ISO 27002 Outsourced Development – Control 8.30


ISO 27002 Outsourced Development

Outsourcing IT and software development offers benefits like cost savings and increased flexibility. However, it also introduces security risks.

External providers may have inadequate security controls, such as weak network security or insufficient data encryption. This can lead to data breaches, compromising the confidentiality, integrity, and availability of your information.

Since outsourcing reduces direct control over the development process, it’s crucial to ensure that external providers adhere to your organisation’s information security requirements.

What is ISO 27002:2022 Control 8.30?

ISO 27002 Control 8.30 Outsourced Development provides the implementation guidance for ISO 27001 Annex A 8.30.

Definition of ISO 27002 Control 8.30

ISO 27002 defines Control 8.30 as follows: the organisation must actively oversee the development of outsourced systems, including directing, monitoring, and reviewing all related activities.

Purpose of ISO 27002 Control 8.30

This is a preventive and detective control designed to ensure outsourced system development adheres to the organisation’s information security requirements.

Ownership of ISO 27002 Control 8.30

The Chief Information Security Officer (CISO) is responsible for establishing and implementing procedures and controls that ensure all information security requirements are effectively communicated to, agreed upon by, and complied with by external suppliers.

Compliance Guidance

Organisations must continuously check that outsourced development work meets their information security requirements.

Control 8.30 provides guidance on outsourcing development, including these key factors:

Contracts: Agreements should address ownership of code and intellectual property rights.

Security Requirements: Contracts should include requirements for secure design and coding, as outlined in Controls 8.25 and 8.29.

Threat Modelling: Establish a threat model for third-party developers to follow.

Acceptance Testing: Conduct thorough acceptance testing to ensure the quality and accuracy of the work.

Security Evidence: Obtain evidence that the delivered system meets minimum privacy and security standards. This may involve reviewing assurance reports.

Malicious Content Protection: Verify that sufficient testing has been performed to protect against malicious content.

Vulnerability Testing: Ensure adequate testing has been conducted to identify and address vulnerabilities.

Escrow Agreements: Implement escrow agreements for the software source code to protect against supplier disruptions (e.g., if the supplier goes out of business).

Audit Rights: Include the right to audit the development processes and controls of the third-party supplier.

Development Environment: Establish and enforce security requirements for the supplier’s development environment.

Legal Compliance: Consider all applicable laws and regulations related to outsourcing.

Supplementary Guidance on ISO 27002 Control 8.30

For further guidance on managing supplier relationships, refer to ISO/IEC 27036.

Changes and Differences to ISO 27002:2013

The 2022 version of ISO 27002 retains the same level of control as its predecessor.

Control 8.30 in ISO 27002:2022 essentially replaces control 14.2.7 in ISO 27002:2013 with no significant change.

ISO 27002 Control 8.30 FAQ

What is the difference between ISO 27001 Annex A 8.30 and ISO 27002 Control 8.30?

ISO 27001 Annex A 8.30 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.30 is the implementation guidance for the control.

Is ISO 27002 Outsourced Development Control 8.30 required for ISO 27001 certification?

Yes, ISO 27002 Outsourced Development Control 8.30 is a required information security control for ISO 27001 certification if you outsource your development to a third-party supplier.

ISO 27002 Control 8.30 Attributes Table

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Application Security, System and Network Security
Security domains: Protection
