Secure Engineering Principles (control A.14.2.5)
Answer:
Control A.14.2.5 relates to the design of information systems as a whole, which also includes software development. So you simply need to design security into all architecture layers: business, data, application and technology.
How can you design security during the development of software? With a Secure Development Policy, I mean, with rules that establish how to write secure code, so an auditor could look for this document (although it is not mandatory to have a document for this).
So, generally the auditor will look in your organization for the procedures or technical instructions that you use for information systems design. Some examples: Secure Development Policy, server hardening policy, database configuration policy, etc.
Regarding the Secure Development Policy, this template can be useful for you (you can see a free version by clicking on the “Free demo” tab): “Secure Development Policy” : https://advisera.com/27001academy/documentation/secure-development-policy/
By the way, for more information about the security controls, our online course can also be interesting for you: “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
Feb 29, 2016