System Acquisition, Dev and Maintenance

What is system acquisition, development and maintenance?

When creating systems for your information security management system (ISMS) you need to to focus on the life-cycle of your entire information system.  Your ISMS doesn’t just focus on your IT and your networks, it focuses across your whole systems.

It is important that this strategy is in place from the beginning. You need to take a broad approach across your systems.

That is from acquisition, through development and then into maintenance.

So you need to look across all your systems and check that information security is built into every step.

Mapping Your Life-Cycle

Map your entire life-cycle during the development of your systems, so you know what your systems are. 

Then check all the information security activities for each of the steps and upgrade or enhance what is in place. 

For example check through marketing, development, sales, implementation, support and financial systems for information security vulnerabilities.  

Some things you may want to check in the development processes include:

• Secure development policy
• System change control procedures
• Technical review of applications after operating platform changes
• Restrictions on changes to software packages
• Secure system engineering principles
• Secure development environment
• Outsourced development
• System security testing
• System acceptance testing

Learn More:

• ISO 27001 Information Security Management Standard - Clause A.14 System acquisition, development and maintenance
• What are the information Security Principles? 
• What is continuous Improvement?
• What are information security manuals?
• What is business Continuity?