I am implementing ISO 27001:2013 for one company. They do not develop any software, but they use out-of-the-box software for internal usage. Otherwise they have a typical IT network (switches, routers, email etc.).
Are the below-mentioned controls applicable?
A. 14.2.5 Secure System Engineering Principles
A. 14.2.6 Secure Development Environment
A. 14.2.8 System Security Testing
A. 14.2.9 System Acceptance Testing
A. 14.3.1 Protection of Test Data
A. 10.1.1 Policy on the use of Cryptographic Control
Answer:
The decision about whether these controls apply needs to be made after the risk assessment & treatment. So, if there are no risks related to the development of software, or to cryptographic controls, you don't need to apply them.
Finally, these articles can be interesting for you:
"ISO 27001 risk assessment & treatment: 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
"The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Jan 13, 2016