service takes all of the work, heartache, and headache out of creating a high-quality cybersecurity program for your business. It’s an essential and critical investment for the enterprise to evaluate and strengthen the effectiveness of its cybersecurity program—and meet ever-changing regulatory compliance demands from governing bodies around the world.

Virtual CISO or CISO as a Service Offered by CISO AG

Your security needs are complex, but working with an experienced cybersecurity team is simple. When you partner with CISO AG, we do the heavy lifting for your team with CISO-as-a-Service engagement. CISO AG provides a holistic, client-focused approach to cybersecurity so that you can dedicate your energy to your core business.

Both vCISO and CISO-as-a-Service give you access to years of our expertise. Our diverse team of experts in various cybersecurity domains will help you identify your critical information assets, whether on-premise or in the cloud, build out a solid and consistent cyber defense system, and achieve compliance with industry regulations across the globe.

CISO AG extends your team, which means we continuously work hard to keep you fully protected. While our rates are very affordable, we don’t cut corners on quality. Our clients come first — we’ll be there around the clock to protect you from cyber threats of all kinds.

If you’d like to learn more about how our vCISO package or CISO-as-a-Service can benefit your company, feel free to drop us a line at: info@cisoag.com today.

Top 10 Benefits of DPO as a Service & Virtual DPO

Are you in compliance with the GDPR?

The General Data Protection Regulation (GDPR) requires every organization to comply with specific data protection and privacy regulations. Organizations that meet the Information Commissioner’s Office (ICO) criteria must hire a Data Protection Officer. All organizations should have a DPO who is fully responsible for defining and managing controls over sensitive information.

The aggressive nature of ever-evolving cybercrime poses a serious threat to European people, businesses, and public administration organizations. At the same time, the mobile and remote workforce makes it more challenging to comply with GDPR.

Most organizations are processing ever-increasing amounts of data as a result of digitalization. Consequently, these companies must take appropriate measures to safeguard their customers and business by handling data appropriately. Designating a Data Protection Officer ensures that there is oversight and management for your valuable corporate data.

Non-compliance might result in a penalty of 4 percent of your global revenue or up to €20 million, whichever is greater.

Playing the ignorance card won’t work once your company has been fined for non-compliance with GDPR.

If you’re not a GDPR expert, the GDPR rules might be challenging to understand and comply with. A DPO helps your organization comply with the General Data Protection Regulation (GDPR) of the European Union and so prevents compliance confusion and massive financial losses.

What you should know about the Data Protection Officer

Generally, a data protection officer (DPO) is an independent corporate official competent in maintaining compliance with the European Union’s General Data Protection Regulation. The DPO is responsible for conducting internal privacy assessments and for overseeing, supervising, and providing consultancy on all topics related to the GDPR.

A DPO must have direct access to top management, who can assist them in making decisions on personal information processing. Your company executives have minimal or no influence on the DPO’s activities, findings, and recommendations.

Top management must not exercise any pressure on the DPO where there is a conflict of interest, and IT managers are prohibited from taking on the function of a DPO under any circumstances. Also, a company executive involved in future or existing litigation or regulatory action against the company should not be designated as the DPO.

An organization-wide security policy should be well established, communicated to everyone, and adhered to by everyone. It is essential to keep in mind that appointing someone as DPO does not mean this person is entirely responsible for data protection compliance. The DPO’s role is to supervise any required modifications and make sure all employees know the data protection policy.

Data Protection Officer Role

Let’s take a closer look at the designation of the Data Protection Officer: mandated and voluntary DPO positions, the scope of competencies, their independence, conflicts of interests, liability, etc.

This role is sometimes referred to as a Privacy Officer or an Information Officer. While the rules and obligations for appointing a DPO vary between jurisdictions, there are some standard requirements. Usually, a DPO will not need to be appointed by smaller organizations or those that only process limited amounts of personal data, although appointing a DPO in such cases may still be encouraged.

When a DPO appointment is required, there are often stipulations regarding who can be appointed as a DPO. The appointment of a Data Protection Officer is generally governed by a set of rules and regulations that vary across geographies. However, legislative requirements to appoint DPOs are becoming increasingly common around the world, and their responsibilities are getting better defined.

In the EU, the GDPR provides that a DPO must be appointed based on their relevant professional qualifications or extensive experience and that the individual is easily contactable. In addition, there can be requirements as to where a DPO is located.

Once a DPO has been appointed, many jurisdictions require that the contact details of the DPO be provided to the local supervisory authority. In addition, it is often a legal obligation to provide the DPO’s contact details in privacy policies or notifications to data subjects.

Data Protection Officer Responsibilities

DPOs may also be tasked with generally monitoring GDPR compliance or performing reviews of their organization. To ensure the effectiveness of the DPO in fulfilling these responsibilities, several laws, including the EU’s GDPR, stipulate that the DPO must have a high degree of independence. This may mean, for example, that a DPO cannot be penalized for performing their tasks.

It is the responsibility of the data protection officer (DPO) to provide businesses with data compliance and privacy guidelines and to report any violations of data regulations. The DPO position requires advanced knowledge of the GDPR and other relevant data protection laws, including the ePrivacy Directive. In most cases, a DPO’s primary responsibility is to ensure compliance with the applicable privacy legislation in the jurisdiction. This may include overseeing data subject requests, assisting with data protection impact assessments, employee security awareness training, and cooperating with supervisory authorities.

Some laws further provide that a DPO must be able to communicate with senior management. Other variations on DPO appointments around the world include whether different organizations can appoint the same DPO, conflict of interest requirements, whether a group can be designated as DPO, and obligations related to appointing deputy DPOs.

DPO Qualifications Summary

  • Ability to train staff on data protection awareness.
  • Self-confidence and a deep understanding of the organization’s processes and industry.
  • The capability of teaching large groups of people and clarifying complex concepts.
  • Background in law. A data protection officer (DPO) is defined in GDPR Article 37 as a person with professional skills and an understanding of data protection laws and procedures.
  • Experience in cybersecurity. Companies subject to the GDPR must hire someone who has dealt with real-world security incidents and can advise on security risk assessments, countermeasures, and data protection impact assessments (DPIA). As a rule of thumb, a DPO should have expertise in cyber security.

Outsourcing DPO: DPO as a Service

Outsourcing the DPO function is an obvious first choice for small and medium-sized businesses. To hire a DPO, companies must find someone practical enough to understand that their formal credentials for the role matter less than their ability to negotiate appropriate solutions in an increasingly unpredictable regulatory environment. The competent and experienced DPO confidently finds a way through this swamp.

On the other hand, if you appoint an in-house DPO, there will be opposition from every department that the DPO comes into contact with. Information technology (IT) perceives the GDPR as an unnecessary burden on its project timetables, while sales and marketing view it as an unreasonable interference with their capacity to execute effectively. Security worries that the new rule directly contradicts the regulatory obligations it already carries. Legal is left scratching their heads at how unclear the law is.

That said, the DPO must be ready to collaborate with various functional departments. He or she must have the courage to speak up, defend their convictions, and know when to hold the position and when to compromise. Most crucially, this person must be able to measure the impact of your organization’s compliance responsibilities on your bottom line.

10 Benefits of External Data Protection Officer

  1. To comply with the GDPR, all DPOs must be independent resources for the firm.
  2. You don’t have to invest in educating your DPO, because he or she already has a solid understanding of the GDPR on paper and in practice.
  3. Appointing the DPO role to the company’s top IT or security manager is not recommended, as the DPO will be obliged to provide honest feedback on the company’s IT and security systems.
  4. The experienced external DPO is familiar with both the GDPR’s substance and its interpretations. He can analyze sophisticated regulatory requirements and provide valuable insights and practical recommendations.
  5. The DPO must be thoroughly familiar with both the text and the practical implementation of the GDPR and other privacy laws, cybersecurity, and risk management.
  6. An external DPO is an expert in the data protection and data privacy domains, providing objective advice and guidance. A strong understanding of the organization and the data it handles allows them to keep clients up to date with the current risks to the organization and to enforce GDPR compliance.
  7. It’s significantly simpler to replace a consultant than an employee if you’re unhappy and dissatisfied with a DPO service.
  8. An outsourced DPO may have more robust insight into how other businesses are implementing GDPR solutions.
  9. There are no conflicts of interest with the external data privacy consultants.
  10. The hidden benefit of increased data transparency resulting from GDPR compliance is your enhanced ability to make educated business decisions. 

DPO as a Service by CISO AG

In some circumstances, the General Data Protection Regulation (GDPR) mandates the controller or data processor to appoint a DPO (data protection officer). GDPR-related requirements are not always prominent and easy to implement in your day-to-day operations. The DPO role also requires extensive knowledge of the data protection domain and a thorough understanding of the organization’s industry.

DPO as a Service by CISO AG is offered to organizations of all sizes interested in getting structured, hands-on guidance based on our global GDPR, Data Privacy, and Protection experience.

CISO AG offers DPO as a Service Package. We undertake the external DPO function. Our team of experienced legal, cybersecurity, risk management, and data privacy experts advise your organization and help implement and continuously monitor all the compliance postures. CISO AG has all licenses and certifications for GDPR compliance and data protection implementation.

We cover a broad range of relevant GDPR knowledge and best practices. We will provide you with the necessary materials, well-defined procedures, and documents. Here is a summary of the expertise and results CISO AG brings to the table.

  • Inform and advise on privacy legislation guidelines
  • The advice on developing and updating procedures and policies
  • Support on the completion of DPIAs (data protection impact assessments)
  • Coordinate and act as a contact point for the supervisory authority
  • Support with data protection-related operations, such as data subject requests, personal data breaches, and more
  • Monitor compliance with the regulation and follow up on existing controls

Your GDPR Compliance Objectives & CISO AG Deliverables

Privacy legislation guidelines

  • Inform and counsel the controller, processor or employees, on any GDPR-related issues.
  • Organize data protection awareness workshops and employee training. 
  • Implement data protection principles and central concepts within your organization.
  • PIMS. Establish a Personal Information Management System (PIMS), in line with ISO 27701 / BS 10012.

Assistance with the completion of DPIAs (data protection impact assessments)

  • Collect and examine the current documentation.
  • Advice on the design and revision of policies and procedures
  • Data protection-related procedures support
  • Organize workshops with the relevant stakeholders to review the procedures and/or policies and identify the ones to be created or updated.
  • Participate in tailored seminars to resolve remaining issues and identify emerging data protection support requirements.
  • Assess the current data protection procedures and provide recommendations for improvements.
  • Serve as the point of contact for the supervisory authorities

Risk Management Framework (Monitor compliance and existing controls)

  • Organize meetings with critical stakeholders to have a better understanding of the varied business situations that exist.
  • Put procedures in place for a regular check on compliance with the data protection regulation.
  • Provide practical advice based on real business scenarios and broad experiences.
  • Provide tools, templates, best practices, steps, and tips for setting and implementing the GDPR governance within your organization.
  • Provide advice and design practical solutions for transfers of personal data: to third countries, third parties and the cloud, etc. Cross-border data transfers – options & solutions. Ensure compliance in international data transfers.
  • Advice on protecting information assets, encrypting and anonymizing, preventing data leaks, minimizing software and hardware vulnerabilities, and assessing privacy solutions and technologies.
  • The DPIA (data protection impact assessment) considering the following factors: need, time, procedures, internal/external collaboration, workflows, legal risks, approvals, and communication.
  • Regular data privacy audits and monitoring: e-discovery, data security; cybersecurity; privacy by design; privacy impact assessment; data protection audit, activity tracking.
  • Privacy awareness training for employees
  • Practicalities on dealing with requests and complaints
  • Real-world scenario-based case for a data breach and incident response plan
  • Provide a comprehensive set of standard documents and examples to prove GDPR compliance, including certificates