- A.14.2.4 Restrictions on changes to software packages
- Covered by the Change Management Policy
- A.14.2.7 Outsourced development
- Covered by the Supplier Security Policy"
Please note that according to ISO 27001, security controls can be demanded to treat relevant risks, to fulfill legal requirements (e.g., laws, regulations, contracts, etc.), or by management decision.
Considering that, you need to verify the results of the risk assessment, the applicable legal requirements, and your management objectives and strategies to decide which controls are applicable or not applicable.
For example, control A.14.2.9 System acceptance testing can be required for the acceptance of new information systems, upgrades, and new versions of the software provided by third parties.
This article will provide you with a further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Mar 04, 2022