{"id":10808,"date":"2017-01-24T17:50:59","date_gmt":"2017-01-24T17:50:59","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=10808"},"modified":"2024-12-12T11:43:21","modified_gmt":"2024-12-12T11:43:21","slug":"how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc\/","title":{"rendered":"How to integrate ISO 27001 controls into the system\/software development life cycle (SDLC)"},"content":{"rendered":"<p><em>Updated: March 27, 2023, according to the ISO 27001 2022 revision.<\/em><\/p>\n<p><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&#038;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">Information security<\/a> is only as good as the processes behind it, yet many organizations are concerned only with whether security features exist and are switched on in their information systems, and not with how those features are developed, implemented, maintained, and improved.<\/p>\n<p>As a result, many information systems fail to protect information not because they lack security features, but because poor development, implementation, maintenance, or improvement practices have left those features not working properly, or easily bypassed, causing exactly the damage the business was counting on being protected from.<\/p>\n<p>This article presents how a structured development process (SDLC \u2013 System or Software Development Life Cycle) and <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> security controls for systems acquisition, development, and maintenance can together increase the security of information systems development processes, benefiting not only information 
security, but organizations and those involved in development processes as well.<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--title\">The most important ISO 27001 controls for improving the security of SDLC:<\/div>\n<div class=\"post-featured--content\">\n<ul>\n<li>A.8.25 &#8211; Secure development lifecycle<\/li>\n<li>A.8.26 &#8211; Application security requirements<\/li>\n<li>A.8.27 &#8211; Secure system architecture and engineering principles<\/li>\n<li>A.8.29 &#8211; Security testing in development and acceptance<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2>Why develop securely?<\/h2>\n<p>By implementing secure practices in internal development processes, or by demanding that suppliers implement them in their processes, not only is the information itself better protected, but organizations can achieve benefits like:<\/p>\n<ul>\n<li>reduced rework costs: security practices enforce more rigorous planning and scenario evaluation, leading to better defined systems requirements and more suitable solutions.<\/li>\n<li>reduced incident costs: better planned systems and security controls minimize the occurrence and impact of incidents.<\/li>\n<li>reduced maintenance downtime: security practices enforce more control over the development and implementation of changes, so less time is needed to perform them, and fewer problems arise.<\/li>\n<li>reduced liability: the adoption of secure practices is viewed as a due diligence effort to prevent the realization of risks, which can minimize penalties in legal actions.<\/li>\n<\/ul>\n<p>As for development teams, benefits would be:<\/p>\n<ul>\n<li>increased requirements control: requirement changes must be evaluated and formalized before implementation.<\/li>\n<li>clear verification and validation criteria: requirements must be associated with measurable results to be achieved.<\/li>\n<li>better justifications for resources: clear results to be achieved help support demands for resources (e.g., competences, 
equipment, environments, etc.).<\/li>\n<\/ul>\n<p>Note that the degree to which secure development practices are enforced must balance the security needs of the system against the productivity of the development process, or you may end up turning a security problem into a productivity problem. A recommended tool to help find the right balance is the <a href=\"https:\/\/staging.advisera.com\/27001academy\/documentation\/risk-assessment-table\/\" target=\"_blank\" rel=\"noopener noreferrer\">risk assessment<\/a>\u00a0table.<\/p>\n<h2>SDLC: System or Software Development Life Cycle?<\/h2>\n<p>The acronym SDLC can refer either to the system or to the software development life cycle. In brief, SDLC covers the following structured processes:<\/p>\n<ul>\n<li>Planning: thinking about and organizing all activities required to develop the system or software<\/li>\n<li>Analysis: gaining a clear understanding of what is expected from the system or software<\/li>\n<li>Design: defining the solution to be implemented<\/li>\n<li>Implementation: executing the activities required to build the system or software and make it available to users<\/li>\n<li>Operation: the effective use of the system or software<\/li>\n<li>Maintenance: making changes to the system or software to keep it fit for purpose and prevent it from becoming obsolete<\/li>\n<li>Disposition: retiring and discarding the system or software at the end of its life<\/li>\n<\/ul>\n<p>The fundamental difference between the two is that the system development life cycle comprises not only software, but also hardware, data, people, processes, procedures, facilities, and materials. 
<a href=\"https:\/\/www.iso.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO<\/a> (International Organization for Standardization) has standards covering both the system (ISO\/IEC\/IEEE 15288:2015 and ISO\/IEC TR 90005:2008) and software (ISO\/IEC 12207:2008 and ISO\/IEC 90003:2014) approaches.<\/p>\n<h2>Applying ISO 27001 in the SDLC<\/h2>\n<p>ISO 27001 lists a set of security controls in Annex A (those relevant to development sit in sections A.5 and A.8) and details them in <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-vs-iso-27002\/\" target=\"_blank\" rel=\"noopener\">ISO 27002<\/a>. Their purpose is to ensure that information security is an integral part of the systems life cycle, including the development life cycle, and they also cover the protection of data used for testing. By considering the following controls in SDLC processes, you can make those processes more robust and, with this, make the developed information systems more effective at protecting information:<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"2\" cellpadding=\"2\">\n<thead>\n<tr>\n<td style=\"text-align: center\" colspan=\"2\"><strong>Applying ISO 27001 in SDLC processes<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center\">ISO 27001 security controls<\/td>\n<td style=\"text-align: center\">Rationale for application in an SDLC<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>A.8.25 \u2013 Secure development lifecycle<br \/>\nA.8.27 \u2013 Secure system architecture and engineering principles<br \/>\nA.8.29 \u2013 Security testing in development and acceptance<br \/>\nA.8.31 \u2013 Separation of development, test, and production environments<br \/>\nA.8.32 \u2013 Change management<br \/>\nA.8.33 \u2013 Test information<\/td>\n<td>Guidelines that drive the need for secure development according to perceived business risks. 
Here you can define general objectives and practices, and the levels of enforcement most suitable for your SDLC framework.<\/td>\n<\/tr>\n<tr>\n<td>A.5.8 \u2013 Information security in project management<br \/>\nA.8.26 \u2013 Application security requirements<\/td>\n<td>These controls can be applied to ensure that systems&#8217; security requirements are considered during system or software analysis and design. Control A.8.26 is the application-specific instance of A.5.8: security requirements must be identified, specified, and approved when applications are developed or acquired.<\/td>\n<\/tr>\n<tr>\n<td>A.8.32 \u2013 Change management<br \/>\nA.8.29 \u2013 Security testing in development and acceptance<\/td>\n<td>These controls can be applied to ensure that changes are formally controlled, that the desired results were achieved, and that the changes had no negative impact.<\/td>\n<\/tr>\n<tr>\n<td>A.8.30 \u2013 Outsourced development<\/td>\n<td>This control can be applied to enforce secure development practices on the organization&#8217;s suppliers as well.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The ISO 27000 series also includes standards that support security management concepts and help implement the ISO 27002 controls specifically for application security. 
These are the standards: ISO\/IEC 27034-1:2011, ISO\/IEC 27034-2:2015, and ISO\/IEC 27034-6:2016.<\/p>\n<h2>Secure processes deliver secure results<\/h2>\n<p>As information systems grow in complexity and criticality, more points of vulnerability appear, and all a wrongdoer, or a careless user, needs to wreak havoc on business operations is a single weak point (e.g., an exploitable piece of code, a disabled security function, an ill-planned user request, a forgotten patch, etc.). Traditional development practices are not able to keep security at the required level.<\/p>\n<p>By adopting an SDLC together with the relevant Annex A controls from ISO 27001 (the A.5 and A.8 controls listed above) to securely develop information systems, an organization can make sure it covers the most common threats and, by treating security as a process, work systematically and continuously on maintaining security levels and keeping its information and systems away from harm, while reaping the benefits of improved processes.<\/p>\n<p><em>To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses,\u00a0<\/em><a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener noreferrer\">sign up for a free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated: March 27, 2023, according to the ISO 27001 2022 revision. Information security is only as good as the processes related to it, yet we find many organizations concerned only about whether security features exist and are active in their information systems, and not how they are developed, implemented, maintained, and improved. 
As a result, &#8230;<\/p>\n","protected":false},"author":41,"featured_media":85646,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1555,1556,1557,1558],"class_list":["post-10808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-sdlc","tag-secure-information-systems","tag-testing","tag-security-requirements"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=10808"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10808\/revisions"}],"predecessor-version":[{"id":103161,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10808\/revisions\/103161"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/85646"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=10808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=10808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=10808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}