Annex A.14.2 controls
I have a question that I cannot get a clear answer to. I hope that you can help.
My customer develops a software product for its customers. They do not, however, carry out any software development for themselves. All of the systems that they use in-house are commercial-off-the-shelf packages like Office365, Slack, PeopleHR, and Xero (all of which are SaaS applications). They do not customise the code at all.
We are trying to establish whether or not they need to apply the Annex A.14.2 controls as these are aimed at "developments within the organisation".
Do you have any thoughts on this?
Please note that Annex A.14.2 controls are not aimed at "developments within the organization" but at "the development lifecycle of information systems", which can be performed either in-house or outsourced.
Considering that, to establish whether or not the controls of this section are applicable, you need to perform a risk assessment to identify if there are relevant risks that demand the implementation of such controls. From your question, I'm assuming the software development is outsourced, and if such controls need to be implemented, you should handle this by means of the controls of section A.15 supplier relationships, through the establishment of contracts or terms of service to ensure such controls are implemented.
These articles will provide you with a further explanation about risk assessment and supplier management:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
In 27002, the control for a Secure development policy 14.2.1 refers to
Rules for the development of software and systems should be established and applied to developments within the organisation
Two questions:
When we talk about developments within the organisation are we talking solely about development of software for use within the organisation, or does this include development of commercial software as a product to be sold to customers?
Secondly, does the word development include the configuration (no coding or customisation) of commercial software packages such as Microsoft Dynamics CRM, or Xero accounting.
So, if development of commercial software is not covered by A.14.2, and if configuration of commercial software is not counted as development, I assume we can safely remove A.14.2 from the SOA.
When we talk about developments within the organisation are we talking solely about development of software for use within the organisation, or does this include development of commercial software as a product to be sold to customers?
Please note that the term "developments within the organization" refers to the development process, not to the final users, so it is applicable both for when developed software is for internal use or is to be sold to customers.
Secondly, does the word development include the configuration (no coding or customisation) of commercial software packages such as Microsoft Dynamics CRM, or Xero accounting.
The configuration is an action related to installation, not development.
Considering both previous answers, control A.14.2 would be applicable if the mentioned development process covers commercial software.
Sep 28, 2020