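As noted in "Comparison of the Differences between ISO 27001:2013 and ISO 27001:2005 #4", the new edition of ISO 27001/27002 adds 12 new controls. Each will be explained and shared in turn: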
14.2.5 System development procedures
Control
Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.
Implementation guidance
Secure information system engineering procedures based on security engineering principles should be established, documented and applied to in-house information system engineering activities. Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility. New technology should be analysed for security risks and the design should be reviewed against known attack patterns.
These principles and the established engineering procedures should be regularly reviewed to ensure that they are effectively contributing to enhanced standards of security within the engineering process. They should also be regularly reviewed to ensure that they remain up-to-date in terms of combating any new potential threats and in remaining applicable to advances in the technologies and solutions being applied.
The established security engineering principles should be applied, where applicable, to outsourced information systems through the contracts and other binding agreements between the organization and the supplier to whom the organization outsources. The organization should confirm that the rigour of suppliers’ security engineering principles is comparable with its own.
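The new edition of ISO 27001/27002 recommends establishing engineering principles for secure systems: security should be designed into all architecture layers, the principles should be reviewed regularly to ensure continued attention to new potential threats, and, when work is outsourced, the relevant requirements should be written into the agreements, among other points.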