Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

Last updated Aug 21, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Security Testing in Development and Acceptance
Implementation Guide
Implementation Checklist
Audit Checklist
FAQ
ISO 27002 Control 8.29
Related ISO 27001 Controls
Further Reading
ISO 27001 Control and Attributes Table

ISO 27001 Security Testing in Development and Acceptance

ISO 27001 Security Testing in Development and Acceptance is an ISO 27001 control that requires an organisation to test software before they put it into production to ensure that information security requirements have been met.

Purpose

ISO 27001 Annex A 8.29 is a preventive control to validate if information security requirements are met when applications or code are deployed to the production environment.

Definition

ISO 27001 defines ISO 27001 Annex A 8.29 as:

Security testing processes should be defined and implemented in the development life cycle.
ISO27001:2022 Annex A 8.29 Security Testing in Development and Acceptance

Get the ISO 27001 Certification Kit >

Implementation Guide

I am not in the business of telling you how to conduct testing. Testing is a professions in it’s own right and information security testing can require some specialist resources. What I am going to do is show you want the ISO 27001 standard expects in the implementation for you to achieve ISO 27001 certification. These are on the whole, no brainers, common sense and what you would expect but let us take a look anyway.

General

Testing is part of the software development lifecycle. There relevant clauses that you need include:

Secure Development Policy

The first step is to create, or download, your secure development policy. The ISO 27001 secure development policy set’s out what you do for information security in the context of software and systems development. It does not set out how you do it, as how you do it is covered in your processes.

The ISO 27001 Template is the quickest way to do this but you can also take a look and write it yourself.

ISO 27001 Secure Development Policy Template

Separate Environments

You are going to make sure that for the in-scope developments that you have separate development, test and live environments with the appropriate management and controls in place around this. This will include the process of promoting through those environments and the authorisations and approvals and acceptance.

Testing in a test environment should be conducted with the test environment matching as closely as possible to the production environment.

It is possible to have multiple test environments to facilitate different kinds of tests.

Further reading: ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

Testing

All secure development will have testing. It is not our place, again, to tell you how to test as again, this is a profession in its own right but there must be a level of security testing in place that looks at the three parts of information security being confidentiality, integrity and availability.

Simple testing that can be considered here would be penetration testing, vulnerability testing, regression testing, code scanning and code testing.

We conduct testing for new information systems, upgrades, patches, new versions, changes.

When conducting security testing we are testing against a set of requirements that we have defined. This can be in the form of configurations in testing systems. Baseline configurations and using the features of testing tools to enhance our capability.

Testing should consider including:

Access restrictions
Global admin restrictions
Cryptography and encryption
User authentication
Secure Configurations

Testing is always proportionate to the risk, importance and data being processed, stored or transmitted.

Test Plans

Testing is conducted against test plans. When creating test plans consideration is given to

Schedules of Activity
Schedules of Tests
Inputs and Expected Outputs
Evaluation Criteria
Follow Up Actions

Knowledge and Experience

The standard touches on this in a number of areas, having people with the right knowledge and / or experience to perform the role. This is also true of testing. Having a competency matrix and being able to point to qualifications or certifications will help. Where there are gaps a plan, such as training, should be in place but these are basic HR and people functions that are common place in any role.

Who Tests

Who conducts the test should be considered and be proportionate to the test being performed. Consider testing by the actual developer, peer review testing and also independent testing. An independent test has to be completed before go live.

Types of Testing

There are many types of testing that can be undertaken. The following is not an exhaustive list but

Code Review
Vulnerability Scanning
Penetration Testing
Peer Review
Automated Testing
Manual Testing

Documentation

Be sure to have documented evidence of tests conducted as well as of the acceptance criteria, process and sign offs.

Outsourced Development

If you outsource your development then the third party supplier controls will apply. The main thing is to ensure they meet your requirements for secure development but all relevant controls will apply to them.

Further reading: ISO 27001 Annex A 8.30 Outsourced Development

Implementation Checklist

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance Implementation Checklist:

1. Define a Security Testing Strategy

Develop a comprehensive security testing strategy that outlines the scope, objectives, and methodology for security testing throughout the development lifecycle.

Challenges

Aligning security testing with the overall development process, ensuring adequate resources and expertise.

Solutions

Integrate security testing into the software development lifecycle (SDLC), provide training to development teams on security best practices.

2. Conduct Code Reviews

Perform regular code reviews to identify and address security vulnerabilities, such as buffer overflows, SQL injection, and cross-site scripting.

Challenges

Ensuring consistent and thorough code reviews, maintaining developer motivation for code review activities.

Solutions

Implement automated code review tools, establish clear guidelines and checklists for code reviews, provide incentives for developers to participate in code reviews.

3. Perform Vulnerability Scans

Utilise automated vulnerability scanning tools to identify and assess security vulnerabilities in applications, systems, and networks.

Challenges

False positives, overwhelming number of vulnerabilities, keeping up with the latest vulnerabilities and exploits.

Solutions

Prioritise vulnerabilities based on risk, implement vulnerability management processes, utilise vulnerability scanning tools effectively.

4. Conduct Penetration Testing

Perform penetration testing to simulate real-world attacks and identify exploitable vulnerabilities.

Challenges

Cost, resource constraints, potential for disruption to operations.

Solutions

Plan and scope penetration tests carefully, utilise ethical hackers and penetration testing tools, conduct penetration tests in controlled environments.

5. Implement Secure Coding Practices

Promote and enforce secure coding practices throughout the development process, including the use of secure coding standards and guidelines.

Challenges

Ensuring developer adherence to secure coding practices, keeping up with evolving security threats.

Solutions

Provide training on secure coding best practices, integrate secure coding principles into the development process, implement code analysis tools.

6. Utilise Secure Development Frameworks and Libraries

Leverage secure development frameworks and libraries to minimise the risk of common vulnerabilities.

Challenges

Selecting appropriate frameworks and libraries, ensuring compatibility with existing systems.

Solutions

Conduct thorough research and evaluation of available options, consider the security track record of frameworks and libraries.

7. Establish a Secure Configuration Management Process

Implement a secure configuration management process to ensure that systems and applications are configured securely.

Challenges

Maintaining secure configurations over time, ensuring consistent application of security configurations.

Solutions

Utilise automated configuration management tools, implement change management controls for system configurations.

8. Conduct Acceptance Testing for Security

Include security testing as part of the acceptance testing process to ensure that the system meets security requirements before deployment.

Challenges

Ensuring adequate coverage of security requirements in acceptance testing, integrating security testing into the acceptance testing process.

Solutions

Develop clear acceptance criteria for security requirements, involve security experts in the acceptance testing process.

9. Continuously Monitor and Improve

Continuously monitor security testing activities, analyse test results, and identify areas for improvement.

Challenges

Maintaining visibility into security testing activities, keeping up with evolving security threats.

Solutions

Implement security information and event management (SIEM) systems, conduct regular security audits and assessments.

10. Document and Communicate

Document all security testing activities, including test plans, results, and remediation actions. Communicate security testing results to relevant stakeholders.

Challenges

Maintaining accurate and up-to-date documentation, ensuring effective communication of security testing results.

Solutions

Utilise a centralised repository for security testing documentation, establish clear communication channels for sharing security testing information.

Audit Checklist

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance Audit Checklist:

1. Review Security Testing Strategy

Determine if a documented and approved security testing strategy exists and if it is aligned with the organisation’s risk profile and security objectives.

Auditing Steps: Review the strategy document, interview relevant personnel, and assess its integration with the SDLC.

2. Assess Code Review Processes

Evaluate the effectiveness of code review processes, including frequency, participation, and the use of code review checklists.

Observe code review meetings, interview developers, review code review logs, and analyse the types of vulnerabilities identified.

3. Examine Vulnerability Scanning Activities

Determine the frequency and scope of vulnerability scans, the types of vulnerabilities identified, and the effectiveness of remediation efforts.

Review vulnerability scan reports, interview security personnel, and assess the organisation’s vulnerability management process.

4. Evaluate Penetration Testing Procedures

Determine the frequency, scope, and methodology of penetration testing activities, as well as the effectiveness of remediation efforts.

Review penetration testing reports, interview penetration testers, and assess the impact of identified vulnerabilities.

5. Assess Secure Coding Practices

Evaluate the extent to which secure coding practices are followed by development teams, including the use of secure coding standards and guidelines.

Interview developers, review code samples, and assess the effectiveness of secure coding training programs.

6. Review the Use of Secure Development Frameworks and Libraries

Determine whether the organisation utilises secure development frameworks and libraries, and assess the security posture of these components.

Review the selection process for frameworks and libraries, assess their security track record, and determine if they are regularly updated and patched.

7. Examine Secure Configuration Management:

Evaluate the effectiveness of secure configuration management processes, including the use of secure baselines and change control procedures.

Review system configuration documentation, interview system administrators, and assess the effectiveness of configuration management tools.

8. Assess Acceptance Testing for Security

Objective: Determine whether security requirements are adequately addressed in acceptance testing procedures and whether security testing is effectively integrated into the acceptance process.

Auditing Steps: Review acceptance test plans and results, interview testers, and assess the effectiveness of security acceptance criteria.

9. Review Security Testing Documentation

Determine the completeness and accuracy of security testing documentation, including test plans, results, and remediation actions.

Review security testing documentation, assess its completeness and accuracy, and determine if it is readily accessible to relevant personnel.

10. Evaluate Continuous Improvement

Determine whether the organisation is continuously improving its security testing processes based on lessons learned and emerging threats.

Review security testing reports, assess the implementation of improvement recommendations, and interview key personnel regarding continuous improvement initiatives.

FAQ

What is the purpose of ISO 27001 Annex A 8.29: Security Testing in Development and Acceptance?

To ensure that information systems and applications are developed and implemented with appropriate security controls in place. It focuses on identifying and mitigating security vulnerabilities throughout the software development lifecycle.

What types of security testing are covered in Annex A 8.29?

Static Testing: Code reviews, static code analysis, and threat modelling.
Dynamic Testing: Penetration testing, vulnerability scanning, and fuzzing.
Acceptance Testing: Security testing conducted during the acceptance phase to ensure that the system meets security requirements.

When should security testing be performed during the development lifecycle?

Throughout the entire development lifecycle, from design and development to testing and deployment.
Early and frequent security testing is crucial to identify and address vulnerabilities early on.

What are the key principles of secure software development?

Build Security In: Integrate security considerations into all phases of the development process.
Defence in Depth: Implement multiple layers of security controls.
Continuous Improvement: Regularly review and improve security testing processes.

How can organisations ensure that security testing is integrated into the development process?

Develop a secure software development lifecycle (S-SDLC).
Provide training to developers on secure coding practices.
Utilise automated security testing tools.
Establish clear roles and responsibilities for security testing activities.

What are the challenges of conducting effective security testing?

Resource Constraints: Limited budget and personnel for security testing.
Skill Shortages: Lack of qualified security professionals.
False Positives and False Negatives: Difficulty in accurately identifying and prioritising vulnerabilities.
Keeping Up with Evolving Threats: The constant emergence of new threats and vulnerabilities.

How can organisations address the challenges of security testing?

Utilise automated security testing tools.
Leverage third-party security expertise.
Prioritise vulnerabilities based on risk.
Continuously monitor and improve security testing processes.

What are the key considerations for acceptance testing for security?

Defining clear security acceptance criteria.
Involving security experts in the acceptance testing process.
Conducting security testing in a realistic environment.

What are the consequences of inadequate security testing?

Data breaches and loss of sensitive information.
System vulnerabilities and exploits.
Non-compliance with regulatory requirements.
Reputational damage and loss of customer trust.

How can organisations demonstrate compliance with ISO 27001 Annex A 8.29?

Documenting and implementing a secure software development lifecycle.
Conducting regular security testing activities and maintaining records of test results.
Demonstrating adherence to secure coding standards and guidelines.
Continuously improving security testing processes based on audit findings and lessons learned.

What is the difference between ISO 27001 Annex A 8.29 and ISO 27002 Control 8.29?

ISO 27001 Annex A 8.29 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.29 is the implementation guidance for the control.

Is Security Testing in Development and Acceptance required for ISO 27001 certification?

Yes, Security Testing in Development and Acceptance is a required information security control for ISO 27001 certification, if you do software development.

ISO 27002 Control 8.29

ISO 27002 Control 8.29 provides implementation guidance for ISO 27001 Security Testing in Development and Acceptance.

ISO 27001 Management of Technical Vulnerabilities: Annex A 8.8

ISO 27001 Configuration Management: Annex A 8.9

ISO 27001 Secure Coding: Annex A 8.28

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Protection of Information Systems During Audit Testing: Annex A 8.34

ISO 27001 Control and Attributes Table

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventive	Confidentiality	Identify	Application Security	Protection
	Integrity		System and Network Security
	Availability

Tags: Application Security Availability Confidentiality Identify Information Security Assurance Integrity Preventive Protection System and Network Security

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Jumpstart Kit

ISO 27001 Consultant Toolkit

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

Table of contents

ISO 27001 Security Testing in Development and Acceptance

Purpose

Definition

Implementation Guide

General

Secure Development Policy

Separate Environments

Testing

Test Plans

Knowledge and Experience

Who Tests

Types of Testing

Documentation

Outsourced Development

Implementation Checklist

1. Define a Security Testing Strategy

Challenges

Solutions

2. Conduct Code Reviews

Challenges

Solutions

3. Perform Vulnerability Scans

Challenges

Solutions

4. Conduct Penetration Testing

Challenges

Solutions

5. Implement Secure Coding Practices

Challenges

Solutions

6. Utilise Secure Development Frameworks and Libraries

Challenges

Solutions

7. Establish a Secure Configuration Management Process

Challenges

Solutions

8. Conduct Acceptance Testing for Security

Challenges

Solutions

9. Continuously Monitor and Improve

Challenges

Solutions

10. Document and Communicate

Challenges

Solutions

Audit Checklist

1. Review Security Testing Strategy

2. Assess Code Review Processes

3. Examine Vulnerability Scanning Activities

4. Evaluate Penetration Testing Procedures

5. Assess Secure Coding Practices

6. Review the Use of Secure Development Frameworks and Libraries

7. Examine Secure Configuration Management:

8. Assess Acceptance Testing for Security

9. Review Security Testing Documentation

10. Evaluate Continuous Improvement

FAQ

ISO 27002 Control 8.29

Related ISO 27001 Controls

Further Reading

ISO 27001 Control and Attributes Table

About the author