Guest user Created: May 23, 2019 Last commented: May 23, 2019

Control applicability

We currently have not outsourced complete software development but there are some application we acquired from third parties (Those application are general not specially developed for us) but we request some new features and customization time to time, so the make necessary changes for us, in this case the control Outsourced development is applicable for us? I look forward to your advise on this.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal May 23, 2019

Answer:

First you have to identify if these new features and customization involves new/updated code or just parameterization of existing components/features (e.g., implementation of a new workflow, activation of a preexisting feature, etc.), and if the risks involved are unacceptable (so you have a justification to implement the control). In case it involves new/updated code the control A.14.2.7 (Outsourced Development) is applicable, otherwise, control A.12.1.2 (Change Management) would be more appropriated.

It is important to note that since these activities are performed by outsourced provider, the needed control must be a part of your con tract or service agreement with this provider.

These articles will provide you further explanation about security in suppliers relations:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

May 23, 2019

Expert Advice Community