Query on Annex A Controls - ISO27001
The company I work for is working towards attaining ISO27001 certification this year and I am part of the project team embarking on this.
I am working through Risk Management at the moment. Having completed Risk Identification & Assessment, I am now looking at treatment.
I am specifically looking at the Application & Databases Information Assets. I note the risk of Inadequate Maintenance, however, I cannot find a control specific to Software/Application Maintenance.
My thought train is towards version releases, upgrades, database maintenance plans, data checks, etc. The nearest controls I have noted are:
- A.11.2.4 Equipment Maintenance
- A.12.5.1 Installation of Software on Operational Systems
- A.14.1.1 Information Security Requirements Analysis and Specification
- A.13.1.2 Security of Network Services
Is there a specific one for Software Maintenance?
Appreciate some direction
Software maintenance is basically covered by controls from section A.14 System acquisition, development, and maintenance (there is no single control specific for this purpose).
Control A.14.1.1 ensures that maintenance is done in order to reach some requirements set to protect information.
The other controls you mentioned are more related to the security of information systems implementation and daily operations.
These articles will provide you with further explanation about the software development life cycle:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
Jun 02, 2020