Development activities spread across multiple distinct environments present a significant challenge for organisations that handle different categories of data and need to move that data between development, testing and production environments.
At each stage of the development process, PII and privacy-related assets need to be safeguarded, and afforded the same level of protection regardless of the environment they find themselves in.
ISO 27701 6.11.2 is a wide-ranging control that encompasses multiple aspects of development and testing operations.
ISO 27701 6.11.2 contains no fewer than 9 separate sub-clauses, each drawing on an ISO 27002 control that deals with an aspect of development security, presented within the scope of privacy information management and PII security (the mapping is summarised in the table at the end of this page):
Two sub-clauses (6.11.2.1 and 6.11.2.6) contain guidance that is relevant to elements of UK GDPR legislation – we’ve provided the articles below, for your convenience.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
Organisations need to ensure that the development life cycle is created with privacy protection in mind.
To achieve this, organisations should:
Robust change management procedures should be implemented that preserve the confidentiality, integrity and availability of PII and privacy-related information, both within privacy information processing facilities and within privacy information systems.
Organisational change control processes and procedures should include:
See ISO 27701 Clause 6.11.2.2
Organisational systems should be designed, documented, implemented and maintained with privacy protection in mind.
Engineering principles should analyse:
Engineering principles should take into account:
Secure systems engineering should encompass:
Organisations should default to a ‘zero trust’ approach to security, by:
Where the organisation outsources development to third-party organisations, efforts should be made to ensure that the partner’s security principles are aligned with the organisation’s own.
To safeguard PII and privacy-related assets, organisations need to ensure that development, testing and production environments are segregated and secured.
To achieve this, organisations should:
To safeguard data in development and testing environments, organisations should:
ISO 27002 makes it clear that development and testing staff pose a disproportionate risk to PII, whether directly through malicious action or inadvertently through mistakes made during the development process.
It is vitally important that no single employee is able to make changes in both development and production environments without proper authorisation, including a review of the required changes and multi-step approval (see ISO 27002 Control 8.33).
Organisations should take great care to ensure the integrity and availability of PII throughout the development and testing process, including where there are multiple live production environments, where training environments are used, and where duties are segregated between teams.
If the need arises to outsource development, organisations need to ensure that the third party’s security practices are in alignment with their own.
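As an added illustration of the review, multi-step approval and segregation-of-duties requirement described above (example code written for this page, not ISO text and not ISMS.online’s own tooling), the following Python check evaluates a hypothetical change record against a hypothetical role map. The role names, the `ChangeRequest` fields and the sample identities are assumptions for the example; a real pipeline would take these from its version control and CI/CD systems.

```python
from dataclasses import dataclass

# Role labels are hypothetical for this example, not ISO 27002 terminology.
DEV_WRITE = "dev:write"            # may commit code/config in the development environment
PROD_DEPLOY = "prod:deploy"        # may push a release into the production environment
CHANGE_APPROVE = "change:approve"  # may sign off a change record


@dataclass
class ChangeRequest:
    change_id: str
    author: str            # identity that made the change
    deployer: str          # identity executing the production deployment
    approvers: frozenset   # identities that signed off the change record
    target_env: str        # "development", "test" or "production"


def toxic_combinations(roles):
    """Identities holding both development-write and production-deploy rights.

    These are the 'one employee can change both environments' cases that need
    explicit authorisation or a split of roles (empty set = nothing to flag).
    """
    return {user for user, held in roles.items()
            if DEV_WRITE in held and PROD_DEPLOY in held}


def evaluate_change(req, roles, min_approvals=2):
    """Return a list of control violations for a change request.

    An empty list means the promotion may proceed. The gate only applies to
    promotion into production; lower environments are not checked here.
    """
    violations = []
    if req.target_env != "production":
        return violations
    if req.author in req.approvers:
        violations.append(f"{req.author} approved their own change")
    if req.deployer == req.author:
        violations.append(f"{req.author} both authored and is deploying the change")
    if PROD_DEPLOY not in roles.get(req.deployer, set()):
        violations.append(f"{req.deployer} is not authorised to deploy to production")
    independent = req.approvers - {req.author}
    qualified = {a for a in independent if CHANGE_APPROVE in roles.get(a, set())}
    for a in sorted(independent - qualified):
        violations.append(f"{a} is not an authorised approver")
    if len(qualified) < min_approvals:
        violations.append(
            f"{len(qualified)} independent approval(s), {min_approvals} required")
    return violations


# Constructed sample data for the demonstration (hypothetical identities).
ROLES = {
    "alice": {DEV_WRITE},
    "bob": {DEV_WRITE, CHANGE_APPROVE},
    "carol": {CHANGE_APPROVE},
    "dave": {PROD_DEPLOY},
    "erin": {DEV_WRITE, PROD_DEPLOY},  # deliberately holds both; should be flagged
}

# A compliant request: independent author, two qualified approvers, authorised deployer.
GOOD = ChangeRequest("CHG-1", "alice", "dave", frozenset({"bob", "carol"}), "production")
# A non-compliant request: the author approves and deploys their own change.
BAD = ChangeRequest("CHG-2", "alice", "alice", frozenset({"alice", "bob"}), "production")

if __name__ == "__main__":
    print("identities with both dev-write and prod-deploy:", toxic_combinations(ROLES))
    for req in (GOOD, BAD):
        print(req.change_id, evaluate_change(req, ROLES) or "OK")
```

The two functions cover the two halves of the requirement: `toxic_combinations` is a standing audit of who could touch both environments, while `evaluate_change` is the per-change gate that enforces independent review and a minimum number of qualified approvals before anything reaches production.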
Organisations should clearly communicate their requirements from the outset, and continually assess the development partner’s ability to do what is expected of them.
Organisations should consider:
Organisations need to ensure that, when code is deployed or otherwise moved from a development environment to the live environment, privacy protection is treated as a priority and PII is safeguarded against any loss of integrity or availability.
Testing should include:
All test plans should be proportionate to the system they are testing and to the scale of the change or dataset they are targeted at.
Testing plans should include a range of automation tools, and be comprised of:
In-house development testing should always be verified by a third-party specialist. Such tests should include:
ISO recommends that all testing be carried out in an environment that mirrors the production environment as closely as possible, so that the results provide an accurate and practical basis for gauging performance (see ISO 27002 Control 8.31).
See ISO 27701 Clause 6.11.2.8
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.11.2.1 | Secure Development Policy | 8.25 – Secure Development Life Cycle | Article 25 |
6.11.2.2 | System Change Control Procedures | 8.32 – Change Management | None |
6.11.2.3 | Technical Review of Applications After Operating Platform Changes | 8.32 – Change Management | None |
6.11.2.4 | Restrictions on Changes to Software Packages | 8.32 – Change Management | None |
6.11.2.5 | Secure Systems Engineering Principles | 8.27 – Secure System Architecture and Engineering Principles | Article 25 |
6.11.2.6 | Secure Development Environment | 8.31 – Separation of Development, Test and Production Environments | None |
6.11.2.7 | Outsourced Development | 8.30 – Outsourced Development | None |
6.11.2.8 | System Security Testing | 8.29 – Security Testing in Development and Acceptance | None |
6.11.2.9 | System Acceptance Testing | 8.29 – Security Testing in Development and Acceptance | None |
In order to achieve ISO 27701 you must build a Privacy Information Management System (PIMS). With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.
You can also accommodate the growing number of global, regional and sector-specific privacy regulations we support on the ISMS.online platform.
To achieve certification to ISO 27701 (privacy) you must first achieve certification to ISO 27001 (information security). The good news is that our platform can help you do both.