Ensuring Security from Development to Deployment: ISO 27002 Control 8.29 Explained

Cyber criminals constantly invent new ways, and refine existing ones, to infiltrate corporate networks and gain access to sensitive information assets.

For example, attackers may exploit a vulnerability in an application's authentication code to gain a foothold on the network. They may also manipulate end-users on the client side into performing actions that let them infiltrate networks, gain access to data or deploy ransomware.

If an application, piece of software or IT system is deployed into production with vulnerabilities, the sensitive information assets it handles are exposed to the risk of compromise.

Therefore, organisations should establish and implement an appropriate security testing procedure to identify and remedy vulnerabilities in IT systems before they are deployed into production.

Purpose of Control 8.29

Control 8.29 enables organisations to verify, by establishing and applying a robust security testing procedure, that all information security requirements are satisfied when new applications, databases, software or code are put into operation.

This helps organisations to detect and eliminate vulnerabilities in the code, networks, servers, applications, or other IT systems before they are used in the real world.

Attributes of Control 8.29

Control 8.29 is preventive in nature. It requires organisations to subject new information systems and their new/updated versions to a security testing process before they are released into the production environment.

Control Type     Information Security Properties   Cybersecurity Concepts   Operational Capabilities           Security Domains
#Preventive      #Confidentiality                  #Identify                #Application Security              #Protection
                 #Integrity                                                 #Information Security Assurance
                 #Availability                                              #System and Network Security






Ownership of Control 8.29

Considering that Control 8.29 involves establishment, maintenance and implementation of a security testing procedure that will apply to all new information systems whether developed in-house or by external parties, the Information Security Officer should be responsible for compliance.

General Guidance on Compliance

Organisations should incorporate security testing into the testing process for all systems, and they must ensure that new information systems and their new or updated versions satisfy the information security requirements before they are moved into the production environment.

Control 8.29 lists three elements that should be included in the security testing process:

  1. Security functions such as user authentication as defined in Control 8.5, access restriction as prescribed in Control 8.3, and cryptography as addressed in Control 8.24.
  2. Secure coding as described in Control 8.28.
  3. Secure configurations as prescribed in Controls 8.9, 8.20 and 8.22. This covers components such as operating systems and firewalls.

What Should a Test Plan Include?

When designing security testing plans, organisations should take into account the level of criticality and nature of the information system at hand.

Security testing plan should cover the following:

  • Establishment of a detailed schedule for the activities and the testing to be conducted.
  • Inputs and outputs expected to occur under a given set of conditions.
  • Criteria to assess the results.
  • If appropriate, decisions to take actions based upon the results.






In-House Development

When IT systems are developed by the in-house development team, this team should carry out the initial security testing to ensure the IT system satisfies security requirements.

This initial testing should then be followed by independent acceptance testing in accordance with Control 5.8.

In relation to the in-house development, the following should be considered:

  • Carrying out code reviews to detect and eliminate security flaws, considering the expected inputs and conditions under which the code will run.
  • Carrying out vulnerability scanning to detect insecure configurations and other known vulnerabilities.
  • Carrying out penetration tests to detect insecure code and design.

Outsourcing

Organisations should follow a strict acquisition process when they outsource development or when they purchase IT components from external parties.

Organisations should enter into an agreement with their suppliers and this agreement should address the information security requirements as prescribed in Control 5.20.

Furthermore, organisations should verify that the products and services they purchase comply with the organisation's information security standards and requirements.

Supplementary Guidance on Control 8.29

Organisations can create multiple test environments to carry out various testing such as functional, non-functional, and performance testing.

Furthermore, they can create virtual test environments and then configure these environments to test the IT systems in various operational settings.

Control 8.29 also notes that effective security testing requires organisations to test and monitor the testing environments, tools, and technologies.

Lastly, organisations should take into account the sensitivity and criticality of the data and system when deciding how many layers of meta-testing to apply; the more critical the system, the more layers are warranted.







Changes and Differences from ISO 27002:2013

27002:2022/8.29 replaces 27002:2013/(14.2.8 and 14.2.9)

Structural Changes

Whereas the 2022 version addresses security testing under a single control, the 2013 version split it across two separate controls: System Security Testing in Control 14.2.8 and System Acceptance Testing in Control 14.2.9.

Control 8.29 Brings More Comprehensive Requirements

In contrast to the 2013 version, the 2022 Version includes more detailed requirements and recommendations on the following:

  • Security testing plan and what it should include.
  • Criteria for security testing for in-house development of IT systems.
  • Security testing process and what it should entail.
  • Use of multiple test environments.

The 2013 Version Was More Detailed in Relation to Acceptance Testing

Unlike the 2022 version, the 2013 version was more prescriptive about system acceptance testing: it included requirements such as security testing of received components and the use of automated tools.


How ISMS.online Helps

ISMS.online streamlines the ISO 27002 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
