
G2 Consulting

Why develop securely?


By implementing secure practices in internal development processes, or by demanding that
suppliers implement them in their processes, not only is the information itself better protected, but
organizations can achieve benefits like:
• reduced rework costs: security practices enforce more rigorous planning and scenario
evaluation, leading to better defined systems requirements and more suitable solutions.
• reduced incident costs: better planned systems and security controls minimize the
occurrence and impact of incidents.
• reduced maintenance downtime: security practices enforce more control over the
development and implementation of changes, so less time is needed to perform them, and
fewer problems arise.
• reduced liability: the adoption of secure practices is viewed as a due diligence effort to
prevent the realization of risks, which can minimize penalties in legal actions.

As for development teams, benefits would be:


• increased requirements control: requirement changes must be evaluated and formalized
before implementation.
• clear verification and validation criteria: requirements must be associated with measurable
results to be achieved.
• better justifications for resources: clear results to be achieved help support demands for
resources (e.g., competences, equipment, environments, etc.).

You should note that the degree to which secure development practices are enforced must
balance the need for security of the system and the productivity of the processes, or you may end
up changing a security problem into a productivity problem in your development processes. A
recommended tool to help find the right balance is the risk assessment table.

SDLC: System or Software Development Life Cycle?

The acronym SDLC can be attributed either to system or software when considering the
development life cycle. In brief, SDLC covers the following structured processes:
• Planning: thinking about and organizing all activities required to develop the system or
software
• Analysis: gaining a better understanding of what is expected from the system or software
• Design: defining the solution to be implemented
• Implementation: executing the activities required to create the system or software and
make it available to users
• Operation: the effective use of the system or software
• Maintenance: making changes to the system or software to ensure it does not become
obsolete
• Disposition: discarding the system or software

India: C 905 Krishna Appra Saphire, Vaibhav Khand, Indirapuram. Ghaziabad. UP. India
No. 16, First Floor, 70 HK Bld, Y M Road, Masjid Bunder, West Mumbai, India
UAE: Spark International FZE, PO Box 16111, RAK FTZ, RAK-UAE.
Algeria: No: 2 Etage Batimet Billayat, Cite Eyalarsa, SETIF, ALGERIA.

The fundamental difference regarding the term “System/Software” is that the system development
life cycle comprises not only software, but also hardware, data, people, processes, procedures,
facilities, and materials. ISO (International Organization for Standardization) has some standards
covering both the system (ISO/IEC/IEEE 15288:2015 and ISO/IEC TR 90005:2008) and software
(ISO/IEC 12207:2008 and ISO/IEC 90003:2014) approaches.

Applying ISO 27001 in the SDLC


ISO 27001 has a set of recommended security objectives and controls, described in Annex A.14
and detailed in ISO 27002 section 14, to ensure that information security is an integral part of the
systems lifecycle, including the development lifecycle, while also covering the protection of data
used for testing. By considering the following controls in SDLC processes, you can make them
more robust and, with this, enhance the effectiveness of the developed information systems
regarding information protection:
| ISO 27001 security controls | Rationale for application in an SDLC |
|---|---|
| A.14.2.5 – Secure system engineering principles; A.14.2.1 – Secure development policy; A.14.2.4 – Restrictions on changes to software packages; A.14.2.6 – Secure development environment; A.14.2.8 – System security testing; A.14.3.1 – Protection of test data | Guidelines that drive the need for secure development according to perceived business risks. Here you can define general objectives and practices, and the levels of enforcement most suitable for your SDLC framework. |
| A.14.1.1 – Information security requirements analysis and specification; A.14.1.2 – Securing application services on public networks; A.14.1.3 – Protecting application services transactions | These controls can be applied to ensure that the system’s security requirements are considered during system or software analysis and design. Controls A.14.1.2 and A.14.1.3 provide specific situations from A.14.1.1. |
| A.14.2.2 – System change control procedures; A.14.2.3 – Technical review of applications after operating platform changes; A.14.2.9 – System acceptance testing | These controls can be applied to ensure formal control of changes and that the desired results were achieved and no negative impact resulted from the changes. |
| A.14.2.7 – Outsourced development | This control can be applied to enforce secure development practices even by the organization’s suppliers. |

For more information about secure system engineering principles, see: What are secure
engineering principles in ISO 27001:2013 control A.14.2.5?

The ISO 27001 series also has a set of standards to support security management concepts and
help implement the security controls specified in ISO 27002 regarding application security. These
standards are ISO/IEC 27034-1:2011, ISO/IEC 27034-2:2015, and ISO/IEC 27034-6:2016.

Secure processes deliver secure results


As information systems grow in complexity and criticality, more vulnerability points appear. All
a wrongdoer, or a careless user, needs to cause havoc on business operations is a single point
(e.g., exploitable code, a disabled security function, an ill-planned user demand, a forgotten
patch, etc.), and traditional development practices are not able to maintain proper security levels.

By adopting SDLC together with A.14 controls from ISO 27001 to securely develop information
systems, an organization can make sure it covers the most common threats and, by treating
security as a process, be systematically and continuously working on maintaining security levels
and keeping its information and systems away from harm, while reaping the benefits of improved
processes.
