Good morning, I am preparing my security requirements documents for software development, but I saw the template and a question came up.
I am preparing a software development procedure where I add OWASP for programming and its activities, but I see that this is a policy template and not a procedure. My question is: even if I acquire the policy, would I still have to develop the procedure, or is this policy sufficient for the certification audit?
https://advisera.com/27001academy/es/documentation/politica-de-desarrollo-seguro/
Thanks
Please note section 3.3 Secure engineering principles of the Secure Development Policy states that specific procedures for systems development and maintenance will be written, so in addition to the policy you need to develop the procedure.
The policy was developed this way because including the information about systems development and maintenance in it would make the policy unnecessarily complex.
For further information, see:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
Nov 17, 2020