Control implementation
We have passed stage 1 of ISO 27001; one of the minor findings was that we should have secure system engineering principles, as we develop software.
I checked your ISO 27001 documentation, and there is no Secure System Engineering policy and procedure. Could you provide some guidance on what should be written?
Please note that control A.14.2.5 "Secure system engineering principles" is covered in the Secure Development Policy template, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.
These articles will provide you with further explanation of secure engineering principles and the software development life cycle:
- What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
These sites can also provide further information:
- https://www.owasp.org/index.php/Security_by_Design_Principles
Oct 21, 2019