Software Development Security

Guest user Created: Apr 04, 2020 Last commented: Apr 04, 2020

I need some clarification with regard to the A.14 domain.

1. Why does the ISO 27001 Documentation Toolkit from Advisera not have a template for “Secure Development Environment Guidelines”?

2. We are a medium-sized organization where we do limited development, particularly customization of COTS software (Web Content Management {CMS} and Student Information Management {SIMS}). In this case, how do we analyze which A.14 controls will be applicable to our organization?


Expert
Rhand Leal Apr 04, 2020

1. Why does the ISO 27001 Documentation Toolkit from Advisera not have a template for “Secure Development Environment Guidelines”?

Answer: Please note that ISO 27001 does not require a Secure Development Environment to be documented, and not many companies are asking for such a document, so we decided not to develop this template. You can document these guidelines as part of the Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.

If you have access to ISO 27002, you can find guidance there on how to secure the development environment. If you do not have access to this standard, I suggest this link for some insight: https://advisera.com/27001academy/blog/2018/04/24/how-to-use-open-web-application-security-project-owasp-for-iso-27001/

2. We are a medium-sized organization where we do limited development, particularly customization of COTS software (Web Content Management {CMS} and Student Information Management {SIMS}). In this case, how do we analyze which A.14 controls will be applicable to our organization?

Answer: The applicability of controls is defined by performing the risk assessment and risk treatment processes, and by the identification of any legal requirements (e.g., laws and contracts) applicable to your organization.

The templates for performing the risk assessment and risk treatment processes are located in folder 05 Risk Assessment and Risk Treatment, and the templates for performing the identification of legal requirements are located in folder 02 Identification of Requirements.

This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding risk assessment and risk treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
