This article provides an overview of how important it is to  develop security policies in line with your systems development lifecycle as part of  ISO 27002 compliance.

The objective of Security requirements of information systems is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

The objective of security in development and support processes is to ensure that information security is designed and implemented within the development lifecycle of information systems.

Security requirements of information systems:

  1. Information security requirements analysis and specification – the information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems.
  2. Securing application services on public networks – information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
  3. Protecting application services transactions – Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Security in development and support processes:

  1. Secure development policy – rules for the development of software and systems should be established and applied to developments within the organisation.
  2. System change control procedures – changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.
  3. Technical review of applications after operating platform changes – when operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organisational operations or security.
  4. Restrictions on changes to software packages – modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.
  5. Secure system engineering principles – principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.
  6. Secure development environment – organisations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
  7. Outsourced development – the organisation should supervise and monitor the activity of outsourced system development.
  8. System security testing – testing of security functionality should be carried out during development.
  9. System acceptance testing – acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.

Test data:

  1. Protection of test data – test data should be selected carefully, protected and controlled.

For more information please contact Morland-Austin at