Awareness and training for secure software development

Guest user Created:   Oct 22, 2019 Last commented:   Oct 23, 2019

I have a question about the appendix of the policy for safe development - the specification of safety requirements. I am trying to add the appendix to the risk treatment plan. What is the measure for awareness, and what is the method for evaluating results? Who will have access to the document?


Expert
Rhand Leal Oct 22, 2019

If I understood correctly, you are trying to treat a risk by using the "specification of information system requirements" appendix of the Secure development policy, and this is not a proper approach.

The risk treatment plan must be related to the Secure development policy. The specification of information system requirements is evidence that the policy is being followed.

Regarding awareness and training, for secure development you should consider, for example, courses or training sessions about software development, using as evaluation results the approval on exams related to these activities.

People who should have access to these results would be HR personnel and the employee's immediate manager.

Christin Schulze Oct 22, 2019

Hey Rhand, I think I explained it in a bad way and we talked past each other.
The "specification of safety requirements" (the appendix of the policy for safe development) is the only implementation method of control A.14.1.1. Because of that, I would like to add the document "specification of safety requirements" to the risk treatment plan (to show the auditor that we have executed this activity in order to achieve the objective(s) of the ISMS). In connection with this activity, I was asking what I could add for the columns "Awareness Action / Measure" and "Method for the evaluation of results".

Expert
Rhand Leal Oct 23, 2019

Hi, Christin. Please note that considering your scenario, an example of filling out the risk treatment plan columns you mentioned would be:

  • Description of activities: Development of specification of safety requirements
  • Training and awareness programs: Course about risk assessment, system functional specification, controls for software security (these are the competencies required to fill in the specification of safety requirements)
  • Method for evaluation of results: number of changes on specification of safety requirements considering failures on validation and acceptance testing (i.e., the fewer security failures in validation tests, and the fewer refusals of customers on delivered systems, the better the specifications).