Part 33 - A14 System acquisition, development and maintenance
This clause of Annex A of ISO 27001 provides a really important strategy for your ISO information security management system. That strategy is that you need to focus on the lifecycle of the entire information security system.
ISO 27001 doesn't just focus on IT and networks; it focuses across the whole system. It is important that this strategy is in place from the beginning. You need to take a broad approach across your systems.
The clause is broken into 3 sub-clauses.
A.14.1 Security requirements of information systems
The objective of this clause is to ensure that information security is an integral part of your information systems across their entire lifecycle, including services provided over public networks.
So you need to look across all your systems and check that information security is built into every step.
Here at Mango we had already mapped our entire lifecycle during the development of our ISO 9001 system, so we knew what our systems were. We then just checked all the information security activities for each of the steps and upgraded or enhanced what we had in place.
We checked through our marketing, development, sales, implementation, support and financial systems for information security vulnerabilities. We updated our documented procedures and added more steps just to ensure we were providing prevention activities.
A.14.2 Security in development and support processes
The objective of the second clause is to ensure that information security is designed and implemented into the development lifecycle of your information systems.
Your organisation designs and develops systems all the time. It’s what you do day-in-day-out. So this clause will take some time to figure out for your business.
For Mango, we not only design and develop our own systems, we also design and develop our product Mango. Every. Single. Day. So this clause had a major impact on us.
The development department was enhanced significantly. We introduced systems from requirements capture all the way through to support.
So I suggest you map your processes from the start of development right through to release. Then check for the security areas that need to be enhanced.
The standard lists the areas you need to cover; they include:
- Secure development policy
- System change control procedures
- Technical review of applications after operating platform changes
- Restrictions on changes to software packages
- Secure system engineering principles
- Secure development environment
- Outsourced development
- System security testing
- System acceptance testing
A.14.3 Test Data
The third and final clause has the objective of ensuring that you protect the data used for testing.
Here at Mango we capture all our testing in test reports. These reports are securely stored but at the same time easily recoverable.
Takeaways
- Map your processes from start to finish.
- Look across all your systems and check that information security is built into every step.
- Check all the areas against the checklist provided in A.14.2.
- Store your test data securely.