What kind of documents are required to satisfy this clause? We have principles in place, but I'm unsure of documentation needed.
ISO 27001 does not specify how to document secure system engineering principles, so organizations are free to document them as best fit their needs.

To see a document covering secure system engineering principles compliant with ISO 27001, please see this demo template: https://advisera.com/27001academy/documentation/secure-development-policy/

In its section 3.3 Secure engineering principles you can document the principles you have in place (e.g., adoption of user authentication techniques, secure session control, data validation, etc.), or refer to the documents where they are explained (e.g., documents about guidance on secure programming techniques).
These articles will provide you with further explanation:
- What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
Aug 10, 2022