View article

With agile methodologies increasingly being applied in regulated environments, security and compliance emerge as critical issues. Combining both concerns is challenging because security engineering techniques are often based on linear development. We propose a method for achieving continuous and secure development by mapping the requirements of security standards into an agile process model. Additionally, this allows verification of compliance even in the face of dynamic process changes. Applicability of the method is demonstrated by using Business Process Model and Notation (BPMN) to model and extend activities and artifacts of Scaled Agile Framework (SAFe) according to requirements of IEC 62443-4-1, a standard for secure product development in industrial systems.