ISO27001 Certified customers and their ServiceNow dev practices

Community Alums

Hi All!

 

I know that ServiceNow is ISO 27001 certified... Just to clarify up front, I am not looking for their certification documentation, as I already have that.

 

My question is for ServiceNow customers who are developing on top of the ServiceNow platform. Are there any customers that are ISO 27001 certified and willing to share a little bit of that experience? Some of my peers are under the impression we need to check source code (script includes, business rules, client scripts, table creation... all of it) into an external source control system to be compliant.

 

My view is that there is no control requirement that says we need to use external source control.

  1. ServiceNow is our source control and has all versions and changes stored in sys_audit
  2. ServiceNow stores credentials in a secure and approved way
  3. There is no way to capture "all development" into external source control due to legacy global applications and scripts as well as historically created tables.
    1. And even if you could, it would require either a TON of manual effort, or some type of custom development to automatically pull updates into some kind of git repo.

Any help would be much appreciated... thanks!
