ISO 27001: 2022 A.8.27 Secure system architecture and engineering principles

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.27 Secure system architecture and engineering principles.

ISO 27001: 2022 Control Description

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

Purpose

To ensure information systems are securely designed, implemented, and operated throughout their development life cycle.

Guidance on implementation

Secure system engineering principles should be established, documented, and applied to all information system development activities. Security must be built into every layer of the system architecture, including business, data, applications, and technology. When introducing new technology, assess the security risks and review the design against known attack patterns.

Key Areas to Address:

  1. Security Engineering Principles:
    • These principles guide secure user authentication, session control, and data validation.
    • Analyse the security controls needed to protect information and systems from identified threats.
    • Assess how security controls can prevent, detect, or respond to security incidents.
    • Identify specific security controls required for certain business processes, like encryption and integrity checking.
    • Determine where and how to apply these controls, ensuring they integrate with the security architecture and technical infrastructure.
    • Understand how different security controls work together to form a cohesive defence system.
  2. Integration with Security Architecture:
    • Incorporate security architecture principles such as “security by design,” “defence in depth,” “least privilege,” and “fail securely.”
    • Review security designs to identify vulnerabilities and ensure controls meet security requirements.
    • Document any security controls that don’t fully meet the requirements, particularly when safety requirements take precedence.
    • Implement system hardening to reduce vulnerabilities.
  3. Zero Trust Principles:
    • Assume that the organisation’s systems may already be breached; don’t rely solely on network perimeter security.
    • Adopt a “never trust, always verify” approach for all system access.
    • Ensure that all requests to access systems are encrypted end-to-end.
    • Treat every request as though it’s from an open, external network, even if it originates from within the organisation.
    • Use “least privilege” and dynamic access control, verifying each access request based on factors like user identity, device information, and data classification.
    • Always authenticate and authorise requests rigorously, enforcing strong authentication practices.
  4. Outsourced Development:
    • Apply the organisation’s secure engineering principles to outsourced development through contracts and agreements.
    • Ensure that suppliers follow security practices that align with the organisation’s security needs.
  5. Regular Reviews and Updates:
    • Continuously review security engineering principles and procedures to ensure they enhance security standards effectively.
    • Regularly update these principles to address new threats and incorporate advancements in technology.

Additional Considerations

Secure engineering principles should also cover techniques such as:

  • Fault Tolerance and Resilience: Build systems that can withstand failures and continue to operate securely.
  • Segregation: Use methods like virtualisation or containerisation to isolate different applications or services.
  • Tamper Resistance: Implement tamper detection and resistance techniques for both physical and logical assets. These methods should ensure that any tampering attempts are recorded and that data can be securely destroyed if compromised.