Ensuring Security from Development to Deployment: ISO 27002 Control 8.29 Explained
Cyber criminals are constantly inventing new ways and are improving their strategies to infiltrate corporate networks and gain access to sensitive information assets.
For example, cyber attackers may exploit a vulnerability related to the authentication mechanism in the source code to intrude into networks. Furthermore, they may also attempt to manipulate end-users on the client side into performing actions to infiltrate networks, gain access to data or carry out ransomware attacks.
If an application, software, or IT system is deployed in the real world with vulnerabilities, this would expose sensitive information assets to the risk of compromise.
Therefore, organisations should establish and implement an appropriate security testing procedure to identify and remedy all vulnerabilities in IT systems before they are deployed to the real world.
Purpose of Control 8.29
Control 8.29 enables organisations to verify that all information security requirements are satisfied when new applications, databases, software, or code are put into operation by establishing and applying a robust security testing procedure.
This helps organisations to detect and eliminate vulnerabilities in the code, networks, servers, applications, or other IT systems before they are used in the real world.
Attributes of Control 8.29
Control 8.29 is preventive in nature. It requires organisations to subject new information systems and their new/updated versions to a security testing process before they are released into the production environment.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Identify | #Application Security | #Protection |
| #Integrity | #Information Security Assurance | |||
| #Availability | #System and Network Security |
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Control 8.29
Considering that Control 8.29 involves establishment, maintenance and implementation of a security testing procedure that will apply to all new information systems whether developed in-house or by external parties, the Information Security Officer should be responsible for compliance.
General Guidance on Compliance
Organisations should incorporate security testing into the testing process for all systems and they must ensure that all new information systems and their new/updated versions satisfy the information security requirements when they are in the production environment.
Control 8.29 lists three elements that should be included in the security testing process:
- Security functions such as user authentication as defined in Control 8..5, access restriction as prescribed in Control 8.3, and cryptography as addressed in Control 8.24.
- Secure coding as described in Control 8.28.
- Secure configurations as prescribed in Controls 8.9, 8.20, 8.22. This may cover firewalls and operating systems.
What Should a Test Plan Include?
When designing security testing plans, organisations should take into account the level of criticality and nature of the information system at hand.
Security testing plan should cover the following:
- Establishment of a detailed schedule for the activities and the testing to be conducted.
- Inputs and outputs expected to occur under a given set of conditions.
- Criteria to assess the results.
- If appropriate, decisions to take actions based upon the results.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
In-House Development
When IT systems are developed by the in-house development team, this team should carry out the initial security testing to ensure the IT system satisfies security requirements.
This initial testing should then be followed by an independence acceptance testing in accordance with Control 5.8.
In relation to the in-house development, the following should be considered:
- Carrying out code review activities to detect and eliminate security flaws, including expected inputs and conditions.
- Carrying out vulnerability scanning to detect insecure configurations and other vulnerabilities.
- Carrying out penetration tests to detect insecure code and design.
Outsourcing
Organisations should follow a strict acquisition process when they outsource development or when they purchase IT components from external parties.
Organisations should enter into an agreement with their suppliers and this agreement should address the information security requirements as prescribed in Control 5.20.
Furthermore, organisations should ensure that the products and services they purchase are in compliance with the information security standards.
Supplementary Guidance on Control 8.29
Organisations can create multiple test environments to carry out various testing such as functional, non-functional, and performance testing.
Furthermore, they can create virtual test environments and then configure these environments to test the IT systems in various operational settings.
Control 8.29 also notes that effective security testing requires organisations to test and monitor the testing environments, tools, and technologies.
Lastly, organisations should take into account the level of sensitivity and criticality of data when determining the number of layers of meta-testing.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27002:2013
27002:2022/8.29 replaces 27002:2013/(14.2.8 and 14.2.9)
Structural Changes
Whereas the 2022 Version addresses secure testing under one single Control, the 2013 version referred to secure testing in two separate controls; System Security Testing in Control 14.2.8 and System Acceptance Testing in Control 14.2.9
Control 8.29 Brings More Comprehensive Requirements
In contrast to the 2013 version, the 2022 Version includes more detailed requirements and recommendations on the following:
- Security testing plan and what it should include.
- Criteria for security testing for in-house development of IT systems.
- Security testing process and what it should entail.
- Use of multiple test environments.
The 2013 Version Was More Detailed in Relation to Acceptance Testing
Contrary to the 2022 Version, the 2013 version was more prescriptive for system acceptance testing. It included requirements such as security testing on received components and the use of automated tools.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
ISMS.online streamlines the ISO 27002 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.
Get in touch and book a demo.
