Today we are going to be talking about ISO 27001 and its controls, unpacking the question of what Annex A:14 is. ISO 27001 has a number of controls, which we have covered in previous pieces in this series.
Information security, ISO 27001 and its controls such as Annex A:14 are emerging concepts across the increasingly digitised world. They outline how to put in place an independently assessed and certified information security management system. ISO 27001:2015 helps organizations work more effectively to secure all financial and confidential data.
We are discussing the series of ISO controls listed under Annex A of ISO 27001:2015. Today we are going to understand exactly what Annex A:14 is, which is centered on the security requirements of information security management systems.
ISO 27001 Controls; What is Annex A:14?
Annex A:14 System acquisition, development, and maintenance
The objective in this Annex A area is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems that provide services over public networks.
Annex A:14.1 Security requirements of information systems
In this section, three controls define the importance of securing information while complying with the information security requirements. Any organization looking to achieve ISO 27001 certification must apply these controls to protect the information held on its systems as well as information passing over public networks.
Annex. A:14.1.1 Information Security Requirements analysis and specification:
Requires an analysis that specifies the information security requirements for any new system or any specific change to an existing one. It is important to run through the business requirements by doing a risk assessment. The information security-related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Annex. A:14.1.2 Securing application services on public networks:
This clause covers the securing of application services on public networks. It means that information circulating over public networks must be protected by applying encryption policies, multi-factor authentication, the use of passwords, and so on. Annex A:13 says that non-disclosure or confidentiality policies and procedures must be acknowledged by every party accessing the confidential information. This control protects information from unauthorized and fraudulent access.
It is important to consider confidentiality, integrity, and availability of the data.
Annex. A:14.1.3 Protecting applications services transactions
Requires the protection of application services that are used to exchange confidential information. Any incomplete transmission, failure of a digital signature or email, unauthorized message alteration, disclosure, message duplication, or replay could lead to the loss of information held on the systems. It is top management's responsibility to maintain the security of such systems and to promote investigation whenever such events occur.
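The failure modes listed for this control (alteration, duplication, replay) map onto concrete receiver-side checks. The following is an added illustration, not code from the original post or from any ISO document: each transaction message carries a timestamp, a fresh nonce and an HMAC tag, and the receiver rejects anything that fails the tag, is outside the freshness window, or reuses a nonce. The shared key, the five-minute window and the message fields are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed shared secret for this example only; a real service would load it
# from a key management system, never keep it in source.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 300  # reject messages older than five minutes (assumed window)


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(body: dict, key: bytes = SHARED_KEY,
                     now: Optional[float] = None) -> dict:
    """Wrap a transaction body with a timestamp, a fresh nonce and an HMAC tag."""
    envelope = {
        "body": body,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    envelope["tag"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class TransactionVerifier:
    """Receiver-side checks for integrity, freshness and single use."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()  # a real service bounds this by max_age

    def verify(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        unsigned = {k: v for k, v in envelope.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(unsigned), hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to body, ts or nonce breaks the tag.
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return False, "integrity check failed"
        # Freshness: limits how long a captured message stays usable.
        if abs(now - envelope["ts"]) > self.max_age:
            return False, "message too old or from the future"
        # Single use: the same nonce is never accepted twice.
        if envelope["nonce"] in self.seen_nonces:
            return False, "duplicate or replayed message"
        self.seen_nonces.add(envelope["nonce"])
        return True, "accepted"


if __name__ == "__main__":
    verifier = TransactionVerifier()
    msg = sign_transaction({"from": "acct-1", "to": "acct-2", "amount": 100})
    print(verifier.verify(msg))  # accepted
    print(verifier.verify(msg))  # rejected as a duplicate
```

The order of the checks matters: the tag is verified first so that the timestamp and nonce being checked are the ones the sender actually committed to. In a deployed service the nonce store would be shared across receiver instances and pruned once entries are older than the freshness window.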
Annex A:14.2 Security in development and support processes
This clause has 9 controls; its main objective is to ensure that information security is designed and implemented within the development lifecycle of information systems. A secure development policy or procedure is used to protect security throughout development within the systems. The processes for developing and implementing systems and system changes should encourage the use of secure coding and development practices. Compliant policies will address security checkpoints during development; secure repositories; security in version control; application security knowledge; and developers' ability to avoid vulnerabilities, then find and fix them when they occur.
Annex. A:14.2.1 Secure development policy:
Requires a set of rules, policies and procedures for any software development within the organization. Such policies help with identifying risks in the development and implementation of systems. Strong initial screening when recruiting for these skills, lifetime management, and training of staff are essential, and practices like pair programming, peer reviews, and independent quality assurance testing are all positive attributes.
Annex. A:14.2.2 System change control procedures:
Requires formal procedures that control the development lifecycle by enforcing change control policies. Any organization that is making a change must not overlook its responsibility to protect information and its assets. Audit logs are the best evidence to keep while undergoing such procedures. It is also mandatory to identify and evaluate any risk involved in changes across the development lifecycle through the A:14 controls.
Annex. A:14.2.3 Technical review of the application after operating platform changes:
Requires a compulsory check of all technical changes to determine whether operating platforms have been changed. All such changes must be reviewed and tested to ensure there is no adverse impact on organizational operations or security. This is also a major responsibility of top management, which requires extra surveillance of such changes.
Annex. A:14.2.4 Restriction on changes to software package:
Requires a set of procedures that control external and internal access to software packages. It also needs to place certain restrictions on modifications to prevent adverse effects that would lead to a loss of information security.
Annex. A:14.2.5 Secure system engineering principles:
Principles for engineering secure systems must be established, documented, maintained, and applied to any information system implementation effort. Secure software engineering principles exist both at a general level and specific to development platforms and coding languages. These principles are used to identify the hidden risks that could lead to information loss within organizations.
Annex. A:14.2.6 Secure development environment:
Organizations need to establish and appropriately protect secure development environments for system development and integration efforts covering the entire system development lifecycle. These procedures prevent malicious activity from entering the systems. Such procedures take account of business requirements and other internal and external requirements, including legislation, regulation, contractual agreements, and policies. Whenever the technical environment changes, the associated risk must be assessed and controlled.
Annex. A:14.2.7 Outsourced development:
The organization must supervise and monitor the activity of outsourced system development. For any software development outsourced either wholly or partly to external parties, the security requirements must be specified in a contract or attached agreement. This reduces the vulnerability to unauthorised access arising from outsourced system development.
Annex. A:14.2.8 System Security Testing:
Testing of security functionality needs to be carried out during development. One must seek permission from the responsible and relevant authority before running any security system testing. The outcomes of such testing have to be controlled and documented.
Annex. A:14.2.9 System acceptance testing:
Acceptance testing programs and related criteria require an established policy for new information systems, upgrades, and new versions. Again, this acceptance is entirely based on business requirements. Acceptance testing should also include security testing.
Annex A:14.3 Test Data
Annex A.14.3 is about test data. The objective in this Annex A area is to ensure the protection of data used for testing.
Annex. A:14.3.1 Protection of Test Data:
Test data must be selected carefully, protected, and controlled. Test data should ideally be used when someone is seeking to upgrade their internal operating systems. It should be carefully selected and secured for the period of testing, and securely deleted when testing is complete.
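The three steps named for this control (select carefully, secure for the test period, delete securely afterwards) can be demonstrated end to end. The following is an added example, not code from the original post or from any ISO document, of taking a constructed production-style export, replacing identifying fields with keyed pseudonyms and masked values before it reaches a test environment, writing it with restricted permissions, and overwriting it when testing ends. The pseudonym key, the CSV columns and the sample rows are assumptions constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import os
import tempfile
from pathlib import Path
from typing import List

# Constructed secret used to derive pseudonyms; it stays on the production side,
# so nobody in the test environment can reverse the tokens.
PSEUDONYM_KEY = b"example-pseudonym-key-not-for-production"

# Constructed sample of what a production export might look like (not real data).
PRODUCTION_SAMPLE = """customer_id,email,card,dob,balance
C1001,alice@example.com,4111 1111 1111 1111,1984-07-21,250.00
C1002,bob@example.com,5500000000000004,1990-02-03,-40.10
"""


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins between
    tables still work, but the input cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_card(pan: str) -> str:
    """Keep only the last four digits, enough for a tester to recognise a record."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitise_record(row: dict) -> dict:
    """Replace or coarsen every identifying field; keep only what the tests need."""
    return {
        "customer_id": pseudonym(row["customer_id"]),
        "email": pseudonym(row["email"]) + "@example.invalid",
        "card": mask_card(row["card"]),
        "dob": row["dob"][:4] + "-01-01",  # year only
        "balance": row["balance"],         # non-identifying, drives the logic under test
    }


def sanitise_csv(text: str) -> List[dict]:
    return [sanitise_record(r) for r in csv.DictReader(io.StringIO(text))]


def write_test_dataset(path: Path, records: List[dict]) -> None:
    """Write the sanitised set with access restricted for the test period."""
    with path.open("w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=list(records[0].keys()))
        writer.writeheader()
        writer.writerows(records)
    os.chmod(path, 0o600)


def secure_delete(path: Path) -> bool:
    """Overwrite, then unlink, when testing is complete. On journaling file systems
    and SSDs this is not a guarantee; an encrypted volume whose key is destroyed
    is the stronger control there."""
    if not path.exists():
        return False
    size = path.stat().st_size
    with path.open("r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    path.unlink()
    return not path.exists()


def test_data_lifecycle(text: str = PRODUCTION_SAMPLE) -> dict:
    """Run select -> protect -> delete end to end and report what happened."""
    records = sanitise_csv(text)
    path = Path(tempfile.mkdtemp()) / "testdata.csv"
    write_test_dataset(path, records)
    written = path.exists()
    deleted = secure_delete(path)
    return {"records": len(records), "written": written, "deleted": deleted}


if __name__ == "__main__":
    print(test_data_lifecycle())
```

Keyed pseudonyms rather than plain hashes are the point of `pseudonym`: an unkeyed hash of a customer number or email is trivially reversed by hashing candidate values, while the keyed token is only reversible by whoever holds the key, which never leaves production.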