ISO 27001 Annex A 8.30 Outsourced Development


What is ISO 27001 Outsourced Development?

ISO 27001 Annex A 8.30 Outsourced Development is an ISO 27001 control that requires us to make sure that any development we outsource meets our information security requirements.

Purpose

ISO 27001 Annex A 8.30 is both a preventive control and a detective control. Its purpose is to ensure that the information security measures required by the organisation are implemented in outsourced system development.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.30 as:

The organisation should direct, monitor and review the activities related to outsourced system development.

ISO27001:2022 Annex A 8.30 Outsourced Development

Implementation Guide

This is all about managing your outsourced development and making sure that both the work and the people doing it follow your requirements for information security. You do this by telling the supplier what you expect, writing those expectations into agreements such as contracts, and then regularly monitoring and reviewing the supplier to confirm that they are being met.

In addition, we treat the developers as a third party for which the following will apply:

ISO 27001 Annex A 5.19 Information Security In Supplier Relationships

ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements

ISO 27001 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services


Licensing

Getting licensing right is key. You will have documented the licensing arrangements, including who owns the code and any intellectual property produced.

The following will apply: ISO 27001 Annex A 5.32 Intellectual Property Rights

Contracts

You will have contracts in place, and you will have followed the contractual requirements for secure design, coding and testing.

The following will apply: ISO 27001 Annex A 8.25 Secure Development Life Cycle

You will have provided them the threat model to consider.

The contract will require the supplier to provide evidence that sufficient testing has been conducted, and you will hold that evidence.

Escrow agreements, where appropriate, will be defined, documented and evidenced.

The right to audit will be included in the contract.

Security requirements for the development environment will be in place.

The requirements of all applicable laws and regulations will be reflected in the contract.

Outsourced Development

If you outsource your development, the third-party supplier controls will apply. The main thing is to ensure the supplier meets your requirements for secure development, but all relevant controls that apply to you will apply to them as well.

Conclusion

Many, if not all, of the requirements behind this control are covered by other controls, whether that is supplier management, licensing or the technical controls of the secure development life cycle. Consider each of them in the context of this control and be able to evidence them as they apply to your outsourced development.