130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Controls (A.14):
  • Control A.14.1.1: Information Security Requirements Analysis and Specification
  • Control A.14.1.2: Securing Application Services on Public Networks
  • Control A.14.1.3: Protecting Application Services Transactions
  • Control A.14.2.1: Secure Development Policy
  • Control A.14.2.2: System Change Control Procedures
  • Control A.14.2.3: Technical Review of Applications after Operating Platform Changes
  • Control A.14.2.4: Restrictions on Changes to Software Packages
  • Control A.14.2.5: Secure System Engineering Principles
  • Control A.14.2.6: Secure Development Environment
  • Control A.14.2.7: Outsourced Development
  • Control A.14.2.8: System Security Testing
  • Control A.14.2.9: System Acceptance Testing

Was this helpful?

  1. ISO 27001
  2. ISO 27001 Controls and Domains

10. System Acquisition, Development, and Maintenance

This category ensures that information security is integrated into the organization's systems throughout their lifecycle, including acquisition, development, and maintenance phases. It focuses on secure design principles, protecting application services, and managing vulnerabilities in systems.

Controls (A.14):

  • A.14.1.1: Information Security Requirements Analysis and Specification

  • A.14.1.2: Securing Application Services on Public Networks

  • A.14.1.3: Protecting Application Services Transactions

  • A.14.2.1: Secure Development Policy

  • A.14.2.2: System Change Control Procedures

  • A.14.2.3: Technical Review of Applications after Operating Platform Changes

  • A.14.2.4: Restrictions on Changes to Software Packages

  • A.14.2.5: Secure System Engineering Principles

  • A.14.2.6: Secure Development Environment

  • A.14.2.7: Outsourced Development

  • A.14.2.8: System Security Testing

  • A.14.2.9: System Acceptance Testing

Control A.14.1.1: Information Security Requirements Analysis and Specification

Audit Questions:

  • How are information security requirements identified and specified in new systems?

  • Are security requirements documented and integrated into the development lifecycle?

Common Non-Conformities (NC):

  • Lack of documented security requirements.

  • Inadequate integration of security into the development lifecycle.

Control A.14.1.2: Securing Application Services on Public Networks

Audit Questions:

  • What measures are in place to secure application services accessible via public networks?

  • How is data transmitted over public networks protected?

Common Non-Conformities (NC):

  • Insufficient security measures for public-facing applications.

  • Inadequate protection for data transmitted over public networks.

Control A.14.1.3: Protecting Application Services Transactions

Audit Questions:

  • How are transactions processed by application services protected?

  • Are there measures to ensure the integrity and confidentiality of transactions?

Common Non-Conformities (NC):

  • Lack of measures to protect application service transactions.

  • Transactions vulnerable to integrity or confidentiality breaches.

Control A.14.2.1: Secure Development Policy

Audit Questions:

  • Is there a secure development policy in place?

  • How is the policy communicated to developers and integrated into development processes?

Common Non-Conformities (NC):

  • No secure development policy.

  • Poor communication and integration of the policy.

Control A.14.2.2: System Change Control Procedures

Audit Questions:

  • Are there procedures for managing changes to systems?

  • How are changes evaluated for security impacts before implementation?

Common Non-Conformities (NC):

  • No change control procedures.

  • Changes implemented without security impact evaluation.

Control A.14.2.3: Technical Review of Applications after Operating Platform Changes

Audit Questions:

  • How are applications reviewed after changes to the operating platform?

  • Are there procedures to ensure compatibility and security after platform changes?

Common Non-Conformities (NC):

  • Applications not reviewed after operating platform changes.

  • Lack of procedures to ensure security and compatibility.

Control A.14.2.4: Restrictions on Changes to Software Packages

Audit Questions:

  • Are there restrictions on modifying software packages?

  • How are unauthorized changes to software packages prevented?

Common Non-Conformities (NC):

  • No restrictions on changes to software packages.

  • Unauthorized modifications to software packages.

Control A.14.2.5: Secure System Engineering Principles

Audit Questions:

  • Are secure engineering principles applied to system design and development?

  • How are these principles documented and enforced?

Common Non-Conformities (NC):

  • Lack of secure system engineering principles.

  • Poor documentation and enforcement of engineering principles.

Control A.14.2.6: Secure Development Environment

Audit Questions:

  • How is the development environment secured?

  • What measures are in place to protect development resources and data?

Common Non-Conformities (NC):

  • Inadequate security measures for the development environment.

  • Development resources and data not sufficiently protected.

Control A.14.2.7: Outsourced Development

Audit Questions:

  • How is security managed in outsourced development projects?

  • Are there agreements to ensure security requirements are met by third parties?

Common Non-Conformities (NC):

  • Poor management of security in outsourced development.

  • No agreements to ensure third-party compliance with security requirements.

Control A.14.2.8: System Security Testing

Audit Questions:

  • Are systems tested for security vulnerabilities?

  • How is security testing integrated into the development and maintenance processes?

Common Non-Conformities (NC):

  • No security testing for systems.

  • Security testing not integrated into development and maintenance.

Control A.14.2.9: System Acceptance Testing

Audit Questions:

  • Are systems subjected to acceptance testing before deployment?

  • How is security included in acceptance testing criteria?

Common Non-Conformities (NC):

  • Lack of acceptance testing for systems.

  • Security not included in acceptance testing criteria.

Previous9. Communications SecurityNext11. Supplier Relationships

Last updated 4 months ago

Was this helpful?