This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.29 Security testing in development and acceptance.
ISO 27001: 2022 Control Description
Security testing processes shall be defined and implemented in the development life cycle.
Purpose
To validate if information security requirements are met when applications or code are deployed to the production environment.
Guidance on implementation
New information systems, upgrades and new versions should be thoroughly tested and verified during the development processes. Security testing should be an integral part of the testing for systems or components.
Security testing should be conducted against a set of requirements, which can be expressed as functional or non-functional. Security testing should include testing of:
a) security functions [e.g. user authentication, access restriction and use of cryptography];
b) secure coding;
c) secure configurations including that of operating systems, firewalls and other security components.
Test plans should be determined using a set of criteria. The extent of testing should be in proportion to the importance, nature of the system and the potential impact of the change being introduced.
The test plan should include:
a) detailed schedule of activities and tests;
b) inputs and expected outputs under a range of conditions;
c) criteria to evaluate the results;
d) decision for further actions as necessary.
The organisation can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of security related defects.
For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken to ensure that the system works as expected and only as expected. The following should be considered:
a) performing code review activities as a relevant element for testing for security flaws, including un- anticipated inputs and conditions;
b) performing vulnerability scanning to identify insecure configurations and system vulnerabilities;
c) performing penetration testing to identify insecure code and design.
For outsourced development and purchasing components, an acquisition process should be followed. Contracts with the supplier should address the identified security requirements. Products and services should be evaluated against these criteria before acquisition. Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organisation’s environment and that the tests are reliable .
Other information
Multiple test environments can be established, which can be used for different kinds of testing (e.g. functional and performance testing). These different environments can be virtual, with individual configurations to simulate a variety of operating environments.
Testing and monitoring of test environments, tools and technologies also needs to be considered to ensure effective testing. The same considerations apply to monitoring of the monitoring systems deployed in development, test and production settings.
Judgement is needed, guided by the sensitivity of the systems and data, to determine how many layers of meta-testing are useful.