
Secure system engineering principles

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016


Dear Dejan,

could you please tell me what document or action I should prepare for the Secure system engineering principles (clause A.14.2.5)?

Thanks in advance

Gökhan
Guest post Jan 12, 2016

Gokhan - said

Dear Dejan,

could you please tell me what document or action I should prepare for the Secure system engineering principles (clause A.14.2.5)?

Thanks in advance

Gökhan

Is this about software development?

DejanK Jan 12, 2016

In the control A.14.2.5 you can incorporate security techniques in all architectural layers - business, data, applications and technology.

Basically, you can create a Secure development policy where you should describe what your internal standards are - of course, you have to write those standards based on the IT systems you are using.

Guest post Jan 12, 2016

Thank you Dejan.

But the company doesn't develop any software. In this case, should I write anything?

DejanK Jan 12, 2016

If you are not involved in any kind of implementation of information systems, and if you have no associated risks, then you can define this control as non applicable in the Statement of Applicability. In such a way, you don't have to apply this control at all.

Guest post Jan 12, 2016

Hi

In our company, the main business is software development and information systems. We defined a secure software development policy, and we decided to write a Secure system engineering principles policy.

Could you please tell me what document or action I should do for the Secure system engineering principles, and how to do this?

Thanks

DejanK Jan 12, 2016

You'll find an explanation on how to document secure engineering principles in this thread: https://community.advisera.com/topic/how-to-document-system-secure-engineering-principles/

Guest post Jan 12, 2016

Hi Dejan,

As I understand it, this policy will be applied to some of our internal website tools that we developed ourselves and use for internal purposes only. How about systems that we do not develop but purchase and implement, such as Exchange server, Antivirus server, File server, etc.? Should we apply this policy?

Thank you,

Zack.

DejanK Jan 12, 2016

For the out-of-the-box systems/services/software you do not need the Secure system engineering principles policy since you are not developing them on your own.

Guest post Jan 12, 2016

Thanks, Dejan, for your reply. One more quick question: how about applications that are not in-house? We're testing and developing an application for our client; should we apply this policy too?

DejanK Jan 12, 2016

If this application that you're testing (together with its data) is within the scope of your ISMS, then yes - you should apply the Secure system engineering principles policy on this application.

See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
