---
tags:
  - iso27001/2022/EN
---

## 8.25 Secure development life cycle

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection |

**Control**

Rules for the secure development of software and systems should be established and applied.

**Purpose**

To ensure information security is designed and implemented within the secure development life cycle of software and systems.

**Guidance**

Secure development is a requirement to build up a secure service, architecture, software and system. To achieve this, the following aspects should be considered:

a\) separation of development, test and production environments (see >8.31>);

b\) guidance on the security in the software development life cycle:

  1\) security in the software development methodology (see >8.28> and >8.27>);

  2\) secure coding guidelines for each programming language used (see >8.28>);

c\) security requirements in the specification and design phase (see >5.8>);

d\) security checkpoints in projects (see >5.8>);

e\) system and security testing, such as regression testing, code scan and penetration tests (see >8.29>);

f\) secure repositories for source code and configuration (see >8.4> and >8.9>);

g\) security in the version control (see >8.32>);

h\) required application security knowledge and training (see >8.28>);

i\) developers’ capability for preventing, finding and fixing vulnerabilities (see >8.28>);

j\) licensing requirements and alternatives to ensure cost-effective solutions while avoiding future licensing issues (see >5.32>).

If development is outsourced, the organization should obtain assurance that the supplier complies with the organization’s rules for secure development (see >8.30>).

**Other information**

Development can also take place inside applications, such as office applications, scripting, browsers and databases.