Secure System Engineering Principles

For ISO 27001, secure engineering principles are the high-level rules defined to apply security in software development (e.g., Assure information protection in processing, transit, and storage). This standard defines the control A.14.2.5 Secure system engineering principles to be implemented if you have relevant risks or legal requirements to justify its implementation.

Regarding the required documentation level, ISO 27001 does not prescribe any documentation level, so organizations are free to use the document level that best suits their needs. For example, you can define security principles as statements in a policy (e.g., security must be considered in business, data, application, and technological layers, security must balance protection and accessibility needs, etc. ), or you can provide them as detailed engineering procedures on how they must be implemented.

To see an example of a document that covers this control in a policy, I suggest you take a look at the free demo of this template: https://advisera.com/27001academy/documentation/secure-development-policy/

These articles will provide you a further explanation about secure engineering principles:

• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
• What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/