ISO 27001:2022 Annex A 8.29 – Security Testing in Development and Acceptance

ISO 27001:2022 Annex A Control 8.29 mandates security testing throughout development and acceptance phases to identify vulnerabilities before deployment. It ensures compliance with security requirements through structured testing plans, in-house evaluations, and supplier oversight.

We need the information you provide to us to contact you about our services.
Unsubscribe at any time. For more information please check our Privacy Policy.

Author
Max Edwards
Updated 31 January 2025
LinkedIn Twitter Twitter

Ensuring Secure Development: ISO 27001 Annex A 8.29 Security Testing Explained

Cyber criminals are continually devising novel methods and enhancing their tactics to breach corporate networks and acquire access to confidential data.

Cyber criminals could exploit a flaw connected to the authentication process in the source code to breach networks. Additionally, they may try and persuade end-users on the client side to do things that would allow them to gain access to data, infiltrate networks, or execute ransomware attacks.

If an application, software or IT system is deployed with vulnerabilities, this would put sensitive information at risk of being compromised.

Organisations ought to set up and execute an appropriate security testing process in order to identify and address any vulnerabilities in IT systems before they are deployed into the real world.

Purpose of ISO 27001:2022 Annex A 8.29

ISO 27001:2022 Annex A Control 8.29 allows organisations to ensure that all security requirements are met when new applications, databases, software, or code are implemented. This is done by creating and following a thorough security testing process.

Organisations can identify and remove potential weaknesses in their code, networks, servers, applications, and other IT systems prior to implementation in the real world.

Ownership of Annex A 8.29

The Information Security Officer should ensure that ISO 27001:2022 Annex A Control 8.29 is met, requiring the establishment, maintenance and implementation of a security testing procedure that covers all new information systems, regardless of whether they are created internally or by third parties.



Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo


General Guidance on ISO 27001:2022 Annex A 8.29 Compliance

Organisations should incorporate security testing into the testing process for all systems, guaranteeing that all new information systems, as well as their new/updated versions, satisfy information security requirements when they are in the production environment.

ISO 27001:2022 Annex A Control 8.29 outlines three elements as essential components of security testing:

  1. Ensure security through user authentication in accordance with ISO 27001:2022 Annex A 8.5, access restriction in accordance with ISO 27001:2022 Annex A 8.3, and cryptography as per ISO 27001:2022 Annex A 8.24.
  2. Ensure that code is securely written in adherence to the ISO 27001:2022 Annex A 8.28.
  3. Ensure configurations meet the requirements outlined in Annex A 8.9, 8.20, and 8.22, which may involve firewalls and operating systems.

What Should a Test Plan Include?

When devising security testing plans, organisations should consider the urgency and character of the information system involved.

This security testing plan should incorporate the following elements:

  • Form a comprehensive agenda for the undertakings and the tests to be undertaken.
  • Expected outcomes when certain conditions are met include both inputs and outputs.
  • Criteria for assessing the outcomes must be established.
  • Once the results have been obtained, decisions as to what action should be taken can be made.

In-House Development

The in-house development team ought to conduct the initial security testing to guarantee the IT system adheres to security specifications.

A first round of testing should be carried out, followed by independent acceptance testing in line with ISO 27001:2022 Annex A 5.8.

Regarding in-house development, the following should be taken into account:

  • Conducting code reviews to identify and address security issues, encompassing anticipated inputs and situations.
  • Performing vulnerability scans in order to identify insecure settings and other potential weaknesses.
  • Performing penetration tests to identify weak coding and design.

Outsourcing

Organisations ought to adhere to a rigorous acquisition procedure when they delegate development or purchase IT elements from external sources.

Organisations should enter into a contract with their suppliers that meets the information security criteria laid out in ISO 27001:2022 Annex A 5.20.

Organisations should guarantee that the goods and services they acquire are in line with the security standards for information security.

Supplementary Guidance on ISO 27001:2022 Annex A 8.29

Organisations can generate several test environments to undertake a range of tests, including functional, non-functional, and performance ones. They can create virtual test environments, configure them to test IT systems in different operational settings, and refine them accordingly.

Annex A 8.29 emphasises the need for effective security testing, which necessitates organisations to test and oversee the testing environments, tools, and technologies.

Organisations should consider the level of sensitivity and importance when deciding how many layers of meta-testing to employ.



Compliance doesn't have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo


Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.29 replaces ISO 27001:2013 Annex A 14.2.8 and 14.2.9 in the newest revision.

Structural Changes

ISO 27001:2022 consolidates secure testing into one control, as opposed to ISO 27001:2013, which referred to secure testing in two different controls; System Security Testing (Annex A 14.2.8) and System Acceptance Testing (Annex A 14.2.9).

ISO 27001:2022 Annex A 8.29 Brings More Comprehensive Requirements

In contrast to ISO 27001:2013, the ISO 27001:2022 revision contains more comprehensive requirements and advice on:

  • A security testing plan that should include a variety of elements.
  • Criteria for assessing security when developing IT systems in-house.
  • What should be included in the security testing process.
  • Utilising multiple test environments is essential. It ensures thoroughness and accuracy in the process.

ISO 27001:2013 Was More Detailed in Relation to Acceptance Testing

Contrary to ISO 27001:2022, ISO 27001:2013 was more detailed regarding system acceptance testing. It included security testing for incoming components and the utilisation of automated tools.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

ISMS.online simplifies the ISO 27001:2022 implementation process through a sophisticated cloud-based framework, which supplies documentation of information security management system processes and checklists to ensure compatibility with accepted standards.

Contact us to arrange a demonstration.

Jump to topic

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.

ISMS Platform Tour

Interested in an ISMS.online platform tour?

Start your free 2-minute interactive demo now and experience the magic of ISMS.online in action!

Try it for free

We’re a Leader in our Field

Users Love Us
Leader Winter 2025
Leader Winter 2025 United Kingdom
Best ROI Winter 2025
Fastest Implementation Winter 2025
Most Implementable Winter 2025

"ISMS.Online, Outstanding tool for Regulatory Compliance"

-Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

-Karen C.

"Innovative solution to managing ISO and other accreditations"

-Ben H.

DORA is here! Supercharge your digital resilience today with our powerful new solution!