I’ve heard a lot of questions about DevOps, audit, compliance, and how they all fit together. I’ve fielded more questions from more people recently. In my mind, that means more people are applying DevOps patterns and practices to their work and the work they’re doing is real (as opposed to sandbox, pilot, or “let’s try this stuff out” projects). Why else would they be interested in audit and compliance?
Here are some resources that might be helpful if you’re “doing the DevOps” and interested in making audit and compliance efforts go more smoothly.
- The DevOps Audit Defense Toolkit. I wrote this with Gene Kim, James DeLuccia, and Byron Miller — three people who are incredibly knowledgeable about DevOps and audit. The DevOps Audit Defense Toolkit vision is to define the authoritative guidance for how management and auditors should conduct audits in organizations where DevOps practices are in use. I have another post on my blog about the DevOps Audit Defense Toolkit.
- Simon Storm’s talk from DOES 2014. Simon shows how he gets the auditors (compliance) on board with “doing the DevOps”. The title of Simon’s talk should say it all: “Positioning Agile and Continuous Delivery for Auditors and Examiners”. Great talk packed with info. He gave a similar awesome presentation at the DC Continuous Delivery meetup.
- An Unlikely Union: DevOps and Audit (DevOps Enterprise Forum guidance). Many organizations are adopting DevOps patterns and practices, and are enjoying the benefits that come from that adoption. More speed. Higher quality. Better value. However, many organizations often get stymied when dealing with information security, compliance, and audit requirements. There seems to be a misconception that DevOps practices won’t work in organizations which are under SOX or PCI regulations.
- The DevOps Handbook. Gene Kim, Jez Humble, Patrick Debois, and John Willis certainly know a thing or two about DevOps. This book has a section entitled “Ensure Documentation and Proof for Auditors and Compliance Officers” in Part VI with some great content and case studies about how DevOps practices support audit and compliance.