Awareness and training for secure software development
I have a question about the appendix of the policy for safe development - the specification of safety requirements. I try to add the appendix into the risk treatment plan. What is the measure for awareness and what is the method for evaluating results? Who will have access to the document?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
If I understood correctly, you are trying to treat a risk by using the "specification of information system requirements" appendix of the Secure development policy, and this is not a proper approach.
The risk treatment plan must be related to the Secure development policy. The specification of information system requirements is an evidence that the policy is being followed.
Regarding awareness and training, for secure development you should consider, for example, courses or trainings about software development, using as evaluation results the approval on exams related to these acitivities.
People who should have access to these results would be HR personnel and the employee immediate manager.
Hey Rhand, I think I explained it in a bad way and we talked past each other.
The "specification of safety requirements" (the appendix of the policy for safe development ) is the only implemetation method of control A.14.1.1. Cause of that I would like to add the document "specification of safety requirements" to the risk treatment plan (to show the auditor that we have execute these activity in order to achieve the objective(s) of the ISMS). In connection with this activity I was asking what I could add for the column "Awareness Action / Measure" and "Method for the evaluation of results".
Hi, Christin. Please note that considering your scenario, an example of filling out the risk treatment plan columns you mentioned would be:
- Description of activities: Development of specification of safety requirements
- Training and awareness programs: Course about risk assessment, system Functional Specification, controls for Software security (these are the competencies required to fill in the specification of safety requirements)
- Method for evaluation of results: number of changes on specification of safety requirements considering failures on validation and acceptance testing (i.e., the less security failures in validation testes, and the less refusal of customers on delivered systems, the better are the specifications).
Comment as guest or Sign in
Oct 23, 2019