ISO 27002 Security Testing in Development and Acceptance – Control 8.29

Home / ISO 27002 Explained / ISO 27002 Security Testing in Development and Acceptance – Control 8.29

ISO 27002 Security Testing in Development and Acceptance

“Security Testing in Development and Acceptance,” is a crucial control within the ISO 27002 framework. It emphasises the importance of rigorously testing software before its release to the production environment to ensure that it meets all established security requirements. By proactively identifying and mitigating vulnerabilities during the development lifecycle, organisations can significantly reduce the risk of security breaches, data loss, and other adverse consequences

What is ISO 27002:2022 Control 8.29?

ISO 27002 Control 8.29, “Security Testing in Development and Acceptance,” is a control within the ISO 27002 framework. It mandates that organisations thoroughly test software before its release to the production environment to ensure compliance with information security requirements and provides implementation guidance on how to implement ISO 27001 Annex A 8.29.

Definition of ISO 27002 Control 8.29

ISO 27002 defines ISO 27002 Control 8.29 as – Development, testing and production environments should be separated and secured.

Purpose of ISO 27002 Control 8.29

This control acts as a preventive measure, helping to identify and mitigate security vulnerabilities early in the development lifecycle. By conducting rigorous security testing, organisations can significantly reduce the risk of security breaches and data loss in production systems.

Ownership of ISO 27002 Control 8.29

The Information Security Officer, in close collaboration with domain experts, is responsible for:

  • Establishing and maintaining effective security testing controls and procedures.
  • Ensuring the proper implementation and oversight of these security testing activities.

Compliance Guidance

This checklist outlines key steps for implementing effective security testing within the software development lifecycle, as required by ISO 27002 Control 8.20.

Define and Integrate Security Testing:

Develop a comprehensive security testing strategy aligned with the overall development process.
Integrate security testing throughout the entire SDLC.
Provide training to development teams on security best practices.

Conduct Thorough Testing:

Perform regular code reviews to identify and address vulnerabilities.
Utilise automated vulnerability scanning tools.
Conduct penetration testing to simulate real-world attacks.

Promote Secure Development Practices:

Encourage and enforce secure coding practices.
Leverage secure development frameworks and libraries.

Secure Configuration Management:

Implement a secure configuration management process to ensure systems and applications are configured correctly.

Acceptance Testing for Security:

Integrate security testing into the acceptance testing process.

Continuous Improvement:

Continuously monitor and analyse security testing activities.
Identify and address areas for improvement.

Documentation and Communication:

Document all security testing activities and communicate results effectively to stakeholders.

Addressing Challenges:

The checklist also addresses common challenges such as:

  • Resource constraints: Ensuring adequate resources and expertise for security testing.
  • False positives: Dealing with false alarms from vulnerability scanning tools.
  • Keeping up-to-date: Staying current with the latest vulnerabilities and security threats.
  • Developer motivation: Encouraging developer participation in code reviews.
  • By addressing these challenges and implementing the recommendations outlined in the checklist, organisations can significantly improve their software security posture and reduce the risk of security breaches.

Supplementary Guidance on ISO 27002 Control 8.29

Diverse Testing Needs: Different types of testing (e.g., functional, performance) require specific environments with unique configurations to accurately simulate real-world scenarios.

Virtualisation: Utilising virtual environments allows for flexible and efficient creation of various testing scenarios.

Monitoring and Maintenance: Regular monitoring and testing of the test environments themselves is crucial to ensure their effectiveness. This includes monitoring the tools and technologies used within these environments.

Layered Testing: The need for multiple layers of testing (meta-testing) should be evaluated based on the sensitivity of the systems and data involved.

Key takeaway: By establishing and effectively managing diverse test environments, organisations can significantly improve the quality, reliability, and security of their software products.

Changes and Differences to ISO 27002:2013

ISO 27002:2022/8.29 consolidates the previous 2013 version’s separate controls for System Security Testing (14.2.8) and System Acceptance Testing (14.2.9) into a single, more comprehensive control.

Key Changes:

Broader Scope: The 2022 version provides more detailed guidance on various aspects of security testing, including:

Testing Plan: Requirements for a comprehensive security testing plan.
In-house Development: Specific criteria for security testing when developing systems in-house.

Testing Process: Detailed recommendations for the security testing process itself.

Test Environments: The importance of utilising multiple test environments.

Reduced Emphasis on Acceptance Testing: While the 2013 version provided more specific guidance on system acceptance testing, the 2022 version offers a more holistic approach to security testing throughout the development lifecycle.

These changes reflect a shift towards a more integrated and comprehensive approach to security testing within the ISO 27002 framework.

ISO 27002 Control 8.29 FAQ

What is the difference between ISO 27001 Annex A 8.29 and ISO 27002 Control 8.29?

ISO 27001 Annex A 8.29 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.29 is the implementation guidance for the control.

Is Security Testing in Development and Acceptance required for ISO 27001 certification?

Yes, Security Testing in Development and Acceptance is a required information security control for ISO 27001 certification, if you do software development.

ISO 27002 Control 8.29 Attributes Table

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityIdentifyApplication SecurityProtection
IntegritySystem and Network Security
Availability

ISO 27001 Toolkit

Stop Spanking £10,000s on consultants and ISMS online-tools