Appendix E: ISO/IEC 27002:2013 Mapping (Draft)

Columns: ISO/IEC 27002:2013 Control | TSS-WEB

12.1.4 Separation of development, testing and operational environments

Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

TSS-WEB: Yes
Control met by https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305/3.+Secure+Operation, “separation of environments”

14.2 Security in development and support processes

14.2.1 Secure development policy

Control: Rules for the development of software and systems should be established and applied to developments within the organization.

TSS-WEB: Yes
TSS-WEB provides a template for such a policy:

a) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Secure+Development+Environment

b)
  1. https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process
  2. Not covered, see our Security Guidelines for Confluence if you need them.

c) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process

d) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process, “Security approvals”

e) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Secure+Development+Environment

f) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process, “Defect tracking”

g) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/335675582/1.4+Roles

h) See “developer tests” in https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests

14.2.2 System change control procedures

Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.

TSS-WEB: Yes
Control met by https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process, “Assessment of functional requirements and changes”.

14.2.3 Technical review of applications after operating platform changes

Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

TSS-WEB: No
Not relevant for web-based applications.

14.2.4 Restrictions on changes to software packages

Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

TSS-WEB: No
Not relevant for web-based applications.

14.2.5 Secure system engineering principles

Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.

TSS-WEB: Yes
See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/327729/8.1+General+Design+Principles

14.2.6 Secure development environment

Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:

TSS-WEB: Yes
See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets

14.2.7 Outsourced development

Control: The organization should supervise and monitor the activity of outsourced system development.

TSS-WEB: Yes
See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/294930/7.+Outsourced+Development

14.2.8 System security testing

Control: Testing of security functionality should be carried out during development.

TSS-WEB: Yes
See “custom security & developer tests” at https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests

14.2.9 System acceptance testing

Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.

TSS-WEB: Yes
See “custom security & developer tests” at https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests

14.3 Test data

14.3.1 Protection of test data

Control: Test data should be selected carefully, protected and controlled.

TSS-WEB: Yes
See “general requirement” at https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests