ISO 27001:2022 Annex A Control 8.29

Security Testing in Development and Acceptance


Cyber criminals are continually devising novel methods and enhancing their tactics to breach corporate networks and acquire access to confidential data.

Cyber criminals could exploit a flaw in the authentication logic of the source code to breach networks. Additionally, they may try to persuade end-users on the client side to do things that would allow them to gain access to data, infiltrate networks, or execute ransomware attacks.

If an application, software or IT system is deployed with vulnerabilities, this would put sensitive information at risk of being compromised.

Organisations ought to set up and execute an appropriate security testing process in order to identify and address any vulnerabilities in IT systems before they are deployed into the real world.

Purpose of ISO 27001:2022 Annex A 8.29

ISO 27001:2022 Annex A Control 8.29 allows organisations to ensure that all security requirements are met when new applications, databases, software, or code are implemented. This is done by creating and following a thorough security testing process.

Organisations can identify and remove potential weaknesses in their code, networks, servers, applications, and other IT systems prior to implementation in the real world.

Ownership of Annex A 8.29

The Information Security Officer should ensure that ISO 27001:2022 Annex A Control 8.29 is met, requiring the establishment, maintenance and implementation of a security testing procedure that covers all new information systems, regardless of whether they are created internally or by third parties.


General Guidance on ISO 27001:2022 Annex A 8.29 Compliance

Organisations should incorporate security testing into the testing process for all systems, guaranteeing that all new information systems, as well as their new/updated versions, satisfy information security requirements when they are in the production environment.

ISO 27001:2022 Annex A Control 8.29 outlines three elements as essential components of security testing:

  1. Ensure security through user authentication in accordance with ISO 27001:2022 Annex A 8.5, access restriction in accordance with ISO 27001:2022 Annex A 8.3, and cryptography as per ISO 27001:2022 Annex A 8.24.
  2. Ensure that code is securely written in adherence to the ISO 27001:2022 Annex A 8.28.
  3. Ensure configurations meet the requirements outlined in Annex A 8.9, 8.20, and 8.22, which may involve firewalls and operating systems.

What Should a Test Plan Include?

When devising security testing plans, organisations should consider the criticality and nature of the information system involved.

This security testing plan should incorporate the following elements:

  • A detailed schedule of the activities and tests to be carried out.
  • The expected results under a given set of conditions, covering both inputs and outputs.
  • The criteria against which the results will be assessed.
  • The decisions on what action to take once the results have been obtained.
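The four plan elements above (schedule of tests, expected results for given inputs, assessment criteria, and the decision that follows) map directly onto an automated acceptance gate. The example below is added here and is not code from the page or from ISMS.online: it encodes a small security test plan as cases that each carry an input, an expected outcome, an evaluation criterion and a severity, runs them against a constructed system under test (a hypothetical `LoginService` standing in for the authentication element of Annex A 8.5, and a hypothetical configuration baseline standing in for the configuration element of Annex A 8.9), and returns an accept/reject decision. The service, the baseline keys and the case identifiers are all assumptions made for the illustration.

```python
"""Security acceptance gate: a test plan as data, executed against a release
candidate, ending in a documented decision (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


class LoginService:
    """Constructed system under test: a minimal login handler with an
    account-lockout rule and a minimum password length (hypothetical)."""

    MAX_FAILURES = 5      # failed attempts before the account is locked
    MIN_PASSWORD_LEN = 12

    def __init__(self, users: dict[str, str]) -> None:
        self._users = dict(users)
        self._failures: dict[str, int] = {}

    def login(self, username: str, password: str) -> str:
        if self._failures.get(username, 0) >= self.MAX_FAILURES:
            return "locked"
        if self._users.get(username) == password:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"

    def set_password(self, username: str, new_password: str) -> bool:
        if len(new_password) < self.MIN_PASSWORD_LEN:
            return False
        self._users[username] = new_password
        return True


# Constructed configuration baseline for the deployed host (hypothetical keys).
BASELINE = {"tls_min_version": "1.2", "debug_mode": False, "admin_default_password": False}


@dataclass
class TestCase:
    case_id: str
    control: str                      # Annex A control the case gives evidence for
    severity: str                     # "high" failures block release, "low" are recorded
    run: Callable[[], Any]            # executes the test and returns the actual outcome
    expected: Any                     # expected outcome for the given input
    criterion: Callable[[Any, Any], bool] = lambda actual, expected: actual == expected


@dataclass
class Result:
    case_id: str
    control: str
    severity: str
    actual: Any
    expected: Any
    passed: bool


def build_plan(make_svc: Callable[[], LoginService], config: dict) -> list[TestCase]:
    """The test plan: each case gets a fresh service so cases are independent."""
    good_pw = "correct horse battery staple"

    def lockout_after_failures() -> str:
        svc = make_svc()
        for _ in range(LoginService.MAX_FAILURES):
            svc.login("alice", "wrong-password")
        return svc.login("alice", good_pw)     # even the right password must now be refused

    def tls_at_least(actual: Any, expected: Any) -> bool:
        return actual is not None and float(actual) >= float(expected)

    return [
        TestCase("AUTH-01", "8.5", "high", lambda: make_svc().login("alice", good_pw), "ok"),
        TestCase("AUTH-02", "8.5", "high", lambda: make_svc().login("alice", "wrong-password"), "denied"),
        TestCase("AUTH-03", "8.5", "high", lockout_after_failures, "locked"),
        TestCase("AUTH-04", "8.5", "high", lambda: make_svc().set_password("alice", "short"), False),
        TestCase("CFG-01", "8.9", "high", lambda: config.get("debug_mode"), False),
        TestCase("CFG-02", "8.9", "high", lambda: config.get("tls_min_version"), "1.2", tls_at_least),
        TestCase("CFG-03", "8.9", "low", lambda: config.get("admin_default_password"), False),
    ]


def run_plan(plan: list[TestCase]) -> list[Result]:
    results = []
    for case in plan:
        actual = case.run()
        results.append(Result(case.case_id, case.control, case.severity, actual,
                              case.expected, case.criterion(actual, case.expected)))
    return results


def decide(results: list[Result]) -> str:
    """Decision rule: any failed high-severity case rejects the release;
    low-severity failures are accepted but recorded as findings."""
    if any(not r.passed and r.severity == "high" for r in results):
        return "reject"
    if any(not r.passed for r in results):
        return "accept-with-findings"
    return "accept"


def evaluate(config: dict) -> tuple[str, list[Result]]:
    plan = build_plan(lambda: LoginService({"alice": "correct horse battery staple"}), config)
    results = run_plan(plan)
    return decide(results), results


if __name__ == "__main__":
    decision, results = evaluate(BASELINE)
    for r in results:
        print(f"{r.case_id} (Annex A {r.control}, {r.severity}): "
              f"expected={r.expected!r} actual={r.actual!r} -> {'PASS' if r.passed else 'FAIL'}")
    print("Decision:", decision)
```

A missing configuration key is treated as a failure rather than a pass, which is the safe default for an acceptance gate: an absent `tls_min_version` cannot satisfy the criterion, so the release is rejected instead of slipping through on an unset value. The per-case `criterion` is what lets the plan express "at least 1.2" for TLS while keeping plain equality for the rest.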

In-House Development

The in-house development team ought to conduct the initial security testing to guarantee the IT system adheres to security specifications.

A first round of testing should be carried out, followed by independent acceptance testing in line with ISO 27001:2022 Annex A 5.8.

Regarding in-house development, the following should be taken into account:

  • Conducting code reviews to identify and address security issues, encompassing anticipated inputs and situations.
  • Performing vulnerability scans in order to identify insecure settings and other potential weaknesses.
  • Performing penetration tests to identify weak coding and design.

Outsourcing

Organisations ought to adhere to a rigorous acquisition procedure when they delegate development or purchase IT elements from external sources.

Organisations should enter into a contract with their suppliers that meets the information security criteria laid out in ISO 27001:2022 Annex A 5.20.

Organisations should guarantee that the goods and services they acquire meet the organisation's information security requirements.

Supplementary Guidance on ISO 27001:2022 Annex A 8.29

Organisations can generate several test environments to undertake a range of tests, including functional, non-functional, and performance ones. They can create virtual test environments, configure them to test IT systems in different operational settings, and refine them accordingly.

Annex A 8.29 emphasises the need for effective security testing, which necessitates organisations to test and oversee the testing environments, tools, and technologies.

Organisations should consider the sensitivity and importance of the system when deciding how many layers of meta-testing to employ.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.29 replaces ISO 27001:2013 Annex A 14.2.8 and 14.2.9 in the newest revision.

Structural Changes

ISO 27001:2022 consolidates secure testing into one control, as opposed to ISO 27001:2013, which referred to secure testing in two different controls: System Security Testing (Annex A 14.2.8) and System Acceptance Testing (Annex A 14.2.9).

ISO 27001:2022 Annex A 8.29 Brings More Comprehensive Requirements

In contrast to ISO 27001:2013, the ISO 27001:2022 revision contains more comprehensive requirements and advice on:

  • A security testing plan that should include a variety of elements.
  • Criteria for assessing security when developing IT systems in-house.
  • What should be included in the security testing process.
  • The use of multiple test environments, which is essential for thoroughness and accuracy in the process.

ISO 27001:2013 Was More Detailed in Relation to Acceptance Testing

Contrary to ISO 27001:2022, ISO 27001:2013 was more detailed regarding system acceptance testing. It included security testing for incoming components and the utilisation of automated tools.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
| --- | --- | --- | --- |
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |

ISO 27001:2022 People Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
| --- | --- | --- | --- |
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting |

ISO 27001:2022 Physical Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
| --- | --- | --- | --- |
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |

ISO 27001:2022 Technological Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
| --- | --- | --- | --- |
| Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |

How ISMS.online Helps

ISMS.online simplifies the ISO 27001:2022 implementation process through a sophisticated cloud-based framework, which supplies documentation of information security management system processes and checklists to ensure compatibility with accepted standards.

Contact us to arrange a demonstration.
