Part 33 - A14 System acquisition, development and maintenance
This clause of Annex A of ISO 27001 sets out a really important strategy for your ISO 27001 information security management system: you need to address information security across the entire lifecycle of your information systems, not just at one point in it.
ISO 27001 does not focus only on IT and networks; it covers the whole system, and the business processes that use it. It is important that this strategy is in place from the beginning, so take a broad approach across all of your systems.
The clause is broken into 3 sub-clauses.
A.14.1 Security requirements of information systems
The objective of this sub-clause is to ensure that information security is an integral part of your information systems across their entire lifecycle. This also includes the requirements for information systems that provide services over public networks.
So you need to look across all your systems and check that information security is built into every step, from requirements through to retirement.
Here at Mango we had already mapped our entire lifecycle during the development of our ISO 9001 system, so we knew what our systems were. We then just checked all the information security activities for each of the steps and upgraded or enhanced what we had in place.
We checked through our marketing, development, sales, implementation, support and financial systems for information security vulnerabilities. We updated our documented procedures and added more steps to ensure we were providing preventive controls, not just reacting to incidents.
A.14.2 Security in development and support processes
The objective of the second sub-clause is to ensure that information security is designed and implemented within the development lifecycle of your information systems.
Your organisation designs and develops systems all the time. It's what you do day in, day out. So this sub-clause will take some time to work through for your business.
For Mango, we not only design and develop our own systems, we also design and develop our product Mango. Every. Single. Day. So this clause had a major impact on us.
The development department was enhanced significantly. We introduced controls from requirements capture all the way through to support.
So I suggest you map your processes from the start of development right through to release and ongoing support. Then check for the security areas that need to be enhanced.
The standard gives you the areas you need to cover. They are the nine controls of A.14.2:
- Secure development policy
- System change control procedures
- Technical review of applications after operating platform changes
- Restrictions on changes to software packages
- Secure system engineering principles
- Secure development environment
- Outsourced development
- System security testing
- System acceptance testing
A.14.3 Test data
The third and final sub-clause has the objective of ensuring the protection of data used for testing. The data in question is the test data itself, which should be selected carefully, protected and controlled. In particular, be wary of copying operational data containing personal or other sensitive information into test environments; if you must, protect it to the same level as in production (or anonymise it) and remove it once testing is complete.
Here at Mango we capture all our testing in test reports. These reports are securely stored but at the same time easily recoverable.
In summary:
- Map your processes from start to finish.
- Look across all your systems and check that information security is built into every step.
- Check all the areas against the list of controls provided in A.14.2.
- Select, protect and control your test data, and store it securely.
View previous blogs in this series "ISO 27001 Information Security Management Standard":