8.30 Outsourced development
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive #Detective | #Confidentiality #Integrity #Availability | #Identify #Protect #Detect | #System_and_network_security #Application_security #Supplier_relationships_security | #Governance_and_Ecosystem #Protection |
**Control**

The organization should direct, monitor and review the activities related to outsourced system development.

**Purpose**

To ensure information security measures required by the organization are implemented in outsourced system development.

**Guidance**

Where system development is outsourced, the organization should communicate and agree requirements and expectations, and continually monitor and review whether the delivery of outsourced work meets these expectations. The following points should be considered across the organization's entire external supply chain:
a) licensing agreements, code ownership and intellectual property rights related to the outsourced content (see 5.32);
b) contractual requirements for secure design, coding and testing practices (see 8.25 to 8.29);
c) provision of the threat model for external developers to consider;
d) acceptance testing for the quality and accuracy of the deliverables (see 8.29);
e) provision of evidence that minimum acceptable levels of security and privacy capabilities are established (e.g. assurance reports);
f) provision of evidence that sufficient testing has been applied to guard against the presence of malicious content (both intentional and unintentional) upon delivery;
g) provision of evidence that sufficient testing has been applied to guard against the presence of known vulnerabilities;
h) escrow agreements for the software source code (e.g. if the supplier goes out of business);
i) contractual right to audit development processes and controls;
j) security requirements for the development environment (see 8.31);
k) taking into consideration applicable legislation (e.g. on protection of personal data).

**Other information**

Further information on supplier relationships can be found in the ISO/IEC 27036 series.