The purpose of this article is to explain ISO 27001 Annex: A.14.2.3 Technical Review of Applications after Operating Platform Changes, A.14.2.4 Restrictions on Changes to Software Packages & A.14.2.5 Secure System Engineering Principles.
A.14.2.3 Technical Review of Applications after Operating Platform Changes
Control – When operating platforms are changed, business-critical applications must be reviewed and tested to ensure there is no adverse impact on the organization's operations or security.
During the process, the following points should be addressed:
– Review the application control and integrity procedures to determine whether the operating system changes have compromised either;
– Coordinate notification of operating system changes so that appropriate testing and review can take place before implementation;
– Ensure that the business continuity plans are updated appropriately.
Other Information – Operating platforms include operating systems, database software, and middleware. Changes to APIs should also be tracked.
A.14.2.4 Restrictions on Changes to Software Packages
Control – Modifications to software packages should be discouraged, limited to necessary changes, and strictly controlled.
Implementation Guidance – As far as possible and practical, vendor-supplied software packages should be used without modification.
If a software package needs to be modified, the following points need to be taken into account:
– The risk of compromising built-in controls and integrity processes;
– Whether the vendor has given consent to the modification;
– Whether the required changes can instead be obtained from the vendor as part of scheduled system updates;
– The impact if the organization becomes responsible for future maintenance of the modified software;
– Compatibility with other software in use.
If modifications are necessary, the original software should be retained and the modifications applied to a clearly identified copy. A software update management process should be implemented to ensure that all authorized software is kept current with the latest approved patches and application updates. All changes should be documented and tested so that they can be reapplied to future software updates if needed. If necessary, the modifications should be reviewed and validated by an independent evaluation body.
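As an added example that is not part of the standard or of this article, the following Python check implements the "retain the original, modify a copy, review every change" guidance: it hashes the untouched vendor package and the modified working copy, lists every difference, and flags any change that has no approved change record. All file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def review_modifications(vendor: dict[str, str], deployed: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the pristine vendor package and the deployed copy."""
    return {
        "modified": sorted(f for f in vendor if f in deployed and vendor[f] != deployed[f]),
        "added": sorted(f for f in deployed if f not in vendor),
        "removed": sorted(f for f in vendor if f not in deployed),
    }


def unreported_changes(review: dict[str, list[str]], approved: set[str]) -> list[str]:
    """Return changed files that lack an approved change record (undocumented modifications)."""
    changed = set(review["modified"]) | set(review["added"]) | set(review["removed"])
    return sorted(changed - approved)


def demo() -> tuple[dict[str, list[str]], list[str]]:
    # Constructed sample package: the vendor original and a locally modified working copy.
    with tempfile.TemporaryDirectory() as tmp:
        vendor_dir, copy_dir = Path(tmp) / "vendor", Path(tmp) / "copy"
        for d in (vendor_dir, copy_dir):
            (d / "lib").mkdir(parents=True)
            (d / "lib" / "core.so").write_bytes(b"\x7fELF-vendor-core")
            (d / "config.ini").write_text("debug=false\n")
        # Approved local changes: a config tweak and a site hook. Unreported: a patched library.
        (copy_dir / "config.ini").write_text("debug=false\nsite=example\n")
        (copy_dir / "local_hook.py").write_text("# site-specific hook\n")
        (copy_dir / "lib" / "core.so").write_bytes(b"\x7fELF-locally-patched")
        review = review_modifications(build_manifest(vendor_dir), build_manifest(copy_dir))
        return review, unreported_changes(review, {"config.ini", "local_hook.py"})


if __name__ == "__main__":
    print(demo())
```

The same manifest comparison can be re-run after each vendor update to confirm which local modifications still need to be reapplied.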
A.14.2.5 Secure System Engineering Principles
Control – Principles for engineering secure systems must be established, documented, maintained, and applied to any project that implements an information system.
Implementation Guidance – Secure information system engineering procedures based on security engineering principles should be defined, documented, and applied to the organization's in-house engineering activities. Security should be designed into every architecture layer (business, data, applications, and technology), balancing the need for information security against the need for accessibility. New technology should be analyzed for security risks, and designs should be reviewed against known attack patterns.
To ensure that these principles and the established engineering procedures contribute effectively to improved security, they should be reviewed periodically and updated as needed to keep pace with changes in technology and to remain applicable to new threats.
The established security engineering principles should also be applied, where applicable, to outsourced information systems through the contracts and other binding agreements between the organization and its suppliers. Suppliers must adhere to the same rigorous security engineering standards as the organization itself.
Other Information – Secure engineering techniques should be applied when developing applications that have input/output interfaces. Such techniques provide guidance on, for example, preventing unauthorized access to accounts, controlling secure access to accounts, validating and sanitizing data, and removing debugging code from systems before deployment.