Expert Advice Community

Annex A.14.2 controls

Guest user Created: Sep 22, 2020 Last commented: Sep 28, 2020

I have a question that I cannot get a clear answer to.  I hope that you can help.

My customer develops a software product for its customers. They do not, however, carry out any software development for themselves. All of the systems that they use in-house are commercial-off-the-shelf packages like Office365, Slack, PeopleHR, and Xero (all of which are SaaS applications). They do not customise the code at all.

We are trying to establish whether or not they need to apply the Annex A.14.2 controls as these are aimed at "developments within the organisation".

Do you have any thoughts on this?


Expert
Rhand Leal Sep 22, 2020

Please note that Annex A.14.2 controls are not aimed at "developments within the organization", but at "the development lifecycle of information systems", which can be performed either in-house or outsourced.

Considering that, to establish whether controls of this section are applicable or not, you need to perform a risk assessment to identify whether there are relevant risks that demand the implementation of such controls. From your question, I'm assuming the software development is outsourced, and if such controls need to be implemented, you should handle this by means of controls of section A.15 (supplier relationships), by establishing contracts or terms of service to ensure such controls are implemented.

These articles will provide you with a further explanation about risk assessment and supplier management:

SteveR Sep 25, 2020

In 27002, the control for a Secure development policy (14.2.1) refers to:

"Rules for the development of software and systems should be established and applied to developments within the organisation."

Two questions: 

When we talk about developments within the organisation are we talking solely about development of software for use within the organisation, or does this include development of commercial software as a product to be sold to customers?

Secondly, does the word "development" include the configuration (no coding or customisation) of commercial software packages such as Microsoft Dynamics CRM or Xero accounting?

So, if development of commercial software is not covered by A.14.2, and if configuration of commercial software is not counted as development, I assume we can safely remove A.14.2 from the SOA.

Expert
Rhand Leal Sep 28, 2020

When we talk about developments within the organisation are we talking solely about development of software for use within the organisation, or does this include development of commercial software as a product to be sold to customers?

Please note that the term "developments within the organization" refers to the development process, not to the final users, so it is applicable both when the developed software is for internal use and when it is to be sold to customers.

Secondly, does the word "development" include the configuration (no coding or customisation) of commercial software packages such as Microsoft Dynamics CRM or Xero accounting?

The configuration is an action related to installation, not development.

Considering both previous answers, control A.14.2 would be applicable if the mentioned development process covers commercial software.
