Many organizations want to adopt DevOps practices to get the benefits associated with them: faster time to market, increased stability and quality, and more time to build stuff that’s valuable to the bottom line. But they often get tripped up by audits and compliance checks to make sure the organization is adequately addressing risk. DevOps practices don’t align well with traditional audit practices. So these organizations are often left asking themselves, “How do I position my organization for an audit when I’m using DevOps practices?” Until recently, there hasn’t been a really good answer.
But that’s changing.
Over the last few months, I’ve had the privilege of working with Gene Kim, James DeLuccia, and Byron Miller (three super smart people who are incredibly knowledgeable about DevOps and audits) on a project to develop the DevOps Audit Defense Toolkit. The vision for the project is to define the authoritative guidance for how management and auditors should conduct audits in organizations where DevOps practices are in use.
The first draft of the toolkit is out and we’ve already received some incredibly useful feedback on it. If you want a good overview, George V. Hulme wrote a terrific article on CSO Online about the project, why we’re doing it, and what we hope to accomplish. You can also join a growing Google+ community for the toolkit – people are posting some great content there.
This is a really exciting project, especially when I think about the impact the toolkit can have on bringing the DevOps and audit communities closer together and making audits less painful and more productive. While we have more work to do on the toolkit, we know it’s possible – something Simon Storm demonstrated in his awesome presentation at the DC Continuous Delivery meetup a couple months ago. Hopefully the DevOps Audit Defense Toolkit can help more organizations realize those same benefits.