ISO 27001:2022 A.8.30 Outsourced development

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.8.30, Outsourced development.

ISO 27001:2022 Control Description

The organization shall direct, monitor and review the activities related to outsourced system development.

Purpose

To ensure that the necessary information security measures required by the organisation are implemented in outsourced system development.

Guidance on implementation

When outsourcing system development, the organisation must clearly communicate its security requirements and expectations to the external provider and obtain agreement on them, ideally in the contract itself. It must also monitor and review the outsourced work throughout the engagement to confirm that it meets the agreed standards. Outsourcing the development does not outsource accountability: the organisation remains responsible for complying with applicable laws and regulations and for verifying that the agreed controls are effective. The following factors should be considered across the entire external supply chain, including any subcontractors the provider uses:

  1. Licensing Agreements and Intellectual Property
    Ensure that licensing agreements, code ownership, and intellectual property rights related to the outsourced work are clearly defined and understood.
  2. Contractual Security Requirements
    Include specific requirements in contracts for secure design, coding, and testing practices to ensure that the development process adheres to security standards.
  3. Threat Modelling
    Provide external developers with the organisation’s threat model to ensure they consider potential security risks during development.
  4. Acceptance Testing
    Establish acceptance testing procedures to verify the quality and accuracy of the deliverables, ensuring they meet the organisation's standards.
  5. Security and Privacy Assurance
    Require evidence that the outsourced work meets minimum acceptable levels of security and privacy capabilities, such as assurance reports.
  6. Testing for Malicious Content
    Test deliverables before acceptance for malicious content, whether it was introduced deliberately or by accident (for example, through a compromised third-party component).
  7. Vulnerability Testing
    Verify that sufficient testing has been performed to detect and mitigate known vulnerabilities, both in the code written by the provider and in the third-party components it includes.
  8. Escrow Agreements
    Consider an escrow agreement for the software source code so that it remains available if, for example, the supplier goes out of business or can no longer support the product.
  9. Right to Audit
    Include a contractual right to audit the development processes and controls used by the external provider.
  10. Secure Development Environment
    Define and enforce security requirements for the external provider's development environment.
  11. Compliance with Legislation
    Ensure that the outsourced development complies with applicable laws and regulations, such as those concerning personal data protection.