The basics
ISO 27001 control A.8.25 Secure development life cycle requires companies to establish and apply rules for the secure planning, development, testing, deployment, maintenance, and disposal of software and systems. This is important because a weakness introduced at any stage (a missing security requirement, an insecure design decision, untested code, a misconfigured deployment, or a retired system that still holds data) is carried forward into the rest of the life cycle and can become a source of vulnerability in the running system.
Documentation
ISO 27001 control A.8.25 Secure development life cycle can be documented:
- For smaller and mid-sized companies by writing a Secure Development Policy.
- For larger companies by writing a Procedure for Secure Software Development.
ISO 27001 does not require these documents by name, but they are the recommended way to demonstrate that the rules required by this control are established.
Implementation
In order to comply with control A.8.25 Secure development life cycle you might implement the following:
- Technology — the technology that enables a secure development life cycle will be mainly based on software applications. Companies of all sizes will probably be able to use the same office applications they use in their daily activities (e.g., Word and Excel) to write policies for planning secure services, architectures, software, and systems. Small companies can use tools installed locally on their developers’ computers to build, test, and review code according to the defined policies, while bigger companies may use specialized development tools that support collaborative development (for example, shared source control with code review and automated build and test pipelines).
- Organization/processes — you should set up a process that defines the rules, standards, and techniques for specifying system requirements, designing solutions, coding, testing, deploying, and maintaining applications, as well as for securely decommissioning them. You can document this process through a Secure Development Policy or a Procedure for Secure Software Development.
- People — make employees aware of why systems and applications need to be developed in a secure way, and train developers on how to specify security requirements and how to write, test, and review code against them.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.25 Secure development life cycle: whether security rules are integrated into every phase of the software life cycle, i.e., from software conception to software retirement, and whether those rules are actually applied in practice (for example, documented security requirements, design and code review records, test results, and deployment and decommissioning records for a sample of projects).