Cyber criminals are constantly inventing new ways and are improving their strategies to infiltrate corporate networks and gain access to sensitive information assets.
For example, cyber attackers may exploit a vulnerability related to the authentication mechanism in the source code to intrude into networks. Furthermore, they may also attempt to manipulate end-users on the client side into performing actions to infiltrate networks, gain access to data or carry out ransomware attacks.
If an application, software, or IT system is deployed in the real world with vulnerabilities, this would expose sensitive information assets to the risk of compromise.
Therefore, organisations should establish and implement an appropriate security testing procedure to identify and remedy all vulnerabilities in IT systems before they are deployed to the real world.
Control 8.29 enables organisations to verify that all information security requirements are satisfied when new applications, databases, software, or code are put into operation by establishing and applying a robust security testing procedure.
This helps organisations to detect and eliminate vulnerabilities in the code, networks, servers, applications, or other IT systems before they are used in the real world.
Control 8.29 is preventive in nature. It requires organisations to subject new information systems and their new/updated versions to a security testing process before they are released into the production environment.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Application Security #Information Security Assurance #System and Network Security | #Protection |
Considering that Control 8.29 involves establishment, maintenance and implementation of a security testing procedure that will apply to all new information systems whether developed in-house or by external parties, the Information Security Officer should be responsible for compliance.
Organisations should incorporate security testing into the testing process for all systems and they must ensure that all new information systems and their new/updated versions satisfy the information security requirements when they are in the production environment.
Control 8.29 lists three elements that should be included in the security testing process:
When designing security testing plans, organisations should take into account the level of criticality and nature of the information system at hand.
Security testing plan should cover the following:
When IT systems are developed by the in-house development team, this team should carry out the initial security testing to ensure the IT system satisfies security requirements.
This initial testing should then be followed by an independence acceptance testing in accordance with Control 5.8.
In relation to the in-house development, the following should be considered:
Organisations should follow a strict acquisition process when they outsource development or when they purchase IT components from external parties.
Organisations should enter into an agreement with their suppliers and this agreement should address the information security requirements as prescribed in Control 5.20.
Furthermore, organisations should ensure that the products and services they purchase are in compliance with the information security standards.
Organisations can create multiple test environments to carry out various testing such as functional, non-functional, and performance testing.
Furthermore, they can create virtual test environments and then configure these environments to test the IT systems in various operational settings.
Control 8.29 also notes that effective security testing requires organisations to test and monitor the testing environments, tools, and technologies.
Lastly, organisations should take into account the level of sensitivity and criticality of data when determining the number of layers of meta-testing.
27002:2022/8.29 replace 27002:2013/(14.2.8 and 14.2.9)
Whereas the 2022 Version addresses secure testing under one single Control, the 2013 version referred to secure testing in two separate controls; System Security Testing in Control 14.2.8 and System Acceptance Testing in Control 14.2.9
In contrast to the 2013 version, the 2022 Version includes more detailed requirements and recommendations on the following:
Contrary to the 2022 Version, the 2013 version was more prescriptive for system acceptance testing. It included requirements such as security testing on received components and the use of automated tools.
ISMS.online streamlines the ISO 27002 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.
Get in touch and book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
