For the purposes of ISO 27002, Control 8.4 defines “source code” as the underlying code, specifications and plans used to create applications, programs, and processes that are the property of the organisation itself.
When discussing access to source code, Control 8.4 attaches an equal amount of importance to developmental tools (compilers, test environments etc).
Managing source code represents a unique risk to any organisation that has the need to store it. Elements of business critical source code include production data, protected configuration details and aspects of an organisation’s IP.
Control 8.4 is a preventative control that modifies risk by establishing a set of underlying data access principles (in accordance with an organisations wider set of access controls) that govern read/write access to:
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity and Access Management #Application Security #Secure Configuration | #Protection |
Control 8.4 deals with an organisation’s ability to control access to business critical data relating to source code, development tools and commercially sensitive information such as software libraries.
As such, ownership should reside with the Chief Information Security Officer (or organisational equivalent), who holds responsibility for the organisation’s overall information and data security practices.
Control 8.4 advocates for a source code management system that allows organisations to centrally administer access to and their amendment of source code across its ICT estate.
Control 8.4 asks organisations to consider access to source code along a set of strict read and/or write privileges, based on the nature of the source code, where it’s being accessed from, and who is accessing it.
When seeking to control access to source code, organisations should:
27002:2022-8.4 replaces 27002:2014-9.4.5 (Access to source code), and contains three main differences in its approach to establishing a source code management system (a concept that is absent from 27002:2014-9.4.5)
ISMS.Online simplifies the process of implementing ISO 27002 by providing all the necessary resources, information, and tools at one place. It allows you to create an ISMS with just a few clicks of your mouse, which would otherwise take a long time if done manually.
Want to see it in action?
Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |