ISO 27001: Annex 14 System Acquisition, Development and Maintenance

This article explains control objective A.14.1 Security Requirements of Information Systems and control A.14.1.1 Information Security Requirements Analysis and Specification.

A.14.1 Security Requirements of Information Systems

The objective is to ensure that information security is an integral part of information systems across their entire lifecycle. This also covers the requirements for information systems that provide services over public networks.

A.14.1.1 Information Security Requirements Analysis & Specification


Information security related requirements must be included in the requirements for new information systems and for enhancements to existing information systems.

Implementation Guidance

Information security requirements should be identified using a variety of methods, such as deriving compliance requirements from policies and regulations, threat modelling, reviews of past incidents, and the use of vulnerability thresholds. The results of this identification should be documented and reviewed by all stakeholders.

Information security requirements and controls should reflect the business value of the information involved and the negative business impact that could result from inadequate protection.

Identification and management of information security requirements and their associated processes should be integrated into the early stages of information system projects. Considering information security requirements early, for example at the design stage, leads to more effective and more cost-efficient solutions than retrofitting controls later.

Requirements derived from information security should also consider:

1. The level of confidence required in the claimed identity of users, from which the user authentication requirements are derived;
2. Access provisioning and authorisation processes, for business users as well as for privileged and technical users;
3. Informing users and operators of their duties and responsibilities;
4. The protection needs of the assets involved, in particular their availability, confidentiality, and integrity;
5. Requirements derived from business processes, such as transaction logging and monitoring, and non-repudiation requirements;
6. Requirements mandated by other security controls, such as interfaces to logging and monitoring systems or to data leakage detection systems.

For applications that provide services over public networks or that carry out transactions, the dedicated controls that follow in this section (A.14.1.2 and A.14.1.3) should be considered in addition to the general requirements above.

Where products are acquired rather than developed, a formal testing and acquisition process should be followed. Contracts with the supplier should address the identified security requirements. Where the security functionality of a proposed product does not satisfy a specified requirement, the risk introduced and the associated controls should be reconsidered before the product is purchased.

Available security configuration guidance for the product should be considered and implemented, aligned with the final software and service stack of the system in which the product will run, rather than applied in isolation.

Criteria for accepting products should be defined, for example in terms of their functionality, so that there is assurance that the identified security requirements are met. Products should be evaluated against these criteria before acquisition. Any additional functionality a product brings should be reviewed to ensure that it does not introduce unacceptable additional risks; where it cannot be justified it should be disabled.

Other Information

ISO/IEC 27005 and ISO 31000 provide guidelines on how to use risk management processes to identify controls to meet information security requirements.

Related Questions

1. What are the controls of ISO 27001?
2. Which control applies to ISO 27001: Annex 14 System Acquisition Development and Maintenance?
3. What are the requirements of ISO 27001?
4. How many controls are included in ISO 27001 standard?
5. What are the three ISMS security objectives?
6. Would you please define ISO 27001: Annex 14 System Acquisition Development and Maintenance?
