Appendix E: ISO/IEC 27002:2013 Mapping (Draft)
ISO/IEC 27002:2013 Control | TSS-WEB |
|---|---|
12.1.4 Separation of development, testing and operational environments Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. | Yes Control met by https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305, “separation of environments” |
14.2 Security in development and support processes | |
14.2.1 Secure development policy Control: Rules for the development of software and systems should be established and applied to developments within the organization. | Yes TSS-WEB provides a template for such a policy: a) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878 b)
c) See d) See , “Security approvals” e) See f) See , “Defect tracking” g) See h) See “developer tests” in
|
14.2.2 System change control procedures Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. | Yes Control met by , “Assessment of functional requirements and changes”. |
14.2.3 Technical review of applications after operating platform changes Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | No Not relevant for web-based applications. |
14.2.4 Restrictions on changes to software packages Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. | No Not relevant for web-based applications. |
14.2.5 Secure system engineering principles Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. | Yes See |
14.2.6 Secure development environment Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering: | Yes See |
14.2.7 Outsourced development Control: The organization should supervise and monitor the activity of outsourced system development. | Yes See |
14.2.8 System security testing Control: Testing of security functionality should be carried out during development. | Yes See “custom security & developer tests” at |
14.2.9 System acceptance testing Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. | Yes See “custom security & developer tests” at |
14.3 Test data | |
14.3.1 Protection of test data Control: Test data should be selected carefully, protected and controlled. | Yes See “general requirement” at |