iT邦幫忙


ISO 27001:2013 vs ISO 27001:2005 comparison series, part 11

Comparing ISO 27001:2013 with ISO 27001:2005 #11

Part #4 of this series explained that the new ISO 27001/27002 adds 12 new controls; this series walks through and discusses them one by one:
14.2.1 Secure development policy
Control
Rules for the development of software and systems should be established and applied to developments within the organization.
Implementation guidance

Secure development is a requirement to build up a secure service, architecture, software and system.
Within a secure development policy, the following aspects should be put under consideration:
a) security of the development environment;
b) guidance on the security in the software development lifecycle:
   1. security in the software development methodology;
   2. secure coding guidelines for each programming language used;
c) security requirements in the design phase;
d) security checkpoints within the project milestones;
e) secure repositories;
f) security in the version control;
g) required application security knowledge;
h) developers' capability of avoiding, finding and fixing vulnerabilities.

Secure programming techniques should be used both for new developments and in code re-use scenarios where the standards applied to development may not be known or were not consistent with current best practices. Secure coding standards should be considered and where relevant mandated for use.

Developers should be trained in their use, and testing and code review should verify their use.

If development is outsourced, the organization should obtain assurance that the external party complies with these rules for secure development (see 14.2.7).

The new ISO 27001/27002 recommends establishing a secure development policy that covers: a secure development environment, security guidance for the software development lifecycle, security requirements in the design phase, security checkpoints at project milestones, security responsibilities, security of version control, the application security knowledge that is required, and developers' ability to avoid, find and fix vulnerabilities.

