ISO 27001 : Annex 14 System Acquisition, Development and Maintenance

-

ISO 27001 : Annex 14 System Acquisition , Development and Maintenance in this article is explain  A.14.1  Security Requirements of Information Systems & A.14.1.1  Information Security Requirements Analysis and Specification.

A.14.1  Security Requirements of Information Systems

Its objective is ensuring the information management for the entire lifecycle is an important part of information systems. This also includes the information systems requirements that provide services over a public network.

A.14.1.1  Information Security Requirements Analysis and Specification

Control- Information security requirements for new information systems or enhancements to existing information systems should be included

Implementation Guidance – Information security needs should be defined using various approaches such as derivation of policy and regulation enforcement criteria, threat analysis, incident assessment, and the use of thresholds of vulnerability. All stakeholders will log and review the identification results.

The business assessment of the information concerned and possible negative effects on business resulting from lack of sufficient protection should reflect information security standards and inspections.

Early stages of projects for information systems will include the definition and management of information security specifications and related processes. Early consideration of information security requirements can lead, for example, to more efficient and effective solutions at the design level.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

The requirements of information security should also take into account:

  1. confidence in the claimed identity of users required to meet the requirement to obtain user authentication;
  2. Processes for access and authorization of all business users and privileged or skilled users;
  3. Inform users and managers of their roles and responsibilities;
  4. the necessary protection needs of the assets concerned, including accessibility, confidentiality, and integrity;
  5. business process specifications, such as transaction recording and monitoring, non-repudiation specifications;
  6. Requirements required by other security controls, such as logging and monitoring interfaces or data leak detection systems.

Dedicated controls should be considered for applications that deliver infrastructure through public networks or that carry out transactions.

A structured testing and procurement process must be followed if goods are purchased. Supplier contracts will meet the security requirements found. If a proposed product has no safety features, the risk identified and the associated controls should be reconsidered before the product is purchased.

The available security configuration guidance should be evaluated and implemented for the product aligned with the system ‘s final software / service stack.

Product acceptance criteria, e.g. in terms of functionality, should be defined to ensure that the security criteria identified are complied with. Before acquisition, products should be assessed according to these criteria. Further functionality should be checked in order to ensure that additional risks are not unacceptable.

Other Information – In order to identify controls to meet information security requirements, ISO / IEC 27005 and ISO 31000 provide guidance on the use of risk management processes.

Read More : https://info-savvy.com/iso-27001-annex-14-system-acquisition-development-and-maintenance/

-------------------------------------------------------------------------------------------------------------------------------------

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

Post a Comment

Popular posts from this blog

10 Secrets You Will Never Know About Cyber Security And Its Important

-
Image
Know about Cyber Security Whether you’re a techie or not, there’s a good chance that your life is very reliant on the net and its wonders. Your social media accounts are likely humming, and you recognize your way round the IOT devices you employ . All of those devices connect you to the cyber world in a method or another. Here are 12 things to understand about  cyber security . And once you are sharing such a lot of your data online daily, you may also care about your cyber security.  If you’ve always thought cyber security are a few things only big companies got to care about change your mind, now. Cyber security is as critical on a private level, because it is on a company’s level. Besides, there’s hardly any job or profession, that’s not supported technology. With  jobs or a career in mind , you need to understand what threatens your security online and what you’ll be able to do to stay your data secure. 1  You’re a target to hackers Don’t ever say...
Read more

ISO 27001 Annex : A.5 Information Security Policies

-
Image
5. 1  Management direction for information security ISO 27001 Annex : A.5 Information Security Policies, Its objective is to provide management guidance and  information security  assistance in accordance with business requirements and relevant laws and regulations. 5.1.1 Policies for Information Security Control-   A set of information security policies should be established, managed accepted, published and communicated to the employees and related external parties. Implementation Guidance-  At the very least companies need to identify a management-approved “information security strategy,” which outlines the organization’s approach to managing its information security goals. Information security policies should meet criteria that have been created by: Business strategy; Regulations, legislation and contracts; The present and projected  information security threat  environment Related Product :   ISO 27001 Lead...
Read more

Impact Of ISO 27001 Lead Auditor

-
Image
Information Security Management System  ISO 27001   Standard is an Information Security Management System. The main objective of this standard is the organization shall establish, implement and maintain the information security system within the organization. Evaluate the information security Risk at each stage of operation and take the necessary action to reduce the information security Risk within the organization. In common business practice the ISO 27001 standard is also referred as ISMS standard. The summarized requirement details of ISO 27001 are given below: Context of The Organization The organization shall identify the internal and external issue related to  information security , including the legal, regulatory and contractual requirements. Determining the scope of information security management system and establishing the information security management system. Leadership The top management of the organization demonstrates the leadership and ...
Read more