ISO 27001 Annex: A.14.2.6 Secure Development Environment, A.14.2.7 Outsourced Development, A.14.2.8 System Security Testing & A.14.2.9 System Acceptance Testing

This article explains ISO 27001 Annex: A.14.2.6 Secure Development Environment, A.14.2.7 Outsourced Development, A.14.2.8 System Security Testing & A.14.2.9 System Acceptance Testing.

A.14.2.6 Secure Development Environment

Control

ISO 27001 Annex: A.14.2.6 Secure Development Environment in organizations aims for a secure development environment and integration efforts throughout the development process, and they should be adequately protected.

Implementation Guidance

In the process of integrating and developing systems, secure development environments include people, processes, and technology.

For specific system development efforts, organizations need to evaluate the risks associated with system development efforts and set up secure development environments that take into account the following:

1. Sensibility of data processing, data storage, and data transmission through the system;
2. The laws and policies that apply, for example, the rules or guidelines of the organization;
3. Pre-existing security controls in place within the organization approving the system’s development;
4. Trustworthiness of personnel working in the environment;
5. The degree to which the system production was outsourced;
6. The necessity of segregating the different environments for development;
7. Control of access to the environment for development;
8. Keeping track of environmental changes as well as code contained within them;
9. Backups are stored in secure offsite locations;
10. The environment is controlled in terms of data transfer.

An organization will record and provide the corresponding processes in secure development processes after establishing the level of security for a specific development context.

A.14.2.7 Outsourced Development

Control

The organization must monitor and track all activities concerning the outsourced system integration.

Implementation Guidance

When system development is outsourced, the following points should be considered across the entire external supply chain of the organisation:

1. Outsourcing content licensing, intellectual property, and code ownership;
2. Securing design, coding, and test requirements; also the contractual requirements;
3. Providing the approved threat model to the external developer;
4. Approval of deliverables based on quality and accuracy;
5. Document that security and privacy criteria were used when determining minimum standards;
6.Demonstrate adequate testing to prevent both malicious intent and unintentionally malicious content from being delivered;
7. Show that appropriate research was conducted to protect against known vulnerabilities and in collecting data;
8. When the source code of a file is not available anymore, escrow schemes are used
9. The right to inspect development processes and controls;
10. Documentation of an efficient development environment for developing deliverables;
11. Organizers are responsible for complying with applicable laws as well as ensuring effectiveness.

Other Information

The ISO / IEC 27036 provides additional information on provider relations.

A.14.2.8 System Security Testing

Control

Testing security functionality should be conducted during development.

Implementation Guidance

In developing processes for new or updated systems, thorough testing is necessary, which should include developing detailed business schedules, testing inputs, and analyzing outputs under a variety of circumstances. The development team is initially responsible for carrying out such tests. There will then be appraisals of specific approvals (relevant to both internal and external development) to ensure that the system is performing according to expectations. The scope of research should be proportionate to the importance and complexity of the program.

A.14.2.9 System Acceptance Testing

Control

All new information systems, enhanced versions, and re-releases should be tested for acceptance and include the proper requirements.

Implementation Guidance

As part of the system acceptance testing, secure data must be tested and compliance with safe system development practices should be verified. It is also important to test the components and integrated systems that have been received. Companies can use automated tools.

Verification should be undertaken of code analysis tools, vulnerability scanners, and security-related defect-rectification techniques.

Tests must be performed in a realistic environment to make sure the system is not vulnerable and that its reliability can be relied upon.

Related Questions

1. What is the ISO27001 implementation process?
2. For physical security, which of the following ISO standards has been developed?
3. How many controls are included in ISO 27001?
4. What does information processing facilities mean??
5. Describe ISO 27001 Annex: A.14.2.6 Secure Development Environment?