ISO 27001:2022 Annex A Control 8.27

Secure System Architecture and Engineering Principles

Book a demo

close,up,image,of,woman,hands,typing,on,laptop,computer

ISO 27001:2022 Annex A 8.27 specifies that organisations must implement secure system architecture and engineering principles to ensure that the design, implementation and management of the information system are appropriate to the organisation’s security requirements. This includes the establishment of secure system architectures, engineering principles and secure design practices.

The intricate structures of contemporary information systems, combined with the ceaselessly shifting cyber security risk environment, make information systems more prone to existing and potential security threats.

Annex A 8.27 outlines how organisations can protect their information systems from security threats through the implementation of secure system engineering principles during all stages of the information system life-cycle.

Purpose of ISO 27001:2022 Annex A 8.27

Annex A 8.27 facilitates organisations to secure information systems during the phases of design, deployment and operation, via the establishment and implementation of secure system engineering principles that system engineers must adhere to.

Ownership of Annex A 8.27

The Chief Information Security Officer is to be held accountable for erecting, sustaining, and putting into action the rules that govern safe engineering of information systems.

Jump to Topic

General Guidance on ISO 27001:2022 Annex A 8.27 Compliance

ISO 27001:2022 Annex A 8.27 underscores the necessity for organisations to embed security into the entirety of their information systems, including business processes, applications and data architecture.

Secure engineering practices should be implemented for all tasks associated with information systems, regularly reviewed and updated to account for emerging threats and attack patterns.

Annex A 8.27 also applies to systems created by external providers, in addition to those developed and run internally.

Organisations should guarantee that the practices and standards of service providers are in line with their secure engineering protocols.

ISO 27001:2022 Annex A 8.27 necessitates secure system engineering principles to address the following eight topics:

  1. Methods of user authentication.

  2. Secure session control guidance.

  3. Procedures for sanitising and validating data.

  4. Security measures for protecting information assets and systems against known threats are analysed comprehensively.

  5. Security measures analysed for their ability to identify, eliminate, and respond to security threats.

  6. Analysing the security measures applied to specific business activities, such as information encryption.

  7. Where and how security measures will be implemented. A specific Annex A security control may be integrated within the technical infrastructure as part of this process.

  8. The way in which different security measures work together and operate as a combined system.

Guidance on Zero Trust Principle

Organisations should bear in mind these zero-trust principles:

  • Based on the assumption that the organisation’s systems are already compromised and that the defined perimeter security of its network cannot provide adequate protection.

  • A policy of “verification before trust” should be adopted when it comes to granting access to information systems. This ensures that access is granted only after scrutiny, making sure that the right people have it.

  • Ensuring requests made to information systems are safeguarded with end-to-end encryption provides assurance.

  • Verification mechanisms are implemented assuming access requests from external, open networks to information systems.

  • Implement least privilege and dynamic access control consistent with ISO 27001:2022 Annex A 5.15, 5.18, and 8.2. This must encompass authentication and authorisation of sensitive info and info systems taking into account contextual aspects such as user identities (ISO 27001:2022 Annex A 5.16) and information classification (ISO 27001:2022 Annex A 5.12).

  • Authenticate the identity of the requester and verify authorisation requests to access information systems according to authentication information in ISO 27001:2022 Annex A 5.17, 5.16 and 8.5.

What Should Secure System Engineering Techniques Cover?

Your organisation should keep in mind the following:

  • Incorporating secure architecture principles such as “security by design”, “defence in depth”, “fail securely”, “distrust input from external applications”, “assume breach”, “least privilege”, “usability and manageability” and “least functionality” is paramount.

  • Conducting a security-oriented design review to detect any information security issues and making sure that security measures are established and meet the security needs.

  • Documenting and acknowledging security measures that fail to meet requirements is essential.

  • System hardening is essential for the security of any system.

What Criteria to Consider When Designing Secure Engineering Principles?

Organisations should take into account the following points when setting up secure system engineering principles:

  • The requirement to coordinate Annex A Controls with particular security architecture is indispensable.

  • An organisation’s existing technical security infrastructure, including public key infrastructure, identity management, and data leakage prevention.

  • Can the organisation construct and sustain the technology chosen.

  • The cost and the time needed to fulfil security requisites, taking into account their complexity, must be considered.

  • Adhering to current best practices is essential.

Guidance on Application of Secure System Engineering Principles

ISO 27001:2022 Annex A 8.27 states that organisations can utilise secure engineering principles when setting up the following:

  • Fault tolerance and other resilience strategies are essential. They help ensure that systems remain operational despite the occurrence of unexpected events.

  • Segregation through virtualisation is one technique that can be utilised.

  • Tamper-proofing, ensure that systems remain secure and impervious to malicious interference.

Secure virtualisation technology can reduce the risk of interception between applications running on the same device.

It is emphasised that tamper resistance systems can detect both logical and physical manipulation of information systems, preventing unauthorised access to data.

Changes and Differences From ISO 27001:2013

ISO 27001:2022 Annex A 8.27 replaces ISO 27001:2013 Annex A 14.2.5 in the revised 2022 standard.

The 2022 version contains more extensive demands than the 2013 version, such as:

  • In comparison to 2013, the 2022 version furnishes guidance on what secure engineering principles ought to comprise.

  • As opposed to the 2013 iteration, the 2022 version considers the criteria that organisations should take into account when constructing secure system engineering principles.

  • The 2022 version provides guidance on the zero trust principle, which was not included in the 2013 version.

  • The 2022 edition of the document includes recommendations for secure engineering techniques, such as “security by design,” which was not present in the 2013 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

Our step-by-step checklist makes ISO 27001 implementation a breeze. Our complete compliance solution for ISO/IEC 27001:2022 will guide you through the process from start to finish.

Upon logging in, you can expect up to 81% progress.

This solution is totally comprehensive and straightforward.

Reach out now to book a demonstration.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more