Expert Advice Community


Cloud computing: ISMS compatible with software development process

Guest user, created: Jan 12, 2016, last commented: Jan 12, 2016


Do you have an ISO/IEC 27017 (Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services) template for the standard? I urgently need a similar document. Thanks

AntonioS Jan 12, 2016

No, sorry, this is not our business. We have all the necessary templates for the implementation of ISO 27001 (and other standards like ISO 22301, ISO 20000, etc.), but we do not sell the documents of the standards themselves, because they are developed by ISO.org and you can buy them directly on its official site.

Anyway, if you are thinking of implementing ISO 27001, this article may be of interest to you: "ISO 27001 implementation checklist": https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

 

Question 1: In a project Terms of Reference we have been asked to prepare a report to prove that the newly established or updated software development process (analysis, design, development, testing and maintenance) is ISO 27001:2013 compatible. This is for an MIS system. Is this possible? My understanding is that ISO 27001 refers to an ISMS, not to just any software development. Have I misunderstood?

Question 2: Also, the report has to be signed by a competent ISO 27001 specialist, but I don't know if such a specialist would be willing to sign a report for something that has not yet been developed.

 

Answers:

Answer 1: You are right, ISO 27001 establishes requirements for an Information Security Management System, and it is compatible with a software development process. So much so that you can find in Annex A of the standard security controls like A.14.2.1 Secure development policy, A.14.2.2 System change control procedures, A.14.2.3 Technical review of applications after operating platform changes, etc. Anyway, the report that you mean can be developed only if you have implemented ISO 27001 in your organization; if not, the report will be empty.

Answer 2: Yes, you need an internal auditor qualified in ISO 27001, but in this case, if the software is not developed, it is hard to prove that the security controls are in place, and that is very important if you want to show that you have implemented ISO 27001 in your organization.
