How to integrate ISO 27001 controls into the system/software development life cycle (SDLC)

Updated: March 27, 2023, according to the ISO 27001 2022 revision.

Information security is only as good as the processes related to it, yet we find many organizations concerned only about whether security features exist and are active in their information systems, and not how they are developed, implemented, maintained, and improved.

As a result, many information systems fail to protect information, not because of a lack of security features, but because poor development, implementation, maintenance, or improvement practices have led features to not work properly, or to be easily bypassed, causing damage against which businesses were counting on being protected.

This article will present how a structured development process (SDLC – System or Software Development Life Cycle), and ISO 27001 security controls for systems acquisition, development, and maintenance can together help increase the security of information systems development processes, benefiting not only information security, but organizations and those involved in development processes as well.

The most important ISO 27001 controls for improving the security of SDLC:
  • A.8.25 – Secure development lifecycle
  • A.8.26 – Application security requirements
  • A.8.27 – Secure system architecture and engineering principles
  • A.8.29 – Security testing in development and acceptance

Why develop securely?

By implementing secure practices in internal development processes, or by demanding that suppliers implement them in their processes, not only is the information itself better protected, but organizations can achieve benefits like:

  • reduced rework costs: security practices enforce more rigorous planning and scenario evaluation, leading to better defined systems requirements and more suitable solutions.
  • reduced incident costs: better planned systems and security controls minimize the occurrence and impact of incidents.
  • reduced maintenance downtime: security practices enforce more control over the development and implementation of changes, so less time is needed to perform them, and fewer problems arise.
  • reduced liability: the adoption of secure practices is viewed as a due diligence effort to prevent the realization of risks, which can minimize penalties in legal actions.

As for development teams, benefits would be:

  • increased requirements control: requirement changes must be evaluated and formalized before implementation.
  • clear verification and validation criteria: requirements must be associated with measurable results to be achieved.
  • better justifications for resources: clear results to be achieved help support demands for resources (e.g., competences, equipment, environments, etc.).

You should note that the degree by which secure development practices may be enforced must balance the need for security of the system and the productivity of the processes, or you may end up changing a security problem into a productivity problem in your development processes. A recommended tool to help find the right balance is the risk assessment table.


SDLC: System or Software Development Life Cycle?

The acronym SDLC can be attributed either to system or software when considering the development life cycle. In brief, SDLC covers the following structured processes:

  • Planning: thinking about and organizing all activities required to develop the system or software
  • Analysis: gaining a better understanding of what is expected from the system or software
  • Design: defining the solution to be implemented
  • Implementation: executing the activities required to create the system or software and make it available to users
  • Operation: the effective use of the system or software
  • Maintenance: making changes to the system or software to ensure it does not become obsolete
  • Disposition: discarding the system or software

The fundamental difference regarding the term “System/Software” is that the system development life cycle comprises not only software, but also hardware, data, people, processes, procedures, facilities, and materials. ISO (International Organization for Standardization) has some standards covering both the system (ISO/IEC/IEEE 15288:2015 and ISO/IEC TR 90005:2008) and software (ISO/IEC 12207:2008 and ISO/IEC 90003:2014) approaches.

Applying ISO 27001 in the SDLC

ISO 27001 has a set of recommended security objectives and controls, described in sections A.5 and A.8 of Annex A and detailed in ISO 27002, to ensure that information security is an integral part of the systems lifecycle, including the development lifecycle, while also covering the protection of data used for testing. By considering the following controls in SDLC processes, you can make them more robust, and with this, enhance the effectiveness of the developed information systems regarding information protection:

Applying ISO 27001 in SDLC processes
ISO 27001 security controls Rationale for application in a SDLC
A.8.25 – Secure development lifecycle
A.8.27 – Secure system architecture and engineering principles
A.8.29 – Security testing in development and acceptance
A.8.31 – Separation of development, test, and production environments
A.8.32 – Change management
A.8.33 – Test information
Guidelines that drive the need for secure development according to perceived business risks. Here you can define general objectives and practices, and the levels of enforcement most suitable for your SDLC framework.
A.5.8 – Information security in project management
A.8.26 – Application security requirements
These controls can be applied to ensure that systems’ security requirements are considered during system or software analysis and design. Control A.8.26 provides specific situations from A.5.8.
A.8.32 – Change management
A.8.29 – Security testing in development and acceptance
These controls can be applied to ensure formal control of changes and that the desired results were achieved, and no negative impact resulted from the changes.
A.8.30 – Outsourced development This control can be applied to enforce secure development practices even by the organization’s suppliers.

The ISO 27001 series also has a set of standards to support security management concepts and help implement security controls specified to ISO 27002 regarding application security. These are the standards: ISO/IEC 27034-1:2011, ISO/IEC 27034-2:2015, and ISO/IEC 27034-6:2016.

Secure processes deliver secure results

As information systems grow in complexity and criticality, more vulnerability points appear, and all a wrongdoer, or careless user, needs to cause havoc on business operations is a single point (e.g., an exploitable code, a disabled security function, an ill-planned user demand, a forgotten patch, etc.), and traditional development practices are not able to keep up proper security levels.

By adopting SDLC together with A.14 controls from ISO 27001 to securely develop information systems, an organization can make sure it covers the most common threats and, by treating security as a process, be systematically and continuously working on maintaining security levels and keeping its information and systems away from harm, while reaping the benefits of improved processes.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.