Today, we’re discussing ISO 27001 and its controls, focusing on Annex A:14. ISO 27001 has several controls, and we’ve covered many of them in previous articles.
ISO/IEC 27001 is the international standard for information security management. The standard helps organisations identify, control, and protect against the risks to their information systems, and it is designed to fit alongside other (integrated) management systems.
Information security, ISO 27001, and its controls like Annex A:14 are crucial in our increasingly digitised world. They outline how to implement an independently assessed and certified information security management system. ISO 27001:2015 helps organisations work more effectively to secure all financial and confidential data.
Today, we will understand exactly what Annex A:14 is, which centres on the security requirements of information security management systems.
Annex A:14 System acquisition, development, and maintenance
The objective of this Annex A area is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems that provide services over public networks.
A:14.1 Security requirements of information systems
This section contains three controls that address how information security requirements are identified and met. Any organisation seeking ISO 27001 certification must apply these controls to protect the information held on its systems and exchanged over public networks.
A:14.1.1 Information security requirements analysis and specification:
This requires an analysis that identifies and specifies the information security needs of a system. Whenever a new system is developed or an existing one is significantly changed, the business requirements should be reviewed by conducting a risk assessment. The resulting information security requirements shall be included in the requirements for new information systems or for enhancements to existing information systems.
A:14.1.2 Securing application services on public networks:
This clause covers securing application services on public networks. It means that information passing over public networks must be protected through encryption policies, multi-factor authentication, and the use of passwords. Annex A:13 states that non-disclosure or confidentiality policies and procedures must be acknowledged by all parties accessing the confidential information. This control protects information from unauthorised and fraudulent access.
A:14.1.3 Protecting application services transactions:
This requires the protection of application service transactions that handle confidential information. Incomplete transmissions, unauthorised message alterations, disclosure, message duplication, or replay could lead to the loss or compromise of information held on the systems. It is top management's responsibility to maintain the security of such systems and to ensure that such events are investigated when they occur.
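The failure modes listed above (incomplete transmission, alteration, duplication, replay) can be checked mechanically at the receiving end. The following Python code is an added example and is not part of the original article: each transaction is wrapped in an envelope carrying a nonce, a timestamp and an HMAC-SHA256 tag, and the receiver rejects anything incomplete, altered, stale or already seen; the shared key and the sample transaction are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder: in practice the key is provisioned per channel, not hard-coded.
SHARED_KEY = b"constructed-shared-secret-for-example-only"
SIGNED_FIELDS = ("payload", "nonce", "ts")


def _canonical(envelope: dict) -> bytes:
    """Serialise the signed fields deterministically so sender and receiver MAC identical bytes."""
    body = {k: envelope[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(payload: dict, key: bytes = SHARED_KEY, now=None) -> dict:
    """Sender side: attach a fresh nonce, a timestamp and an HMAC-SHA256 tag."""
    envelope = {
        "payload": payload,
        "nonce": secrets.token_hex(16),          # unique per message; lets the receiver spot duplicates
        "ts": int(time.time() if now is None else now),
    }
    envelope["tag"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class TransactionReceiver:
    """Receiver side: accepts a message only if it is complete, authentic, fresh and new."""

    def __init__(self, key: bytes = SHARED_KEY, window_seconds: int = 300):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()                 # in a real system, pruned once older than the window

    def accept(self, msg: dict, now=None):
        now = int(time.time() if now is None else now)
        if set(msg) != set(SIGNED_FIELDS) | {"tag"}:
            return False, "incomplete"           # incomplete transmission or malformed envelope
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg["tag"]).encode()):
            return False, "altered"              # payload, nonce or timestamp was modified in transit
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"                # outside the acceptance window: an old message
        if msg["nonce"] in self.seen_nonces:
            return False, "replay"               # duplicate or replayed message
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"
```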
Annex A:14.2 Security in development and support processes
This clause has nine controls aimed at ensuring that information security is built in and maintained throughout the development lifecycle of information systems. A secure development policy or procedure protects both the systems and the development activity itself. The processes for developing and implementing systems and system changes encourage the use of secure coding and development practices.
A:14.2.1 Secure development policy:
This requires a set of policies and procedures for any software development within the organisation. These policies help identify risks in the development and implementation of systems. Strong initial screening, ongoing management, and training of development staff are essential. Practices like pair programming, peer reviews, and independent quality assurance testing are positive attributes.
A:14.2.2 System change control procedures:
This requires formal procedures that control the development lifecycle by enforcing change control policies. Organisations must not overlook their responsibility to protect information and its assets when making any change. Audit logs are the best evidence to retain while following such procedures. It is also mandatory to identify and evaluate the risks involved in each change during the development lifecycle, as required across the A:14 controls.
A:14.2.3 Technical review of applications after operating platform changes:
This requires a mandatory technical review of applications whenever their operating platform is changed. All such changes must be reviewed and tested to ensure there is no adverse impact on organisational operations or security. This is a major responsibility of top management and requires extra oversight of such changes.
A:14.2.4 Restrictions on changes to software packages:
This requires a set of procedures that control internal and external changes to software packages. Restrictions must be in place to prevent modifications with adverse effects that could compromise information security.
A:14.2.5 Secure system engineering principles:
Principles for engineering secure systems must be established, documented, maintained, and applied to any information system implementation efforts. Secure software engineering principles exist at both general levels and specific to development platforms and coding languages. These principles help identify hidden risks that could lead to information loss within organisations.
A:14.2.6 Secure development environment:
Organisations need to establish and appropriately protect secure development environments for system development and integration efforts covering the entire system development lifecycle. These measures help prevent malicious or unauthorised activity from being introduced into the systems. The requirements for such environments come from business needs and from other internal and external requirements, including legislation, regulations, contractual agreements, and policies. Any changes to the technical environments must be protected and controlled.
A:14.2.7 Outsourced development:
The organisation must supervise and monitor the activity of outsourced system development. For any software outsourced to external parties, security requirements must be specified in a contract or attached agreement to reduce the risk of unauthorised access.
A:14.2.8 System security testing:
Security testing must be carried out during development. Permission from the responsible and relevant authority is required before any system security testing is run. The outcomes of such tests must be controlled and documented.
A:14.2.9 System acceptance testing:
Acceptance testing programmes and related criteria must be established for new information systems, upgrades, and new versions. Acceptance testing should also include security testing.
Annex A:14.3 Test Data
This section focuses on ensuring the protection of data used for testing.
A:14.3.1 Protection of test data:
Test data must be selected carefully, protected, and controlled. Test data, including any data used when upgrading internal operating systems, should be carefully selected, secured for the duration of the testing period, and securely deleted when testing is complete.
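One way to meet this control in practice is to never hand production records to a test environment unchanged. The following Python code is an added example and is not part of the original article: it derives a controlled test set from constructed production-like records by pseudonymising identifiers with a keyed HMAC (so records belonging to the same customer still link up), masking card numbers, and then checking that no original identifying value survived; the key and the records are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder key; it stays where the pseudonymisation runs, never in the test environment.
PSEUDONYM_KEY = b"constructed-key-for-example-only"
IDENTIFYING_FIELDS = ("customer_id", "name", "email", "card")

# Constructed production-like records; the people and card numbers are fictitious.
PRODUCTION_SAMPLE = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "card": "4111111111111111", "balance": 1250.50},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "card": "5500000000000004", "balance": 80.00},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "card": "4111111111111111", "balance": 99.99},
]


def pseudonym(field: str, value: str) -> str:
    """Keyed HMAC token: the same value always yields the same token, so referential
    integrity survives, but the original cannot be recovered without the key."""
    digest = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}-{digest[:12]}"


def mask_card(pan: str) -> str:
    """Keep only the last four digits so display and formatting logic can still be tested."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sanitise_for_test(records):
    """Build the controlled test data set: identifiers pseudonymised, card numbers masked,
    non-identifying business values (balance) retained so tests remain meaningful."""
    return [
        {
            "customer_id": pseudonym("cust", r["customer_id"]),
            "name": pseudonym("name", r["name"]),
            "email": pseudonym("user", r["email"]) + "@test.invalid",
            "card": mask_card(r["card"]),
            "balance": r["balance"],
        }
        for r in records
    ]


def leaks_production_identifiers(test_records, production_records) -> bool:
    """Release gate for the test set: True if any original identifying value survives in it."""
    originals = {r[f] for r in production_records for f in IDENTIFYING_FIELDS}
    return any(v in originals for r in test_records for v in r.values() if isinstance(v, str))
```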