{"id":7208,"date":"2015-08-31T20:53:53","date_gmt":"2015-08-31T20:53:53","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=7208"},"modified":"2025-07-10T17:22:27","modified_gmt":"2025-07-10T17:22:27","slug":"what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2015\/08\/31\/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5\/","title":{"rendered":"What are secure engineering principles in ISO 27001:2013 control A.14.2.5?"},"content":{"rendered":"<p>In my days of programming (big hosts and green\/amber terminals, matrix printers&#8230;) we didn&#8217;t think so much about information security, and especially not about secure engineering. Functional specifications were very simple, and acceptance criteria for the final product were: it had to look fairly nice, calculations (if any) had to be correct, reports with few selection criteria worked quickly\u2026 and a few others.<\/p>\n<p>Everything changed with PCs, and especially with the Internet.<\/p>\n<p>In shopping centers, banks, airports, hospitals, nuclear sites, etc., various types of computer programs, running over various types of networks, are handling data, monitoring, and even managing processes. We can use a vast number of online services that are available globally and 24\/7. 
It\u2019s great \u2013 if we are all good guys (not too sloppy ones) and Mother Nature treats us nicely.<\/p>\n<p>Confidentiality, integrity, and availability (CIA) of information are mandatory, and that\u2019s where secure engineering principles will help.<\/p>\n<h2>Secure engineering and secure engineering principles<\/h2>\n<p><strong>Secure engineering<\/strong> is actually how you will apply security while developing your IT projects. In order to do that, you should take into account threats from natural disasters and humans. These may include: earthquakes, tornadoes, floods, misuse, and malicious human behavior (find more threats and vulnerabilities in <a href=\"https:\/\/advisera.com\/27001academy\/knowledgebase\/threats-vulnerabilities\/\" rel=\"noopener noreferrer\" target=\"_blank\">Catalogue of threats &amp; vulnerabilities<\/a>).<\/p>\n<p>To assure management of those threats, high-level rules are defined to apply security. These are your secure engineering principles. For example, most projects deal with information. So, your principle will be \u201cAssure information protection in processing, transit, and storage.\u201d Based on principles, procedures will be developed that define activities in detail. For the mentioned example, you will define, e.g., a <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" rel=\"noopener noreferrer\" target=\"_blank\">backup procedure<\/a>\u00a0and clearly state that incremental backup should be done every day, and full backup done during the weekend. 
Also, you will define responsibilities and how to control whether the procedure is followed.<\/p>\n<p>It\u2019s important to know that principles apply to every phase of your development projects, and to all architectural layers of your final products (business, data, applications, and technology).<\/p>\n<p style=\"padding-top: 15px;\"><img decoding=\"async\" alt=\"ISO 27001 A.14.2.5 \u2013 What are secure engineering principles?\" class=\"aligncenter size-full wp-image-22315\" height=\"628\" src=\"\/wp-content\/uploads\/\/sites\/5\/2015\/08\/principles-engineering.jpg\" width=\"1000\" srcset=\"\/wp-content\/uploads\/sites\/5\/2015\/08\/principles-engineering.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2015\/08\/principles-engineering-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2015\/08\/principles-engineering-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2>Requirements of ISO 27001:2013 \u2013 control A.14.2.5<\/h2>\n<p>To help you with the implementation of secure system engineering principles, a new control is introduced in Annex A: A.14.2.5 \u2013 Secure system engineering principles. The control is not defined in much detail, but in general,\u00a0<a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-27001\/\" rel=\"noopener noreferrer\" target=\"_blank\">ISO 27001<\/a>\u00a0requires you to establish (i.e., define), document, apply (i.e., use them in real life), and regularly review your principles.<\/p>\n<p>As you can see, the standard is not very specific; so, in order to implement that <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=statement-of-applicability\" rel=\"noopener noreferrer\" target=\"_blank\">control<\/a>, you can start by addressing the biggest threats.<\/p>\n<p>So, you should introduce your principles to your people and make sure that they are followed. 
If you have outsourced partners, you should get them to apply those principles or to apply principles comparable to yours. You can do that by using contracts or some other regulatory means. If you are planning to use some new technologies, they should be analyzed for security risks (like known attack patterns).<\/p>\n<h2>A few hints on how to approach<\/h2>\n<p>Recently, I audited one ICT company (consulting, developing, implementation services) that defines secure principles in the most desirable way: easy to understand and operationally manageable.<\/p>\n<p>Due to the fact that control A.14.2.5 is applicable, they took an interesting approach. During several brainstorming sessions with key employees (from the legal department, account managers, system architects, developers, testers, consultants from the implementation team, help desk guys) secure engineering principles emerged. During those sessions, they analyzed their current situation and assessed the biggest threats during development of their ICT projects, grouped them, and defined an approach to how to manage them. Of course, the detailed approach was defined in procedures and work instructions. To gain a customer view, at their last session they brought in the CIO of their biggest customer.<\/p>\n<p>To test the defined principles (it was really a test of the procedures and templates defined) they documented an \u201cinternal audit\u201d for one old application, using quality assurance checklists for each development stage.<\/p>\n<p>So, since security engineering principles (a document with \u201cpolitical\u201d statements) are your guidelines for building information security into all architectural layers, in order to have them implemented in a real-world environment they have to be followed by a procedure that is easily understandable by all affected people. 
If we take the previously mentioned principle \u201cAssure information protection in processing, transit, and storage\u201d and apply it to application development, it would be as follows:<\/p>\n<ul>\n<li>business layer \u2013 e.g., based on user authentication level, only particular users can see personal data<\/li>\n<li>data layer \u2013 e.g., only logging in with a strong database <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=password-policy\" rel=\"noopener noreferrer\" target=\"_blank\">password<\/a>\u00a0for database maintenance activities is allowed<\/li>\n<li>applications \u2013 e.g., application encryption is used for data export and import<\/li>\n<li>technology \u2013 e.g., open-source software and state-of-the-art hardware and network infrastructure provided by selected vendors are used<\/li>\n<\/ul>\n<h2>Measure, Measure, Measure, Cut \u2013 M3C1 (measure three times, cut once)<\/h2>\n<p>It\u2019s difficult to create a cookbook on how to define secure engineering principles. It really depends on lots of different factors, and it\u2019s different for each company. Maybe the most important thing is that they are understandable to your employees and that everybody in the cycle gets \u201csomething for themselves.\u201d<\/p>\n<p>Prior to final approval of your documentation that defines secure engineering principles, try to apply it to some existing or old project to make sure that added value can be achieved. 
Don\u2019t rush with it \u2013 define something that will help you and assure added value for your customer.<br \/>\nSo, before you approve your principles \u2013 Measure, Measure, Measure and then Cut.<\/p>\n<p><em>To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses,\u00a0<\/em><a href=\"https:\/\/advisera.com\/conformio\/\" rel=\"noopener noreferrer\" target=\"_blank\">sign up for a 14-day free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my days of programming (big hosts and green\/amber terminals, matrix printers&#8230;) we didn&#8217;t think so much about information security, and especially not about secure engineering. Functional specifications were very simple, and acceptance criteria for the final product were: it had to look fairly nice, calculations (if any) had to be correct, reports with few 
&#8230;<\/p>\n","protected":false},"author":44,"featured_media":22315,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[841,842,843],"class_list":["post-7208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-270012013","tag-secure-engineering-principles","tag-a-14-2-5"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/7208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=7208"}],"version-history":[{"count":1,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/7208\/revisions"}],"predecessor-version":[{"id":104382,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/7208\/revisions\/104382"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/22315"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=7208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=7208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=7208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}