This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.8.30 Outsourced development.
ISO 27001:2022 Control Description
The organization shall direct, monitor and review the activities related to outsourced system development.
Purpose
To ensure that the necessary information security measures required by the organisation are implemented in outsourced system development.
Guidance on implementation
When outsourcing system development, the organisation must clearly communicate and agree on its security requirements and expectations with the external provider. It is also essential to continuously monitor and review the outsourced work to ensure it meets these agreed-upon standards. The following factors should be considered across the entire external supply chain:
- Licensing Agreements and Intellectual Property: Ensure that licensing agreements, code ownership, and intellectual property rights related to the outsourced work are clearly defined and understood.
- Contractual Security Requirements: Include specific requirements in contracts for secure design, coding, and testing practices to ensure that the development process adheres to security standards.
- Threat Modelling: Provide external developers with the organisation's threat model to ensure they consider potential security risks during development.
- Acceptance Testing: Establish acceptance testing procedures to verify the quality and accuracy of the deliverables, ensuring they meet the organisation's standards.
- Security and Privacy Assurance: Require evidence that the outsourced work meets minimum acceptable levels of security and privacy capabilities, such as assurance reports.
- Testing for Malicious Content: Ensure that thorough testing is conducted to prevent the presence of malicious content, whether intentional or unintentional, in the delivered product.
- Vulnerability Testing: Verify that sufficient testing has been performed to detect and mitigate known vulnerabilities in the software.
- Escrow Agreements: Consider escrow agreements for the software source code, which can be vital if the supplier goes out of business.
- Right to Audit: Include a contractual right to audit the development processes and controls used by the external provider.
- Secure Development Environment: Define and enforce security requirements for the external provider's development environment.
- Compliance with Legislation: Ensure that the outsourced development complies with applicable laws and regulations, such as those concerning personal data protection.