Expert Advice Community

Guest

Control A.14.2.7

  Quote
Guest
Guest user Created:   May 05, 2020 Last commented:   May 13, 2020

Control A.14.2.7

We are in the process of implementing ISO 27001, the company doesn’t have external development so the A.14.2.7 control for outsourced development is not applicable, shall we consider all A. 14 controls are not applicable or only A.14.2.7 Your advice is highly appreciated
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 05, 2020

 All controls from section A.14 System acquisition, development, and maintenance would be "not applicable" only if you also do not have an internal development process.

In case your organization has internal development, you have to perform a risk assessment and evaluate legal requirements to verify if other controls from section A.14 are applicable or not.

Up to this point, since you don’t have external development, only control A.14.2.7 Outsourced development is not applicable to your organization.

This article will provide you a further explanation about software development:

Quote
0 1
Guest
Guest user May 07, 2020

Is A. 14.1.2 and A. 14.1.3 related to only payments applications?

Quote
0 1
Expert
Rhand Leal May 08, 2020

Controls A. 14.1.2 (Securing application services on public networks) and A. 14.1.3 (Protecting application services transactions) are applicable to all kinds of applications, not only payment applications.

For example, any application that is remotely (i.e., from outside organization's network) accessed can make use of control A.14.1.2. And for control A.14.1.3, by "transactions" it means any operation performed between systems, not financial ones.

Quote
0 1
Guest
Nirseen May 10, 2020

Please, I have another question, we don’t have any outsource development or online transactions so A. 14.1.2, A.14.1.3 and A.14.2.7 are not applicable.
Internally, we are using Sharepoint for storing documents only, sometimes we do some customization without using any code is this lead us to use the following controls: A14.1.1, A.14.2.1, A.14.2.2, A.14.2.2, A.14.2.3, A.14.2.4, A14.2.5, A.14.2.6, A.14.2.8, A.14.2.9 and A14.3.1
?
Appreciate your advice

Quote
0 0
Expert
Rhand Leal May 13, 2020

I'm assuming that by "customization without using any code" you mean parameterization of available options or setting up workflows.

Considering that, please note that controls from section A.14 cover not only system development, but also acquisition and maintenance, and "customization without using any code" can be understood as security in the support process, so the controls you mentioned may be applicable if you have relevant risks that can be treated by them, or legal requirements (e.g., laws, regulations or contracts), demanding the implementation of such controls.

For example, requests for configuration of a new parameter may need to be formally defined, and after that its implementation must be planned and test to be sure it won't have a negative impact on the current implementation.

This article will provide you a further explanation about selecting controls:

These materials will also help you regarding selecting controls:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 05, 2020

May 13, 2020

Suggested Topics

Guest user Created:   May 23, 2019 ISO 27001 & 22301
Replies: 1
0 0

Control applicability

Guest user Created:   Mar 04, 2022 ISO 27001 & 22301
Replies: 1
0 0

Annex A