Expert Advice Community

Secure Development Life Cycle

Guest
Guest user Created:   Jun 09, 2021 Last commented:   Jun 09, 2021

Another question. I think we know the answer, but just want to double-check.

Q2 – We produce hardware and software that we sell to our customers. The software is based on licences.

2.1 - Do the ISO controls apply in any way to these products? I think not: once they are acquired by the customer, the responsibility in terms of ISO 27001 falls under them. Am I right?

2.2 - Does the ISO indicate controls for SDLC (Secure Development Life Cycle)? And for hardware?

2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc.), how does this affect us in terms of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems, then this data becomes our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect these logs/records/info?

Expert
Rhand Leal Jun 09, 2021

Another question. I think we know the answer, but just want to double-check.

Q2 – We produce hardware and software that we sell to our customers. The software is based on licences.

2.1 - Do the ISO controls apply in any way to these products? I think not: once they are acquired by the customer, the responsibility in terms of ISO 27001 falls under them. Am I right?

You are partially correct. While ISO 27001 does not apply to products or services, it can be applied to a product lifecycle process, which may cover support for sold products and the release of updates to fix identified security breaches. For example, the regular security updates for smartphones released by their manufacturers.

2.2 - Does the ISO indicate controls for SDLC (Secure Development Life Cycle)? And for hardware?

ISO 27001 does not explicitly specify controls for SDLC, but by the nature of the controls from section A.14 (System acquisition, development, and maintenance), these can be applicable to SDLC.

As for hardware, please note that the SDLC concept applies to both hardware and software, and the controls from section A.14 of ISO 27001 Annex A refer to systems, which are composed of both hardware and software elements.

For further information, see:

2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc.), how does this affect us in terms of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems, then this data becomes our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect these logs/records/info?

In case your support service process is included in your ISMS scope, then you need to go through all ISO 27001 requirements. Whether you collect data or not will only make a difference regarding which risks your process will be exposed to and the applicable controls (i.e., by intervening and collecting data, you will be in a more complex and riskier situation).

As for which controls to consider regarding logs/records/info, this will depend on the results of the risk assessment and applicable legal requirements.

For further information, see:
