ISO 27001:2022 Annex A 8.27 – Secure System Architecture and Engineering Principles

• See ISO 27002:2022 Control 8.27 for more information.
• See ISO 27001:2013 Annex A 14.2.5 for more information.

ISO 27001:2022 Control 8.27 – Strengthening System Security from the Ground Up

ISO 27001:2022 Annex A 8.27 specifies that organisations must implement secure system architecture and engineering principles to ensure that the design, implementation and management of the information system are appropriate to the organisation’s security requirements. This includes the establishment of secure system architectures, engineering principles and secure design practices.

The intricate structures of contemporary information systems, combined with the ceaselessly shifting cyber security risk environment, make information systems more prone to existing and potential security threats.

Annex A 8.27 outlines how organisations can protect their information systems from security threats through the implementation of secure system engineering principles during all stages of the information system life-cycle.

Purpose of ISO 27001:2022 Annex A 8.27

Annex A 8.27 facilitates organisations to secure information systems during the phases of design, deployment and operation, via the establishment and implementation of secure system engineering principles that system engineers must adhere to.

Ownership of Annex A 8.27

The Chief Information Security Officer is to be held accountable for erecting, sustaining, and putting into action the rules that govern safe engineering of information systems.

General Guidance on ISO 27001:2022 Annex A 8.27 Compliance

ISO 27001:2022 Annex A 8.27 underscores the necessity for organisations to embed security into the entirety of their information systems, including business processes, applications and data architecture.

Secure engineering practices should be implemented for all tasks associated with information systems, regularly reviewed and updated to account for emerging threats and attack patterns.

Annex A 8.27 also applies to systems created by external providers, in addition to those developed and run internally.

Organisations should guarantee that the practices and standards of service providers are in line with their secure engineering protocols.

ISO 27001:2022 Annex A 8.27 necessitates secure system engineering principles to address the following eight topics:

1. Methods of user authentication.
2. Secure session control guidance.
3. Procedures for sanitising and validating data.
4. Security measures for protecting information assets and systems against known threats are analysed comprehensively.
5. Security measures analysed for their ability to identify, eliminate, and respond to security threats.
6. Analysing the security measures applied to specific business activities, such as information encryption.
7. Where and how security measures will be implemented. A specific Annex A security control may be integrated within the technical infrastructure as part of this process.
8. The way in which different security measures work together and operate as a combined system.

Guidance on Zero Trust Principle

Organisations should bear in mind these zero-trust principles:

• Based on the assumption that the organisation’s systems are already compromised and that the defined perimeter security of its network cannot provide adequate protection.
• A policy of “verification before trust” should be adopted when it comes to granting access to information systems. This ensures that access is granted only after scrutiny, making sure that the right people have it.
• Ensuring requests made to information systems are safeguarded with end-to-end encryption provides assurance.
• Verification mechanisms are implemented assuming access requests from external, open networks to information systems.
• Implement least privilege and dynamic access control consistent with ISO 27001:2022 Annex A 5.15, 5.18, and 8.2. This must encompass authentication and authorisation of sensitive info and info systems taking into account contextual aspects such as user identities (ISO 27001:2022 Annex A 5.16) and information classification (ISO 27001:2022 Annex A 5.12).
• Authenticate the identity of the requester and verify authorisation requests to access information systems according to authentication information in ISO 27001:2022 Annex A 5.17, 5.16 and 8.5.

What Should Secure System Engineering Techniques Cover?

Your organisation should keep in mind the following:

• Incorporating secure architecture principles such as “security by design”, “defence in depth”, “fail securely”, “distrust input from external applications”, “assume breach”, “least privilege”, “usability and manageability” and “least functionality” is paramount.
• Conducting a security-oriented design review to detect any information security issues and making sure that security measures are established and meet the security needs.
• Documenting and acknowledging security measures that fail to meet requirements is essential.
• System hardening is essential for the security of any system.

What Criteria to Consider When Designing Secure Engineering Principles?

Organisations should take into account the following points when setting up secure system engineering principles:

• The requirement to coordinate Annex A Controls with particular security architecture is indispensable.
• An organisation’s existing technical security infrastructure, including public key infrastructure, identity management, and data leakage prevention.
• Can the organisation construct and sustain the technology chosen.
• The cost and the time needed to fulfil security requisites, taking into account their complexity, must be considered.
• Adhering to current best practices is essential.

Guidance on Application of Secure System Engineering Principles

ISO 27001:2022 Annex A 8.27 states that organisations can utilise secure engineering principles when setting up the following:

• Fault tolerance and other resilience strategies are essential. They help ensure that systems remain operational despite the occurrence of unexpected events.
• Segregation through virtualisation is one technique that can be utilised.
• Tamper-proofing, ensure that systems remain secure and impervious to malicious interference.

Secure virtualisation technology can reduce the risk of interception between applications running on the same device.

It is emphasised that tamper resistance systems can detect both logical and physical manipulation of information systems, preventing unauthorised access to data.

Changes and Differences From ISO 27001:2013

ISO 27001:2022 Annex A 8.27 replaces ISO 27001:2013 Annex A 14.2.5 in the revised 2022 standard.

The 2022 version contains more extensive demands than the 2013 version, such as:

• In comparison to 2013, the 2022 version furnishes guidance on what secure engineering principles ought to comprise.
• As opposed to the 2013 iteration, the 2022 version considers the criteria that organisations should take into account when constructing secure system engineering principles.
• The 2022 version provides guidance on the zero trust principle, which was not included in the 2013 version.
• The 2022 edition of the document includes recommendations for secure engineering techniques, such as “security by design,” which was not present in the 2013 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

Our step-by-step checklist makes ISO 27001 implementation a breeze. Our complete compliance solution for ISO/IEC 27001:2022 will guide you through the process from start to finish.

Upon logging in, you can expect up to 81% progress.

This solution is totally comprehensive and straightforward.

Reach out now to book a demonstration.