ISO 27001 Access To Source Code
I am going to show you what ISO 27001 Annex A 8.4 Access To Source Code is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.
I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.
Table of Contents
What is ISO 27001 Annex A 8.4?
ISO 27001 Annex A 8.4 Access To Source Code is an ISO 27001 Annex A control that wants you to make sure you have controls in place around access to code.
Purpose
The purpose of ISO 27001 Annex A 8.4 Access To Source Code is to prevent the introduction of unauthorised functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property.
Definition
The ISO 27001 standard defines Annex A 8.4 as:
Read and write access to source code, development tools and software libraries should be appropriately managed.
ISO 27001:2022 Annex A 8.4 Access To Source Code
Implementation Guide
Applicability
If you have source code then you want to protect access to it. If you do not then this is not in scope for you, you can update your statement of applicability to put it out of scope, add it to the risk register and accept the risk.
Documentation
If you do have source code then you already know what to do as there is nothing revolutionary in this particular control. The control is looking for documentation and maturity of process of what you already do.
Process
You are going to manage access to your source code, program code, libraries and associated software. The requirement is to stop unauthorised modification that can lead to an information security incident.
Risk Assessment
Conduct a risk assessment, understand what you have and what you need to protect and put in place appropriate controls around that.
Logging and Monitoring
It is good practice to include logging and monitoring so you have audit trails.
Digital Signatures
Digital signatures may or may not be required as part of the process of providing assurance on the integrity of the code and you may find some clients require the use of escrow services.
ISO 27001 Templates
ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to pass an audit
Time needed: 1 day
How to comply with ISO 27001 Annex A 8.4
- Have policies and procedures in place
Write, approve, implement and communicate the documentation required for access to source code.
- Assess your code use and code requirements and perform a risk assessment
For each code type perform a risk assessment.
- Implement controls proportionate to the risk posed
Based on the risk assessment implement the appropriate controls to mitigate the risk.
- Keep records
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
- Test the controls that you have to make sure they are working
Perform internal audits that include the testing of the controls to ensure that they are working.
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Annex A 8.4 are
1. Allowing everyone to access code
Depending on the size of teams, complexity and mix of internal and external resource the requirements for access restrictions on code can often get over looked. Be sure to understand and document the requirements, put in place processes and lock the access down based on organisation need and business risk.
2. Your code is on laptops
This common mistake actually relates to copies of your code being all over the place. It can be hard to manage code and developers and teams to maintain a single source of truth in a controlled way that protects your intellectual property and the integrity of the code base. Some people use check in and check out solutions but be aware of rogue copies of your code out in the real world and the risk it poses to you, usually in terms of that code being taken and used some where else for commercial gain without your approval or knowledge.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Identity and access management | Protection |
| Integrity | Application Security | |||
| Availability | Secure Configuration |