Secure development

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016.

AntonioS Jan 12, 2016

1. A.14.2.1 Secure development policy: is this control still applicable for an organization that fully outsources its development process?
2. A.14.2.2: does this control apply only during the development process (i.e. coding, bug fixing), or does it include changes when the system is put into operation (i.e. new requirements, enhancements)? How does it differ from A.12.1.2? Is operating system patching/updating part of A.14.2.2 or A.12.1.2?
3. A.14.2.5: is this only applicable for in-house development? Is this applicable when analyzing system requirements and system design?
 

Answer:

Point 1:

Yes, you can apply this control, but in this case you need to request a secure development policy from the external company.

Point 2: 

You can consider this control for the development process and also for changes in systems when you put them into operation. The control A.12.1.2 is more general (for all changes related to information security: organization, business processes, information processing facilities, etc.), and the control A.14.2.2 is specifically related to changes to systems within the development lifecycle. I think that operating system patching/updating is more related to the control A.14.2.2.

Point 3:

Yes, but here you can also demand secure system engineering principles from an external company, and yes, you can apply this control when analyzing system requirements and system design.