How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC)
Information security is only as good as the processes related to it, yet we find many organizations concerned only about whether security features exist and are active in their information systems, and not how they are developed, implemented, maintained, and improved.
As a result, many information systems fail to protect information, not because of a lack of security features, but because poor development, implementation, maintenance, or improvement practices have led features to not work properly, or to be easily bypassed, causing damage against which businesses were counting on being protected.
This article will present how a structured development process (SDLC – System or Software Development Life Cycle), and ISO 27001 security controls for systems acquisition, development, and maintenance can together help increase the security of information systems development processes, benefiting not only information security, but organizations and those involved in development processes as well.
Why develop securely?
By implementing secure practices in internal development processes, or by demanding that suppliers implement them in their processes, not only is the information itself better protected, but organizations can achieve benefits like:
- reduced rework costs: security practices enforce more rigorous planning and scenario evaluation, leading to better defined systems requirements and more suitable solutions.
- reduced incident costs: better planned systems and security controls minimize the occurrence and impact of incidents.
- reduced maintenance downtime: security practices enforce more control over the development and implementation of changes, so less time is needed to perform them, and fewer problems arise.
- reduced liability: the adoption of secure practices is viewed as a due diligence effort to prevent the realization of risks, which can minimize penalties in legal actions.
As for development teams, benefits would be:
- increased requirements control: requirement changes must be evaluated and formalized before implementation.
- clear verification and validation criteria: requirements must be associated with measurable results to be achieved.
- better justifications for resources: clear results to be achieved help support demands for resources (e.g., competences, equipment, environments, etc.).
You should note that the degree by which secure development practices may be enforced must balance the need for security of the system and the productivity of the processes, or you may end up changing a security problem into a productiity problem in your development processes. A recommended tool to help find the right balance is the risk assessment table.
SDLC: System or Software Development Life Cycle?
The acronym SDLC can be attributed either to system or software when considering the development life cycle. In brief, SDLC covers the following structured processes:
- Planning: thinking about and organizing all activities required to develop the system or software
- Analysis: gaining a better understanding of what is expected from the system or software
- Design: defining the solution to be implemented
- Implementation: executing the activities required to create the system or software and make it available to users
- Operation: the effective use of the system or software
- Maintenance: making changes to the system or software to ensure it does not become obsolete
- Disposition: discarding the system or software
The fundamental difference regarding the term “System/Software” is that the system development life cycle comprises not only software, but also hardware, data, people, processes, procedures, facilities, and materials. ISO (International Organization for Standardization) has some standards covering both the system (ISO/IEC/IEEE 15288:2015 and ISO/IEC TR 90005:2008) and software (ISO/IEC 12207:2008 and ISO/IEC 90003:2014) approaches.
Applying ISO 27001 in the SDLC
ISO 27001 has a set of recommended security objectives and controls, described in Annex A.14 and detailed in ISO 27002 section 14, to ensure that information security is an integral part of the systems lifecycle, including the development lifecycle, while also covering the protection of data used for testing. By considering the following controls in SDLC processes, you can make them more robust, and with this, enhance the effectiveness of the developed information systems regarding information protection:
|ISO 27001 security controls||Rationale for application in a SDLC|
|A.14.2.5 – Secure system engineering principles
A.14.2.1 – Secure development policy
A.14.2.4 – Restrictions on changes to software packages
A.14.2.6 – Secure development environment
A.14.2.8 – System security testing
A.14.3.1 – Protection of test data
|Guidelines that drive the need for secure development according to perceived business risks. Here you can define general objectives and practices, and the levels of enforcement most suitable for your SDLC framework.|
|A.14.1.1 – Information security requirements analysis and specification
A.14.1.2 – Securing application services on public networks
A.14.1.3 – Protecting application services transactions
|These controls can be applied to ensure that system’s security requirements are considered during system or software analysis and design. Controls A.14.1.2 and A.14.1.3 provides specific situations from A.14.1.1.|
|A.14.2.2 – System change control procedures
A.14.2.3 – Technical review of applications after operating platform changes
A.14.2.9 – System acceptance testing
|These controls can be applied to ensure formal control of changes and that the desired results were achieved and no negative impact resulted from the changes.|
|A.14.2.7 – Outsourced development||This control can be applied to enforce secure development practices even by the organization’s suppliers.|
For more information about secure system engineering principles, see: What are secure engineering principles in ISO 27001:2013 control A.14.2.5?
The ISO 27001 series also has a set of standards to support security management concepts and help implement security controls specified to ISO 27002 regarding application security. These are the standards: ISO/IEC 27034-1:2011, ISO/IEC 27034-2:2015, and ISO/IEC 27034-6:2016.
Secure processes deliver secure results
As information systems grow in complexity and criticality, more vulnerability points appear, and all a wrongdoer, or careless user, needs to cause havoc on business operations is a single point (e.g., an exploitable code, a disabled security function, an ill-planned user demand, a forgotten patch, etc.), and traditional development practices are not able to keep up proper security levels.
By adopting SDLC together with A.14 controls from ISO 27001 to securely develop information systems, an organization can make sure it covers the most common threats and, by treating security as a process, be systematically and continuously working on maintaining security levels and keeping its information and systems away from harm, while reaping the benefits of improved processes.
To learn more about secure development of information systems according to ISO 27001, try our free online training ISO 27001:2013 Foundations Course.