ISO 27001 doubt on applicability of controls
My doubt is related to the controls to be implemented regarding software development, i.e., controls 8.25, 8.26, 8.27, 8.28 and 8.29.
I understand that if there is any type of internal software development the controls must be applied.
However, if a company has installed any software/platform that is open source, it means that it is allowed to make changes, or changes can be made, even, for instance, to solutions that IT systems administrators use to manage IT infrastructure.
In this case, must any of the mentioned controls be applied, meaning that they cannot be excluded?
Please note that the mentioned controls:
- 8.25 Secure development life cycle
- 8.26 Application security requirements
- 8.27 Secure system architecture and engineering principles
- 8.28 Secure coding
- 8.29 Security testing in development and acceptance
are intended to protect the development of any software, not just in-house software, so if your company intends to make changes to an open-source software/platform and there are relevant risks or applicable legal requirements (e.g., laws, regulations, or contracts) that justify implementing such controls, then you need to implement them.
Only if you do not have relevant risks or applicable legal requirements, or you have open-source software to which you do not make any changes, do you not need to implement these controls.
For further information, see:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/blog/2017/01/24/how-to-integrate-iso-27001-a-14-controls-into-the-system-software-development-life-cycle-sdlc/
May 22, 2023