ISO 27001 Annex A Control 8.30

ISO 27001 control 8.30 Outsourced development

The basics

ISO 27001 control A.8.30 Outsourced development requires companies to carefully manage development activities performed by external parties. This is important because if outsourced software development is not controlled from a security point of view, the resulting software could have various vulnerabilities.

Documentation

ISO 27001 control A.8.30 Outsourced development can be documented:

  • for smaller and mid-sized companies by writing a Secure Development Policy
  • for larger companies by writing an Outsourced Development Procedure

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.30 Outsourced development you might implement the following:

  • Technology — in most cases the technology needed to manage outsourced development will already be available from the provider (e.g., monitoring reports, real-time dashboards, etc.). Some companies might only need to upgrade their services to a version with more features, while in other cases they will need to change the outsourced developer if it lacks the required management capabilities.
  • Organization/processes — you should set up a process for defining the minimum requirements to be included in service agreements with outsourced developers, and a process for monitoring and reviewing development progress. You can document those processes through a Secure Development Policy or an Outsourced Development Procedure.
  • People — make employees aware of why managing outsourced development is needed, and train them on how to direct, monitor and review their outsourced developers.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.30 Outsourced development: whether software development performed by external parties follows proper practice and security rules.