Framework FAQs
      Back to home
      2. Framework FAQs

      ISO 27001: 2022 A.8.30 Outsourced development

      This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.30 Outsourced development.

      ISO 27001: 2022 Control Description

      The organization shall direct, monitor and review the activities related  to outsourced system development.

      Purpose

      To ensure that the necessary information security measures required by the organisation are implemented in outsourced system development.

      Guidance on implementation

      When outsourcing system development, the organisation must clearly communicate and agree on its security requirements and expectations with the external provider. It is also essential to continuously monitor and review the outsourced work to ensure it meets these agreed-upon standards. The following factors should be considered across the entire external supply chain:

      1. Licensing Agreements and Intellectual Property
        Ensure that licensing agreements, code ownership, and intellectual property rights related to the outsourced work are clearly defined and understood.
      2. Contractual Security Requirements
        Include specific requirements in contracts for secure design, coding, and testing practices to ensure that the development process adheres to security standards.
      3. Threat Modelling
        Provide external developers with the organisation’s threat model to ensure they consider potential security risks during development.
      4. Acceptance Testing
        Establish acceptance testing procedures to verify the quality and accuracy of the deliverables, ensuring they meet the organisation's standards.
      5. Security and Privacy Assurance
        Require evidence that the outsourced work meets minimum acceptable levels of security and privacy capabilities, such as assurance reports.
      6. Testing for Malicious Content
        Ensure that thorough testing is conducted to prevent the presence of malicious content, whether intentional or unintentional, in the delivered product.
      7. Vulnerability Testing
        Verify that sufficient testing has been performed to detect and mitigate known vulnerabilities in the software.
      8. Escrow Agreements
        Consider escrow agreements for the software source code, which can be vital if the supplier goes out of business.
      9. Right to Audit
        Include a contractual right to audit the development processes and controls used by the external provider.
      10. Secure Development Environment
        Define and enforce security requirements for the external provider's development environment.
      11. Compliance with Legislation
        Ensure that the outsourced development complies with applicable laws and regulations, such as those concerning personal data protection.