ISO 27001 - Annex A.14 - System Acquisition Development and Maintenance

Dec 15, 2023 by Maya G

Annex A.14 of the ISO 27001 standard sets out the requirements for system acquisition, development and maintenance. The standard requires that organizations put in place procedures and controls to ensure that information systems are developed and maintained in a secure way.


Organizations should consider the security risks associated with systems development and maintenance activities and put in place controls to mitigate those risks. This could include controls such as code signing and code repositories.

In addition, the standard requires that organisations have a process in place for the acquisition of third-party software and systems. This process should take into account the security risks associated with the use of third-party products and services.

The requirements of Annex A.14 are an important part of the ISO 27001 standard, and organisations should consider them when planning and implementing their information security management system.

What is Annex A.14 (ISO 27001)?

Annex A.14 of the ISO/IEC 27001 standard helps businesses to understand how to manage the confidentiality of information assets and comply with applicable security policies. The standard is based on the requirement that businesses take a risk-management approach to information security.

Annex A.14 provides guidance on how to select and implement security controls that protect information assets from unauthorized access. The annex also includes guidance on how to develop and implement security policies, and how to train personnel on security procedures.

The standard is important for businesses that want to ensure the confidentiality of their information assets. Annex A.14 can help businesses to identify and mitigate risks to their information assets, and to comply with applicable security policies.

What is the objective of Annex A.14?

Annex A.14 of the ISO 27001 standard defines the requirements for an information security management system (ISMS). The objective of Annex A.14 is to ensure that the ISMS is implemented and operated effectively, and that it continually improves in line with the changing security landscape.

Annex A.14 sets out the requirements for an ISMS in terms of its scope, policies, objectives, processes, and controls. It also includes guidance on how to conduct a risk assessment and select appropriate controls.

Annex A.14 of the ISO 27001 standard specifies the objective of information security awareness and education. The awareness and education program is designed to ensure that all employees and other individuals who have access to the organization's information are aware of the importance of preserving the confidentiality, integrity, and availability of that information.

Annex A.14.1: Security requirements of information systems

Annex A.14.1 of ISO 27001 sets out the security requirements of information systems. These requirements are essential for any organization that wants to ensure the confidentiality, integrity, and availability of its information.

The requirements cover a wide range of topics, including security policy, risk assessment, security control objectives, and implementation considerations.

This Annex is an important part of the ISO 27001 standard and should be reviewed carefully by all organizations that are seeking to implement an information security management system.

Annex A.14.2: Security in development and support processes

Annex A.14.2 of ISO 27001 provides guidance on how to manage security in development and support processes. The objective of this annex is to ensure that information security controls are designed and implemented during the development and support of products and services.

This annex contains guidance on the following topics:

  1. The development and support process
  2. The security development life cycle
  3. The security requirements for development and support
  4. The management of security risks during development and support
  5. The management of security issues during development and support
  6. The security of third-party development and support services
  7. The security of open-source software
  8. The security of in-house developed software
  9. The security of cloud-based solutions
  10. The security of mobile solutions
  11. The security of Internet of Things solutions
  12. The security of robotic solutions
  13. The security of additive manufacturing solutions

Annex A.14.3: Test data

Annex A.14.3 of the ISO 27001 standard defines the requirements for test data. This data is used to test the effectiveness of the organization’s information security controls.

The annex defines three types of test data:

  • This data is used to test the correct functioning of controls.
  • This data is used to test the realistic effectiveness of controls.
  • This data is used to assess the potential impact of a security incident.

Organisations must carefully select the test data they use to ensure that it is fit for purpose. This data must be appropriate for the controls being tested and must be representative of the type of data the organization deals with on a day-to-day basis.

What is system acquisition development and maintenance?

The system acquisition, development and maintenance (SADM) process is a key component of any successful information security management system (ISMS). It is the process of designing, creating, testing and maintaining a system that meets the requirements of an organisation.

Organisations need to have a clear understanding of their SADM process in order to ensure that their systems are secure and fit for purpose. This process should be regularly reviewed and updated in line with changes in the organisation’s security requirements.

In order to develop and maintain an information security management system (ISMS), you need to understand what system acquisition, development, and maintenance is. This process includes all activities from the acquisition of goods and services to the development, implementation, and operation of systems.

The goal of system acquisition, development, and maintenance is to ensure that the system meets the needs of the user and the organization. This process includes the following steps:

  1. Identify the users and their needs
  2. Identify the requirements of the system
  3. Design the system
  4. Implement the system
  5. Test the system
  6. Deploy the system
  7. Operate and maintain the system

What are the Annex A.14 controls?

A.14.1.1 Information Security Requirements Analysis & Specification

The information security requirements analysis and specification standard (A.14.1.1) from the International Organization for Standardization (ISO) provides guidance for selection and application of appropriate security controls within an information security management system (ISMS).

The standard includes a requirements specification template that can be used to identify and document security requirements for an organisation's information assets, including specific system components and processes. The template can be used as part of a security controls gap analysis or during a full ISO 27001 audit.

A.14.1.1 also includes guidance on how to select relevant security controls from ISO 27002, and how to generate customized requirements based on the unique needs of an organisation. This standard is an important tool for organisations seeking to implement or improve their information security management systems.

A.14.1.2 Securing Application Services on Public Networks

A.14.1.2 Securing Application Services on Public Networks (ISO 27001) is a process of classifying data and then protecting it while it is being transmitted over public networks. The goal is to make sure that only authorized users can access the data and that the data is not tampered with in transit.

This process is important for any organization that transmits sensitive or confidential data over public networks. It is especially important for organizations that are required to comply with regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).


A.14.1.3 Protecting Application Services Transactions

In any organization, application services transactions must be protected; this is the subject of control A.14.1.3 in ISO 27001. Because these transactions may contain sensitive or confidential data, it is crucial that they are protected from unauthorized access, alteration, or destruction.

There are many ways in which application services transactions can be protected, and the most effective approach will vary depending on the specific organization and transactions in question. However, some common methods of protection include encryption, access control, and activity logs.

To ensure that application services transactions are properly protected, it is important for organizations to carefully assess their risks and put in place the appropriate controls. This article provides an overview of the risks associated with application services transactions and some of the measures that can be taken to protect them.

A.14.2.1 Secure Development Policy

The A.14.2.1 secure development policy is a requirement of the ISO 27001 standard and states that: "The organization develops and maintains security policies and procedures for software development, acquisition and maintenance that address security risks and controls."

In order to comply with this requirement, organizations must establish a secure development policy that covers all aspects of software development, from inception to retirement. The policy should be proportionate to the risks faced by the organization and its software development lifecycle.

The A.14.2.1 security development policy is a requirement of the ISO 27001 standard and is intended to help organizations protect the confidentiality, integrity and availability of the software and data.

A.14.2.2 System Change Control Procedures

The purpose of A.14.2.2 System Change Control Procedures (ISO 27001) is to ensure that changes to the system are authorised, tested, implemented and documented. This is to ensure that the system continues to function as intended and that any risks associated with the change are identified and managed.

Any change to the system, whether it be a configuration change, software upgrade or new functionality, must go through a formal change control process. This process should be followed regardless of the size or type of change.

The A.14.2.2 System Change Control Procedure (ISO 27001) details the steps that must be taken in order to ensure that changes to the system are controlled and managed in a consistent and effective manner.

A.14.2.3 Technical Review of Applications After Operating Platform Changes

The A.14.2.3 Technical Review of Applications After Operating Platform Changes (ISO 27001) standard specifies the security controls for information systems that process personal data. The standard’s intention is to protect the confidentiality, integrity, and availability of personal data against unauthorized access, use, disclosure, interception, or other threats.

The standard includes requirements for:

  • establishing and maintaining a risk management program
  • conducting security audits
  • implementing security controls
  • monitoring and responding to security events

The A.14.2.3 Technical Review of Applications After Operating Platform Changes (ISO 27001) standard is an important step in ensuring the security of personal data. By implementing the requirements of this standard, organizations can help protect the people whose data they process.

A.14.2.4 Restrictions on Changes to Software Packages

The purpose of this article is to provide an overview of the requirements of A.14.2.4, which is a section of the ISO 27001 standard. This section prescribes requirements for the control of changes to software packages.

In order to control changes to software packages, an organization needs to put in place a change management process. This process should ensure that only authorized changes are made, and that all changes are properly documented and tested before being implemented.

The requirements of A.14.2.4 are essential for ensuring the integrity of software packages and preventing unauthorized changes from being made. By putting in place an effective change management process, organizations can protect their systems and maintain compliance with the ISO 27001 standard.

A.14.2.5 Secure System Engineering Principles

The end goal of any organization should be to protect its information assets against security threats. In order to achieve this, it is important to follow certain secure system engineering principles. The A.14.2.5 security standard from ISO 27001 is a good starting point. This standard provides a set of principles that should be followed in order to ensure the safety of information assets.

The A.14.2.5 security standard covers various topics, such as system design, development, testing, and deployment. It also covers security management, risk assessment, and security controls.

The principles shall address the organizational approach to system security, including:

  • The organizational culture for system security
  • The management responsibility for system security
  • The assignment of security roles and responsibilities
  • The need for system security throughout the life cycle
  • The use of security controls to achieve system security
  • The continuous improvement of system security

A.14.2.6 Secure Development Environment

The standard A.14.2.6 of ISO 27001 requires organizations to establish, implement, and maintain a secure development environment for information security. This standard is important for any organization that develops software or applications, as it helps to ensure that these products are secure from the start.

There are a number of elements that make up a secure development environment, and these must be tailored to the needs of the organization. However, some of the most important elements include secure coding practices, secure development tools, and application security testing.

Implementing a secure development environment can be a challenge, but it is essential for any organization that wants to protect its information assets.

A.14.2.7 Outsourced Development

Organizations outsource various aspects of their business activities in order to focus on their core strengths and to reduce costs. The process of sourcing services from an external provider is known as outsourcing.

When outsourcing, it is important to consider the impact that this may have on the security of your information assets. For example, if you outsource the development of a software application, the provider will need to have access to your systems and data. This could potentially lead to a data breach if the provider’s systems are not secure.

In order to mitigate the risks associated with outsourcing, it is important to have a robust outsourcing policy in place. This policy should be aligned with your organization’s security policy and should be reviewed on a regular basis.

The standard for information security management, ISO 27001, provides guidance on how to outsource in a secure manner. Clause 14.2.7 of ISO 27001 specifically addresses the issue of outsourced development.

A.14.2.8 System Security Testing

A.14.2.8 System security testing is a process of verifying the security controls in an information system to ensure they are functioning as intended. The purpose of this testing is to identify any security vulnerabilities that may exist in the system which could be exploited by an attacker.

System security testing can be divided into two main categories:

  1. Black box testing: Testing is conducted without any knowledge of the internal workings of the system.
  2. White box testing: Testing is conducted with the knowledge of the internal workings of the system.

A.14.2.8 System security testing is an important part of the ISO 27001 certification process and should be conducted by a qualified professional.

A.14.2.9 System Acceptance Testing

The A.14.2.9 System Acceptance Testing (SAT) process is a formal testing process used to verify that a system meets specified requirements. It is typically performed by the system provider (i.e., the organization that developed the system) and is often a required deliverable before the system can be accepted by the customer.

The ISO 27001 standard requires that SAT be conducted prior to commissioning new or modified information systems. The objectives of SAT are to:

  • demonstrate that the system meets or exceeds the specified requirements
  • verify that the system is fit for its intended purpose
  • provide evidence that the system is ready for transitioning to the operational environment.

The SAT process typically consists of three phases:

  • the test planning phase,
  • the test execution phase, and
  • the test closure phase.

A.14.3.1 Protection of Test Data

A.14.3.1 Protection of Test Data is a requirement of ISO 27001. It refers to the security of data that is used for testing purposes. This data is often sensitive and can be used to compromise systems if it falls into the wrong hands.

There are a number of measures that can be taken to protect test data. These include encrypting the data, storing it in a secure location, and ensuring that only authorized personnel have access to it. Taking these measures will help to ensure that your test data is protected and secure.

Why is system acquisition development and maintenance important for your organisation?

Any organization that wants to improve its security posture should consider system acquisition development and maintenance (ISO 27001). By implementing this standard, your organization can mitigate cyber risks more effectively and establish a more robust cyber security program.

The standard provides a framework for developing, acquiring, and maintaining systems in a secure manner. It covers all aspects of system development, including requirements gathering, design, implementation, testing, and deployment.

Organizations that implement ISO 27001 can reap many benefits, such as improved security, reduced costs, and enhanced customer confidence. However, the standard is not without its challenges.

Conclusion

The life cycle of an information system includes information security as a critical component. You should consider using InfoSec controls along the way, from choosing to buy a new system to creating and managing that system. It promotes safer business procedures and safeguards your sensitive data.
