ISO 27001 Annex A Control 8.27

ISO 27001 control 8.27 Secure system architecture and engineering principles

The basics

ISO 27001 control A.8.27 Secure system architecture and engineering principles requires companies to define principles and methods for engineering secure systems. This is important because if the security architecture of the information system is set up properly, the developed software is much more likely to have fewer vulnerabilities.

Documentation

ISO 27001 control A.8.27 Secure system architecture and engineering principles can be documented:

  • for smaller and mid-sized companies – through a Secure Development Policy
  • larger companies might have a Policy for Secure System Architecture and Engineering Principles.

This control must be documented.

Implementation

In order to comply with control A.8.27 Secure system architecture and engineering principles you might implement the following:

  • Technology — the technology to enable the implementation of secure system architecture and engineering principles may include software (e.g., coded components), hardware (e.g., network devices and redundant servers), and networks (e.g., segregated networks). Companies of all sizes need to plan the secure architecture and engineering of their systems based on the results of the risk assessment and the identified security requirements.
  • Organization/processes — you should set up a process for establishing, documenting, maintaining, applying, and reviewing architecture and engineering principles embedded into the company’s information systems. You can document those processes through a Secure Development Policy or a Policy for Secure System Architecture and Engineering Principles.
  • People — make employees aware of why adopting principles for secure architecture and engineering of information systems is needed, and train developers on how to apply, implement and review them in their developed systems.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.27 Secure system architecture and engineering principles: whether principles and methods for engineering secure systems are integrated into the software lifecycle process.

These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.