Secure system engineering principles
Gokhan - said
Dear Dejan,
Could you please tell me what document or action I should prepare for the Secure system engineering principles (clause A.14.2.5)?
Thanks in advance
Gökhan
Is this about software development?
In control A.14.2.5 you can incorporate security techniques in all architectural layers - business, data, applications and technology.
Basically, you can create a Secure development policy in which you describe what your internal standards are - of course, you have to write those standards based on the IT systems you are using.
Thank you Dejan.
But the company doesn't develop any software. In this case, should I write anything?
If you are not involved in any kind of implementation of information systems, and if you have no associated risks, then you can define this control as not applicable in the Statement of Applicability. In that way, you don't have to apply this control at all.
Hi
In our company the main business is software development and information systems. We have defined a secure software development policy, and we have decided to write a Secure system engineering principles policy.
Could you please tell me what document or action I should prepare for the Secure system engineering principles, and how to do this?
Thanks
You'll find an explanation on how to document secure engineering principles in this thread: https://community.advisera.com/topic/how-to-document-system-secure-engineering-principles/
Hi Dejan,
As I understand it, this policy will be applied to some of our internal website tools, which we developed ourselves and use for internal purposes only. What about systems that we do not develop but purchase and implement, such as Exchange server, antivirus server, file server, etc.? Should we apply this policy to them?
Thank you,
Zack.
For out-of-the-box systems/services/software you do not need the Secure system engineering principles policy, since you are not developing them yourself.
Thank you, Dejan, for your reply. One more quick question: what about applications that are not in-house? We're testing and developing an application for our client; should we apply this policy too?
If the application that you're testing (together with its data) is within the scope of your ISMS, then yes - you should apply the Secure system engineering principles policy to this application.
See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Jan 12, 2016