在ISO 27001:2013 與ISO 27001:2005差異比較#4說明新版ISO27001/27002新增了12項控制措施(controls),將一一進行解說與分享:
14.2.6 Secure development environment
安全開發環境
Control 控制措施
Organizations should establish and appropriately protect secure development environment for system development and integration efforts that covers the entire system development lifecycle.
組織宜建立及適當保護包含整個系統開發生命週期中會使用到的系統開發與整合的安全開發環境
Implementation guidance實作指引
A secure development environment includes people, processes and technology associated with system development and integration.
Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:
a) sensitivity of data to be processed, stored and transmitted by the system;
b) applicable external and internal requirements, e.g. from regulations or policies;
c) security controls already implemented by the organization that support system development;
d) trustworthiness of personnel working in the environment (see 7.1.1);
e) the degree of outsourcing associated with system development;
f ) the need for segregation between different development environments;
g) control of access to the development environment;
h) monitoring of change to the environment and code stored therein;
i) backups are stored at secure offsite locations;
j) control over movement of data from and to the environment.
Once the level of protection is determined for a specific development environment, organizations should document corresponding processes in secure development procedures and provide these to all individuals who need them.
新版的ISO 27001/27002提及要建立安全的開發環境, 並且涵蓋整個系統開發生命週期. 包含可能會處理, 儲存或傳輸的敏感資料; 人員的誠信, 外包的比例 ... 等.