What is ISO27001 Outsourced Development?

ISO27001 Annex A 8.30 Outsourced Development is an ISO27001 control that requires us to make sure our outsourced developments, where applicable, are meeting our information security requirements.

Purpose

ISO27001 Annex A 8.26 is a preventive control and a detective control to ensure information security measures required by the organisation are implemented in outsourced system development.

Definition

The ISO27001 standard defines ISO27001 Annex A 8.30 as:

The organisation should direct, monitor and review the activities related to outsourced system development.

ISO27001:2022 Annex A ISO27001 Annex A 8.30 Outsourced Development

Implementation Guide

This is all about managing your outsourced development and making sure that it, and they, are following your requirements for information security. This will be done by telling them what you expect, getting it into agreements such as contracts and then regularly reviewing and monitoring them to ensure that it is being done.

In addition, we treat the developers as a third party for which the following will apply:

ISO 27001 Annex A 5.19 Information Security In Supplier Relationships

ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements

ISO 27001 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s

Licensing

Getting licensing right is key. You will have documented this and who owns code and intellectual property.

The following will apply: ISO 27001 Annex A 5.32 Intellectual Property Rights

Contracts

You will have contract in place and followed the contractual requirements for secure design, coding and test.

The following will apply: ISO27001 Annex A 8.25 Secure Development Life Cycle

You will have provided them the threat model to consider.

There will be the requirement to provide evidence, and actual evidence, that sufficient testing has been conducted.

Escrow agreements where appropriate will be defined, document and evidenced.

The right to audit will be included in the contact.

Security requirements for the development environment will be in place.

The requirements of all laws and regulations will be in place.

Outsourced Development

If you outsource your development then the third party supplier controls will apply. The main thing is to ensure they meet your requirements for secure development but all relevant controls that apply to you, will apply to them.

Conclusion

Many if not all of the controls that apply to this control are covered elsewhere. Be it the experience, licensing, technical controls but consider them in the context of this clause and be able to evidence them as they apply to outsourced development.