ISO 27001 Annex A Control 8.29

ISO 27001 control 8.29 Security testing in development and acceptance

The basics

ISO 27001 control A.8.29 Security testing in development and acceptance requires companies to define a testing process in order to verify that security requirements are implemented in the software as specified.

Documentation

ISO 27001 control A.8.29 Security testing in development and acceptance can be documented:

  • for smaller and mid-sized companies by writing a Secure Development Policy
  • for larger companies by writing a Secure Testing and Acceptance Procedure

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.29 Security testing in development and acceptance, you might implement the following:

  • Technology — the technology to enable security testing might include tools for automating test scripts, and also for generating automatic reports. Small companies may use tools installed locally on their developers’ computers, while bigger companies may use centralized software that manages security tests in a shared way.
  • Organization/processes — you should set up a process that defines the test methodologies to be applied, how testing activities are planned and executed, the expected inputs and outputs, and the acceptance criteria used to evaluate test results and accept systems. You can document this process through a Secure Development Policy or a Secure Testing and Acceptance Procedure.
  • People — make employees aware of why security testing is important, and train developers on how to plan and execute tests, and how to review and evaluate test results.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.29 Security testing in development and acceptance: whether the software is tested against its security requirements to ensure that security is implemented as specified.