ISMS-DOC-A14-2 Secure Development Policy


Secure Development Policy [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes the organization’s policy regarding the development of applications and associated components in a secure way.

Areas of the standard addressed

The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:

• A.5 Information security policies
  o A.5.1 Management direction for information security
    ▪ A.5.1.1 Policies for information security
• A.14 System acquisition, development and maintenance
  o A.14.2 Security in development and support processes
    ▪ A.14.2.1 Secure development policy
    ▪ A.14.2.7 Outsourced development
    ▪ A.14.2.8 System security testing
  o A.14.3 Test data
    ▪ A.14.3.1 Protection of test data

General guidance

This is an important document because it covers several requirements. It sets out how you will ensure that the code you (and your suppliers) produce is as secure as possible. Note that if you have a purely COTS (Commercial Off the Shelf) package approach then many of these requirements will be inapplicable and marked as such in your Statement of Applicability.

Review frequency

We would recommend that this document is reviewed annually.

Version 1

Page 2 of 16

[Insert date]

