ISO 27001: Annex 14 System Acquisition, Development and Maintenance

This article explains A.14.1 Security Requirements of Information Systems & A.14.1.1 Information Security Requirements Analysis and Specification.

A.14.1 Security Requirements of Information Systems

The objective is to ensure that information security is an integral part of information systems across the entire lifecycle. This also covers the requirements for information systems that provide services over public networks.

A.14.1.1 Information Security Requirements Analysis & Specification

Information security requirements should be incorporated into the requirements for new information systems or enhancements to existing information systems.

Implementation Guidance

Information security requirements should be identified using a variety of approaches, including deriving compliance requirements from policies and regulations, threat modelling, incident reviews and the use of vulnerability thresholds. The results of this identification should be documented and reviewed by all stakeholders.

The business value of the information in question and the potential negative business impact of inadequate protection should be taken into account when defining information security requirements and selecting controls.

Information security requirements and the related processes should be identified and addressed at the early stages of information system projects. Considering security requirements early in the design phase, for example, leads to more effective and cost-efficient solutions.

Information security requirements should also consider:

1. The level of confidence required in the claimed identity of users, where authentication is needed;
2. Access provisioning and authorization processes for business users as well as privileged and technical users;
3. Informing users and administrators of their roles and responsibilities;
4. The required protection needs of the assets involved, in particular regarding availability, confidentiality and integrity;
5. Requirements derived from business processes, such as transaction logging and monitoring, and non-repudiation requirements;
6. Requirements imposed by other security controls, such as interfaces to logging and monitoring features or data leakage detection systems.

Dedicated controls should be considered for applications that provide services over public networks (cloud-based or internet-based) or that carry out transactions.

When products are purchased, a formal testing and acquisition process should be followed. Contracts with the supplier should address the identified security requirements. Where the security functionality of a proposed product does not satisfy the specified requirements, the risk introduced and the associated controls should be reconsidered before the purchase.

Where security configuration guidance is available for the product, it should be evaluated and implemented in line with the final software/service stack of the system.

Criteria for accepting products, for example in terms of their functionality, should be defined so that the identified security requirements are demonstrably met. Products should be evaluated against these criteria before they are acquired. Any additional functionality should be reviewed to ensure that it does not introduce unacceptable risks.

Other Information

ISO/IEC 27005 and ISO 31000 provide guidelines on how to use risk management processes to identify controls to meet information security requirements.

Related Questions

1. What are the controls of ISO 27001?
2. Which control applies to ISO 27001: Annex 14 System Acquisition Development and Maintenance?
3. What are the requirements of ISO 27001?
4. How many controls are included in ISO 27001 standard?
5. What are the three ISMS security objectives?
6. Would you please define ISO 27001: Annex 14 System Acquisition Development and Maintenance?
