
ISO 27001 Annex A Technological Controls Explained

The technological infrastructure of an organisation plays a pivotal role in maintaining the security, integrity, and availability of information. Section 8 of Annex A in ISO 27001:2022, titled "Technological Controls," focuses on the essential safeguards that need to be implemented to protect the technological assets and systems that are the backbone of modern organisations.

This section of Annex A addresses the risks associated with user endpoint devices, network security, software development, and information systems management, ensuring that organisations can effectively defend against ever-evolving cyber threats.


The controls within this section are designed to fortify every aspect of an organisation's technological environment—from managing user access and securing data to implementing rigorous software development practices and ensuring robust network security.



By embedding controls into the organisation's information security management system (ISMS), businesses can create a resilient infrastructure that prevents unauthorised access and data breaches and ensures continuity and reliability in the face of disruptions.


Section 8 emphasises the importance of integrating security into every phase of the technology lifecycle, advocating for proactive measures such as secure coding practices, vulnerability management, and comprehensive monitoring.


Additionally, it underscores the need for stringent controls over privileged access, cryptography, critical systems and network management.


Adhering to these technological controls can significantly reduce risk exposure and protect organisations' most valuable digital assets against internal and external threats.


8.1 User Endpoint Devices


Purpose

User endpoint devices, such as laptops, desktops, mobile phones, and tablets, are often the first point of interaction with an organisation's information systems.


Protecting these devices is critical as they can store, process, and access sensitive information. This control ensures adequate security measures are in place to protect user endpoint devices from unauthorised access, malware, and other threats that could compromise the organisation's data.


Implementation

Organisations should implement security measures such as encryption, strong authentication mechanisms, and endpoint security software (e.g., antivirus, anti-malware) to protect user endpoint devices.


Devices should be configured to lock automatically after a period of inactivity, and users should be required to use strong, unique passwords.


Regular updates and patches should be applied to the operating systems and installed software to address known vulnerabilities.


Additionally, organisations should establish policies for the secure use of endpoint devices, especially outside the organisation's premises, and ensure that employees are trained to recognise and avoid security risks.


 

8.2 Privileged Access Rights


Purpose

Privileged access rights provide users with elevated permissions to perform tasks that could significantly impact the organisation's information systems. This control is designed to restrict and manage the allocation of these rights to reduce the risk of intentional or accidental misuse, which could lead to security breaches or data loss.


Implementation

To manage privileged access rights, organisations should implement the principle of least privilege, granting users only the minimum level of access necessary to perform their job functions.


A formal process should be in place for requesting, approving, and assigning privileged access, and all privileged activities should be logged and monitored.


Access rights should be regularly reviewed and adjusted, particularly when an employee's role changes or the employee leaves the organisation.


Multi-factor authentication (MFA) should be used to secure accounts with privileged access, and privileged users should be given additional training on the importance of safeguarding their credentials.
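The review step described above, as an added example that is not part of the original article: a Python reconciliation of privileged group membership against the HR roster that flags leavers, role changes and stale approvals for revocation. The entitlement table (which roles may hold which groups), the roster and the grant records are constructed for the example.

```python
"""Privileged access review: reconcile group membership against the HR roster.

Added example, not from the article. Data and entitlement policy are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Employee:
    user: str
    role: str
    active: bool          # False once HR has processed the leaver


@dataclass
class PrivilegedGrant:
    user: str
    group: str
    approved_for_role: str   # role stated on the approved access request
    approved_on: date


@dataclass
class Finding:
    user: str
    group: str
    reason: str


# Constructed policy: which job roles may hold which privileged group.
ENTITLEMENTS = {
    "domain-admins": {"platform-engineer"},
    "db-admins": {"dba", "platform-engineer"},
    "payroll-approvers": {"finance-manager"},
}


def review_privileged_access(roster, grants, today, max_age_days=90):
    """Return grants to revoke or re-approve: leavers, role changes, stale approvals."""
    by_user = {e.user: e for e in roster}
    findings = []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None or not emp.active:
            # Account has no active owner: revoke immediately.
            findings.append(Finding(g.user, g.group, "leaver or unknown account"))
        elif emp.role not in ENTITLEMENTS.get(g.group, set()):
            # Role has changed since approval and the new role is not entitled.
            findings.append(Finding(g.user, g.group,
                                    f"role changed {g.approved_for_role} -> {emp.role}"))
        elif (today - g.approved_on).days > max_age_days:
            # Still entitled, but the approval must be renewed each review cycle.
            findings.append(Finding(g.user, g.group, "approval older than review period"))
    return findings


# Constructed sample data for the review.
ROSTER = [
    Employee("alice", "platform-engineer", True),
    Employee("bob", "finance-manager", True),
    Employee("carol", "dba", True),
    Employee("dave", "dba", False),                 # left the organisation
]
GRANTS = [
    PrivilegedGrant("alice", "domain-admins", "platform-engineer", date(2024, 5, 1)),
    PrivilegedGrant("bob", "payroll-approvers", "finance-manager", date(2024, 6, 10)),
    PrivilegedGrant("bob", "domain-admins", "platform-engineer", date(2024, 6, 20)),  # moved to finance
    PrivilegedGrant("carol", "db-admins", "dba", date(2024, 1, 15)),                  # approval stale
    PrivilegedGrant("dave", "db-admins", "dba", date(2024, 3, 1)),                    # leaver
    PrivilegedGrant("erin", "domain-admins", "platform-engineer", date(2024, 6, 1)),  # not on roster
]


def sample_review():
    return review_privileged_access(ROSTER, GRANTS, date(2024, 7, 1))


if __name__ == "__main__":
    for f in sample_review():
        print(f"REVOKE/RE-APPROVE {f.user:6} {f.group:18} {f.reason}")
```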

 

8.3 Information Access Restriction


Purpose

Restricting access to information ensures that only authorised personnel can view or modify sensitive data, reducing the risk of breaches and unauthorised access. This control ensures that access to information and other associated assets is limited based on the established access control policies within the organisation.


Implementation

To implement this control, organisations should establish and enforce access control policies that define who can access specific information and under what conditions.


Access should be granted based on roles and responsibilities, ensuring users can only access the information necessary for their job functions.


Access controls should be enforced through technical measures such as role-based access control (RBAC), access control lists (ACLs), and encryption.


Regular audits should be conducted to ensure that access rights are correctly assigned and that any unauthorised access attempts are detected and addressed promptly.

 

8.4 Access to Source Code


Purpose

Source code is a critical asset in software development. It contains the intellectual property and logic that drives software applications.


Unauthorised access to source code can lead to significant security risks, including the introduction of vulnerabilities or intellectual property theft. This control ensures that read and write access to source code, development tools, and software libraries is appropriately managed.


Implementation

To protect access to source code, organisations should implement access controls that limit who can view and modify code repositories. This can be achieved using version control systems (VCS) with integrated access management features, such as Git with branch protection rules.


Only authorised developers should have write access to the source code, and changes should be reviewed through a formal peer review process before being merged.


Additionally, audit logs should be maintained to track all changes to the source code, and regular security reviews should be conducted to ensure no vulnerabilities have been introduced.


Sensitive components of the code should be encrypted or otherwise protected to prevent unauthorised access.

 

8.5 Secure Authentication


Purpose

Secure authentication is essential for verifying the identity of users before granting access to information systems. This control ensures robust authentication technologies and procedures are implemented to prevent unauthorised access and protect sensitive data.


Implementation

To implement secure authentication, organisations should adopt multi-factor authentication (MFA) wherever possible. MFA combines something the user knows (e.g., a password) with something they have (e.g., a token) or something they are (e.g., biometric data).


Password policies should enforce strong, complex passwords that are regularly changed and not reused across multiple accounts.


Authentication systems should be configured to detect and block brute force attacks, and failed login attempts should be logged and monitored for signs of suspicious activity.


Organisations should also consider using single sign-on (SSO) solutions to streamline the authentication process and reduce the risk of user credential fatigue.

 

8.6 Capacity Management


Purpose

Capacity management ensures that the organisation's information systems can handle current and future demands without compromising performance or security. This control focuses on monitoring and adjusting resource use to ensure systems remain operational and responsive under varying loads.


Implementation

To implement capacity management, organisations should regularly monitor their information systems' performance and resource usage, including CPU, memory, storage, and network bandwidth.


Monitoring software and performance analytics tools can help track system load and identify potential bottlenecks before they affect performance.


Based on these insights, organisations should plan for future capacity needs, scaling resources up or down to meet anticipated demand. This may involve provisioning additional hardware, optimising existing resources, or moving to cloud-based solutions that offer greater flexibility.


Capacity management should be an ongoing process, with regular reviews and adjustments made to align with business growth and changes in usage patterns.

 

8.7 Protection Against Malware


Purpose

Malware poses a significant threat to information systems, capable of causing data loss, theft, and operational disruption. This control ensures that effective measures are in place to protect against malware infections, supported by appropriate user awareness.


Implementation

To protect against malware, organisations should deploy comprehensive endpoint protection solutions that include antivirus, anti-malware, and anti-spyware capabilities. These solutions should be configured to update automatically with the latest threat definitions and to perform regular scans of all devices.


Users should be trained to recognise and avoid common malware vectors, such as phishing emails, suspicious downloads, and unsecured websites.


Network security measures, such as firewalls and intrusion detection systems (IDS), should be used to prevent the spread of malware within the organisation's infrastructure.


In the event of a malware infection, incident response procedures should be in place to contain and eradicate the threat and recover any affected systems.

 

8.8 Management of Technical Vulnerabilities


Purpose

Attackers can exploit technical vulnerabilities in software and hardware to gain unauthorised access to information systems. This control focuses on identifying, evaluating, and addressing technical vulnerabilities to reduce the organisation's exposure to threats.


Implementation

To manage technical vulnerabilities, organisations should establish a vulnerability management program that includes regular scanning of information systems for known vulnerabilities.


Tools such as vulnerability scanners and penetration testing should be used to identify weaknesses in systems, applications, and network configurations.


Once identified, vulnerabilities should be prioritised based on their severity and the potential impact on the organisation, and remediation efforts should be promptly initiated. This may involve applying patches, reconfiguring systems, or turning off vulnerable services.


Organisations should also stay informed about newly discovered vulnerabilities by subscribing to security bulletins and vendor advisories, and they should ensure that their systems are regularly updated to address these issues.

 

8.9 Configuration Management


Purpose

Configuration management is essential for maintaining the integrity and security of information systems by ensuring that configurations are consistently applied, documented, and monitored. This control ensures that hardware, software, services, and network configurations are properly managed to prevent security misconfigurations and unauthorised changes.


Implementation

To implement configuration management, organisations should establish a baseline configuration for all systems, which includes security settings, access controls, and system hardening measures.


Configuration changes should be documented and managed through a formal change control process to ensure that all modifications are approved, tested, and rolled out consistently across the environment.


Tools such as configuration management databases (CMDB) and automation scripts can enforce and monitor configurations, ensuring that systems comply with the established baseline.


Regular audits should be conducted to verify configurations are applied correctly and detect unauthorised changes. Configuration management processes should be continuously reviewed and updated to adapt to security requirements and technological changes.

 

8.10 Information Deletion


Purpose

Information must be securely deleted to prevent unauthorised access or recovery when it is no longer required. This control ensures that data stored in information systems, devices, or other storage media is irretrievably erased when no longer needed, thereby protecting the organisation from potential data breaches.


Implementation

To implement secure information deletion, organisations should establish policies and procedures that specify when and how data should be deleted. These procedures should include data wiping tools that overwrite information on storage media multiple times, making it impossible to recover.


Physical destruction of storage media, such as shredding or degaussing, may be required for highly sensitive information.


Information deletion processes should be documented, and logs should be maintained to provide evidence that data has been securely deleted.


Employees should be trained on the importance of secure deletion and on using the approved tools and techniques. Regular audits should be conducted to ensure compliance with the information deletion policy.

 

8.11 Data Masking

Purpose

Data masking obscures sensitive information, making it accessible for authorised use while preventing exposure to the actual data. This control ensures that data masking is applied according to the organisation's policies and business requirements, protecting sensitive information in non-production environments or when sharing data with third parties.


Implementation

To implement data masking, organisations should identify which data requires masking based on its sensitivity and the context in which it will be used.


Data masking tools should be used to replace sensitive data elements with fictitious or scrambled values while maintaining the data's usability for testing, development, or analysis.


Masking techniques should follow the organisation's data protection and access control policies.


The organisation should ensure that masked data cannot be easily reverse-engineered to reveal the original information.


Regular reviews should be conducted to evaluate the effectiveness of data masking processes and to update them as necessary to address new threats or changes in data handling practices.
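An added example, not from the article, of the masking and reversibility check described above: keyed pseudonymisation in Python (HMAC-SHA256 under a key that stays on the production side and never reaches the non-production environment) that keeps emails and card numbers in a usable, consistent format, shown beside a common weak masking that retains original digits, and a check that no run of the original value survives. The key, the sample values and the six-digit leak window are constructed for the example.

```python
"""Keyed, format-preserving pseudonymisation for non-production data.

Added example, not from the article. MASKING_KEY and sample values are constructed;
in practice the key is held only by the production-side masking job.
"""
import hashlib
import hmac
import re

MASKING_KEY = b"constructed-example-key-do-not-reuse"


def _prf(key: bytes, label: str, value: str) -> bytes:
    # The label separates domains so an email and a PAN never share a token space.
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()


def luhn_check_digit(payload: str) -> int:
    """Check digit for a 15-digit payload (rightmost payload digit is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_email(key: bytes, email: str) -> str:
    """Same input -> same pseudonym, so joins in test data still work; the real
    local part and domain are dropped entirely."""
    token = _prf(key, "email", email.strip().lower()).hex()[:10]
    return f"user-{token}@example.invalid"


def mask_card(key: bytes, pan: str) -> str:
    """16-digit Luhn-valid number derived from the key; no original digits retained,
    so validation logic in test systems still passes but the PAN is not recoverable
    without the key."""
    digits = re.sub(r"\D", "", pan)
    payload = str(int.from_bytes(_prf(key, "pan", digits), "big"))[:15]
    return payload + str(luhn_check_digit(payload))


def naive_mask_card(pan: str) -> str:
    """Common but weak: keeps the BIN and last four, which together narrow the card
    down far enough to be useful to an attacker."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * 6 + digits[-4:]


def leaks_original(original: str, masked: str, window: int = 6) -> bool:
    """Reversibility check: does any run of `window` original digits, or the
    email local part, survive in the masked value?"""
    digits = re.sub(r"\D", "", original)
    if any(digits[i:i + window] in masked for i in range(len(digits) - window + 1)):
        return True
    local = original.split("@")[0].lower()
    return "@" in original and local in masked.lower()


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"          # constructed test PAN
    for name, value in [("keyed", mask_card(MASKING_KEY, pan)), ("naive", naive_mask_card(pan))]:
        print(f"{name}: {value}  leaks={leaks_original(pan, value)}")
    print(mask_email(MASKING_KEY, "Alice.Smith@Corp.example"))
```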

 

8.12 Data Leakage Prevention


Purpose

Data leakage prevention (DLP) controls are designed to detect and prevent unauthorised transmission or exposure of sensitive information outside the organisation's control. This control ensures that measures are in place to protect against data leakage across systems, networks, and devices that process, store, or transmit sensitive information.


Implementation

To implement DLP, organisations should deploy DLP solutions that monitor and control the flow of sensitive information across the network, endpoints, and cloud environments. Based on predefined policies, these solutions should be configured to detect and block attempts to transmit sensitive data through email, file sharing, or removable media.


Organisations should define and enforce policies that specify which data types are sensitive and how they should be handled.


Alerts should be generated for potential data leakage incidents, and incidents should be investigated and addressed promptly.


Employees should be trained on data handling best practices and the importance of preventing data leakage.


Regular audits and reviews should be conducted to ensure the effectiveness of DLP controls and to update them as needed.

 

8.13 Information Backup


Purpose

Information backup is critical for ensuring that data can be recovered during data loss, corruption, or a security incident. This control ensures that backup copies of information, software, and systems are maintained, regularly tested, and securely stored according to the organisation's backup policy.


Implementation

To implement effective information backup, organisations should develop a backup policy that specifies the frequency, scope, and retention period for backups.


Backup processes should be automated to ensure consistency and minimise human error risk.


Backups should be stored in secure, geographically separate locations to protect against localised disasters.


Backups should be regularly tested to verify their integrity and ensure that data can be restored in case of an incident.


Encryption should be used to protect backup data, both in transit and at rest, to prevent unauthorised access.


Organisations should also maintain detailed records of backup activities and regularly review their backup policy to ensure it meets current business needs and security requirements.

 

8.14 Redundancy of Information Processing Facilities


Purpose

Redundancy is essential for ensuring the availability of information processing facilities in the event of a hardware failure, network disruption, or other incidents. This control ensures redundancy is built into the organisation's critical systems to meet availability requirements and minimise downtime.


Implementation

To implement redundancy, organisations should identify critical information processing facilities and assess the potential impact of their failure on business operations.


Based on this assessment, redundancy should be incorporated into these systems, such as using redundant servers, network paths, power supplies, and storage devices.


Load balancing and failover mechanisms should be configured to automatically redirect traffic or workloads to backup systems in the event of a failure.


Regular testing of redundancy measures should be conducted to ensure that they function as intended and that systems can continue operating without interruption.


Documentation should be maintained to detail the redundancy architecture and to guide response efforts during an incident.

 

8.15 Logging

Purpose

Logging is critical for maintaining an audit trail of activities within the organisation's information systems. This trail can be used to detect and investigate security incidents and ensure compliance with legal and regulatory requirements. This control ensures that logs are produced, stored, protected, and analysed to provide visibility into system activities.


Implementation

To implement effective logging, organisations should establish policies defining what types of activities should be logged, including user actions, system events, exceptions, and faults.


Logs should be timestamped and securely stored in a centralised logging system protected against tampering and unauthorised access.


Logging should be configured to capture sufficient detail to support forensic investigations and compliance audits without overwhelming the system with excessive data.


Logs should be regularly reviewed and analysed for signs of suspicious activity or anomalies, and any identified issues should be promptly investigated.


The organisation should also ensure that log retention policies comply with legal and regulatory requirements and that logs are securely archived for the required duration.
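One way to make centrally stored logs tamper-evident, as an added example that is not from the article: a SHA-256 hash chain over entries in Python, with the head hash copied to a separate system so that both modified entries and removed entries are detected. The records and the "external anchor" variable are constructed for the example.

```python
"""Tamper-evident log: SHA-256 hash chain with an externally anchored head.

Added example, not from the article. Records are constructed; the anchor stands in
for a copy of the head hash kept on a separate system (or a signed timestamp).
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON so that key order or whitespace cannot change the hash.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a record; its hash commits to every earlier entry through prev."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "record": record}
    entry["hash"] = entry_hash(prev, entry["seq"], record)
    log.append(entry)
    return entry


def verify(log: list, anchored_head=None):
    """Return (ok, detail). Catches modified, reordered and inserted entries;
    with an anchor it also catches removed entries and a rewritten chain."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at entry {i}"
        if e["hash"] != entry_hash(prev, i, e["record"]):
            return False, f"entry {i} modified"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        # Whoever controls the log store can truncate or rebuild the whole chain;
        # only comparison with a head hash held elsewhere detects that.
        return False, "head differs from external anchor: entries removed or log rewritten"
    return True, f"{len(log)} entries verified"


SAMPLE_RECORDS = [  # constructed
    {"ts": "2024-07-01T10:00:01Z", "user": "alice", "event": "login", "result": "ok"},
    {"ts": "2024-07-01T10:02:17Z", "user": "bob", "event": "sudo", "cmd": "systemctl restart db"},
    {"ts": "2024-07-01T10:05:40Z", "user": "bob", "event": "file_read", "path": "/etc/shadow"},
]


def demo() -> dict:
    log = []
    for record in SAMPLE_RECORDS:
        append(log, record)
    anchor = log[-1]["hash"]                        # shipped to a separate system

    tampered = copy.deepcopy(log)
    tampered[1]["record"]["user"] = "mallory"       # rewrite who ran the command
    truncated = copy.deepcopy(log[:-1])             # drop the last entry

    return {
        "intact": verify(log, anchor),
        "tampered": verify(tampered, anchor),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, anchor),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:22} {'OK ' if ok else 'BAD'} {detail}")
```

Without the anchor a truncated chain still verifies, which is why the head hash has to leave the log server.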

 

8.16 Monitoring Activities


Purpose

Monitoring activities are essential for detecting and responding to security incidents in real time. This control ensures that networks, systems, and applications are continuously monitored for abnormal behaviour, allowing the organisation to take appropriate actions to mitigate potential threats.


Implementation

To implement monitoring, organisations should deploy security information and event management (SIEM) systems that collect and analyse data across the network, endpoints, and applications. These systems should be configured to detect suspicious behaviour patterns, such as unusual login attempts, data exfiltration, or unauthorised access.


Monitoring should be conducted 24/7, with automated alerts sent to the security team when potential incidents are detected.


The organisation should also establish procedures for responding to monitoring alerts, including investigating the incident, containing the threat, and restoring normal operations.


Regular reviews should be conducted to ensure that monitoring tools are effectively tuned to detect current threats and that response processes are efficient and effective.
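Detection logic for the failed-login monitoring called for in 8.5 and the unusual-login-attempt detection called for in 8.16, as an added Python example that is not from the article: it parses sshd-style log lines, keeps a sliding window of failures per source address, and alerts on a brute-force rate and on a success that follows repeated failures from the same source. The log lines, hostname, thresholds and RFC 5737 documentation addresses are constructed for the example.

```python
"""Failed-login monitoring over sshd-style log lines.

Added example, not from the article. Log lines, hostnames, thresholds and the
RFC 5737 documentation addresses are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line: str):
    """Return an event dict for authentication outcomes, None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect(lines, window_s=300, fail_threshold=5, prior_failures=3):
    """Sliding-window failure counts per source: one brute-force alert per source,
    plus an alert whenever a success follows repeated failures from that source."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()        # expire failures that fell out of the window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= fail_threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"], "host": ev["host"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
        elif len(recent) >= prior_failures:
            # Guessing that eventually worked: treat as a probable account compromise.
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"],
                           "failures": len(recent), "at": ev["ts"].isoformat()})
    return alerts


SAMPLE_LINES = [  # constructed
    "2024-07-01T09:00:00Z bastion sshd[900]: Failed password for root from 203.0.113.9 port 40001",
    "2024-07-01T10:00:01Z bastion sshd[1201]: Failed password for admin from 203.0.113.7 port 51000",
    "2024-07-01T10:00:09Z bastion sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 51002",
    "2024-07-01T10:00:15Z bastion sshd[1203]: Failed password for admin from 203.0.113.7 port 51004",
    "2024-07-01T10:00:22Z bastion sshd[1204]: Failed password for admin from 203.0.113.7 port 51006",
    "2024-07-01T10:00:30Z bastion sshd[1205]: Failed password for admin from 203.0.113.7 port 51008",
    "2024-07-01T10:00:45Z bastion sshd[1206]: Failed password for admin from 203.0.113.7 port 51010",
    "2024-07-01T10:00:46Z bastion sshd[1206]: Disconnected from authenticating user admin 203.0.113.7 port 51010",
    "2024-07-01T10:01:00Z bastion sshd[1207]: Accepted password for admin from 203.0.113.7 port 51012",
    "2024-07-01T10:03:10Z bastion sshd[1300]: Failed password for carol from 198.51.100.20 port 60010",
    "2024-07-01T10:03:20Z bastion sshd[1301]: Failed password for carol from 198.51.100.20 port 60012",
    "2024-07-01T10:03:31Z bastion sshd[1302]: Accepted publickey for carol from 198.51.100.20 port 60014",
    "2024-07-01T10:30:00Z bastion sshd[1400]: Failed password for root from 203.0.113.9 port 40003",
]


def run_sample():
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Carol's two typos followed by a key-based login stay below both thresholds, and the two root failures from 203.0.113.9 are too far apart to count together, so only the 203.0.113.7 sequence produces alerts.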

 

8.17 Clock Synchronisation


Purpose

Clock synchronisation is essential for ensuring that the timestamps in logs and other records across the organisation's information systems are accurate and consistent. This control ensures that the clocks of all systems are synchronised to approved time sources, which is crucial for correlating events during investigations and audits.


Implementation

To implement clock synchronisation, organisations should configure all information processing systems to synchronise their clocks with a reliable and approved time source, such as a Network Time Protocol (NTP) server.


Time synchronisation settings should be consistently applied across all systems, including servers, workstations, network devices, and security appliances.


The organisation should regularly verify that clocks are synchronised correctly and promptly address discrepancies.


Documentation should specify the time sources used and ensure that all systems adhere to the synchronisation policy.


Accurate clock synchronisation is also vital for meeting compliance requirements and ensuring the integrity of logs and audit trails.

 

8.18 Use of Privileged Utility Programs


Purpose

Privileged utility programs are powerful tools that can override system and application controls, making them potential targets for misuse or exploitation. This control ensures that such programs are restricted and tightly controlled to prevent unauthorised access or changes to critical systems.


Implementation

To manage privileged utility programs, organisations should implement strict access controls that limit their use to authorised personnel.


Access should be granted based on the principle of least privilege, ensuring that only those with a legitimate need can use these tools.


All activities involving privileged utilities should be logged and monitored to detect unauthorised or suspicious use.


Organisations should consider using alternative methods or tools that provide the necessary functionality without the same level of risk.


Additionally, regular reviews of access to privileged utility programs should ensure that only current and authorised personnel have access, and any unnecessary access should be promptly revoked.

 

8.19 Installation of Software on Operational Systems


Purpose

Installing software on operational systems poses a significant security risk if not managed properly, as it can introduce vulnerabilities, conflicts, or unauthorised changes. This control ensures that software installation is securely managed, reducing the risk of compromising the operational environment's integrity, availability, or confidentiality.


Implementation

To implement secure software installation procedures, organisations should establish a formal process for evaluating, approving, and deploying software on operational systems. This process should include security assessments to identify vulnerabilities or conflicts with existing systems.


Software should only be installed by authorised personnel, and installations should be documented and tracked to maintain an accurate inventory of installed applications.


Configuration management tools can help automate and enforce software installation policies, ensuring consistency and compliance with security standards.


Additionally, organisations should test software installations in a controlled environment before deploying them to production systems to prevent disruptions and security issues.

 

8.20 Network Security


Purpose

Network security is crucial for protecting the flow of information within and between systems. It ensures that data is transmitted securely and that the network infrastructure is protected from unauthorised access and attacks. This control focuses on securing network devices and connections to protect the information in systems and applications.


Implementation

To implement network security, organisations should deploy security measures such as firewalls, intrusion detection/prevention systems (IDS/IPS), and virtual private networks (VPNs) to protect the network perimeter and internal segments.


Network devices like routers, switches, and access points should be configured with strong security settings, including encryption, access controls, and regular firmware updates.


The organisation should segment its network to isolate critical systems and sensitive data from less secure areas, reducing the risk of lateral movement by attackers.


Monitoring tools should be used to continuously scan the network for signs of intrusion or suspicious activity.


Network security policies should be documented, regularly reviewed, and updated to address emerging threats and technological advancements.

 

8.21 Security of Network Services


Purpose

The security of network services is essential for ensuring that the services provided are reliable, secure, and available to authorised users. This control ensures that network services' security mechanisms, service levels, and requirements are clearly defined, implemented, and monitored.


Implementation

To secure network services, organisations should first identify all network services, such as DNS, email, web hosting, and file sharing.


Security requirements for each service should be established based on the sensitivity and criticality of the information it handles.


Service level agreements (SLAs) with service providers should include specific security commitments, such as uptime guarantees, response times, and data protection measures.


Regular monitoring should be conducted to ensure that network services comply with security requirements and that any issues are promptly addressed.


The organisation should also implement redundancy and failover mechanisms to maintain service availability in case of disruptions.


Security audits and vulnerability assessments should be regularly performed to identify and mitigate risks associated with network services.

 

8.22 Segregation of Networks


Purpose

Segregating networks is a critical security measure for limiting the spread of attacks and ensuring that sensitive information is isolated from less secure parts of the network. This control ensures that different information services, users, and information systems are segregated within the organisation’s networks to protect critical assets.


Implementation

To implement network segregation, organisations should design their network architecture to separate different types of traffic and systems based on their security requirements. This can be achieved using VLANs, subnets, and firewalls that control traffic between network segments.


Sensitive systems, such as databases and financial systems, should be placed in isolated segments with strict access controls, while less critical systems may reside in more open segments.


Access between segments should be limited to the minimum necessary, and all traffic should be monitored for signs of unauthorised access or anomalies.


Network segmentation should be documented, and regular reviews should be conducted to ensure the segregation remains effective as the network evolves.

 

8.23 Web Filtering


Purpose

Web filtering is essential for managing access to external websites and reducing exposure to malicious content. By controlling which websites users can access, organisations can prevent infections from malware, phishing attacks, and other online threats, thereby protecting their information systems and data.


Implementation

To implement web filtering, organisations should deploy web filtering solutions that block access to known malicious or inappropriate websites. These solutions can be integrated with the organisation's security infrastructure, such as firewalls or secure web gateways, to enforce browsing policies.


Web filtering should be configured to allow access to necessary business sites while blocking categories of sites that pose security risks, such as sites hosting malware, phishing pages, or adult content.


Regular updates to the web filtering rules and categories should be applied to adapt to new threats.


Additionally, organisations should monitor web traffic to detect attempts to access blocked sites and to identify potential security incidents. Employees should be informed about the organisation’s web filtering policies and the reasons behind them.

 

8.24 Use of Cryptography


Purpose

Cryptography is critical for protecting information's confidentiality, integrity, and authenticity in transit and at rest. This control ensures that cryptographic techniques, including managing cryptographic keys, are effectively implemented to secure sensitive data against unauthorised access and tampering.


Implementation

To implement cryptography, organisations should establish a cryptographic policy that defines the standards for encryption algorithms, key lengths, and key management practices.


Encryption should be applied to sensitive data stored on devices, transmitted over networks, or backed up.


Cryptographic keys should be securely generated, stored, and distributed using approved key management systems. Key lifecycles should be managed to ensure that keys are rotated, archived, or destroyed as necessary.


Access to cryptographic keys should be restricted to authorised personnel, and all cryptographic operations should be logged and monitored for signs of misuse.


The organisation should regularly review and update its cryptographic practices to align with the latest security standards and to address new threats.

 

8.25 Secure Development Life Cycle


Purpose

The secure development life cycle (SDLC) integrates security into every software and system development phase, from initial design to deployment and maintenance. This control ensures that security considerations are embedded into the development process, reducing the risk of introducing vulnerabilities into the organisation's systems.


Implementation

To implement an SDLC, organisations should establish secure coding standards and guidelines for developers to follow during the development process.


Security requirements should be defined at the beginning of each project and incorporated into the design and architecture of the system.


Developers should receive regular training on secure coding practices and common vulnerabilities, such as those listed in the OWASP Top Ten.


Security testing, including code reviews, static analysis, and penetration testing, should be conducted throughout development to identify and remediate vulnerabilities before the system goes into production.


Post-deployment, the organisation should continue monitoring and updating the system to address new security issues.

 

8.26 Application Security Requirements


Purpose

Defining and implementing security requirements during application development or acquisition is essential for ensuring that the resulting software is secure and resilient against threats. This control ensures that security is considered from the outset, reducing the risk of vulnerabilities and security flaws in the final product.


Implementation

To implement application security requirements, organisations should establish a process for identifying, specifying, and approving security requirements at the beginning of each software development or acquisition project. These requirements should be based on the organisation's risk assessment, regulatory obligations, and best practices for secure software development.


Security requirements should be documented and integrated into the project’s overall requirements management process.


During development, the application should be tested to ensure that it meets the specified security requirements, and any deviations should be addressed before the application is deployed.


For acquired software, the organisation should evaluate the vendor’s security practices and ensure that the software complies with the organisation’s security standards.

 

8.27 Secure System Architecture and Engineering Principles


Purpose

Secure system architecture and engineering principles are essential for building systems that are resilient against attacks and that protect the confidentiality, integrity, and availability of information. This control ensures that security is considered at the architectural level and throughout the engineering process, resulting in inherently secure systems.


Implementation

To implement secure system architecture and engineering principles, organisations should establish a set of security design principles that guide the development of all information systems.


These principles should include concepts such as defence in depth, least privilege, secure defaults, and fail-safe mechanisms.


Security considerations should be incorporated into the overall system design during the architecture and design phases, including selecting technologies, network topology, and data flow.


Security architecture reviews should be conducted to identify potential weaknesses and ensure the system meets the organisation's security requirements.


Engineering teams should be trained on secure design principles, and security should be a key criterion in all design decisions.

 

8.28 Secure Coding


Purpose

Secure coding practices are essential for preventing the introduction of vulnerabilities during software development. This control ensures that developers adhere to secure coding principles, reducing the risk of security flaws in their software.


Implementation

To implement secure coding practices, organisations should establish coding standards that address common sources of security vulnerabilities, such as input validation, authentication, access control, and error handling.


Developers should receive training on these standards and how to avoid common coding mistakes that can lead to security issues.


Secure coding checklists should be used during code reviews to ensure security considerations are properly addressed.


Automated tools, such as static code analysers, should be used to scan code for vulnerabilities and to enforce coding standards.


Organisations should also implement a process for keeping secure coding practices up-to-date with the latest threats and best practices, ensuring that their development teams always work with the most current security knowledge.
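As an added illustration of the input-validation and error-handling items in the coding standard described above (example code, not from the article): a user-lookup handler in its unsafe form beside its hardened form, run against a constructed in-memory SQLite table.

```python
import logging
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for the application's user store.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (username TEXT, email TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "alice@example.com"), ("bob", "bob@example.com")])

# Allow-list for usernames: the kind of rule a secure coding standard would require.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
log = logging.getLogger("users")


def lookup_unsafe(username: str) -> dict:
    """'Before' form: unvalidated input concatenated into SQL, raw errors returned to the caller."""
    try:
        row = _DB.execute(f"SELECT email FROM users WHERE username = '{username}'").fetchone()
        return {"ok": True, "email": row[0] if row else None}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}  # leaks database internals to the client


def lookup_hardened(username: str) -> dict:
    """'After' form: allow-list validation, parameterised query, generic error, detail only in logs."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return {"ok": False, "error": "invalid username"}  # reject before touching the database
    try:
        row = _DB.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
        return {"ok": True, "email": row[0] if row else None}
    except sqlite3.Error:
        log.exception("user lookup failed")  # full detail stays server-side
        return {"ok": False, "error": "internal error"}
```

A static analyser or code-review checklist would flag the f-string query and the echoed exception in the first form; the second form is what the coding standard should require.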

 

8.29 Security Testing in Development and Acceptance


Purpose

Security testing is a critical component of the development process. It ensures that software and systems are thoroughly evaluated for vulnerabilities before deployment. This control ensures that security testing is integrated into the development life cycle so that the final product is secure.


Implementation

To implement this control, organisations should define security testing processes and integrate them into the development life cycle. These processes should include a range of testing methods, such as static and dynamic code analysis, penetration testing, and vulnerability scanning, to identify potential security flaws.


Security tests should be conducted at various stages of development, including unit testing, integration testing, and acceptance testing, to catch vulnerabilities early and ensure they are remediated before deployment.


Automated testing tools should be used where possible to increase coverage and efficiency.


The results of security tests should be documented, and any identified issues should be tracked and resolved before the software is approved for production.


Regular reviews of the security testing process should be conducted to ensure its effectiveness and to incorporate new testing techniques as they become available.

 

8.30 Outsourced Development


Purpose

Outsourcing system development introduces additional risks, as the organisation must rely on external parties to produce secure software. This control ensures that the organisation actively manages and monitors the security of outsourced development activities to protect its information assets.


Implementation

Organisations should establish clear security requirements and expectations in contracts with external developers to manage outsourced development securely. These requirements should cover secure coding practices, access controls, incident response, and compliance with relevant standards and regulations.


The organisation should conduct regular security reviews and audits of the outsourced development process to verify that it meets the agreed security requirements.


This may include code reviews, penetration testing, and vendor development environment assessments.


Communication channels should be established to ensure security issues are promptly reported and addressed.


Additionally, the organisation should retain the right to review and approve any third-party components or libraries used in the development process to ensure they meet security standards.

 

8.31 Separation of Development, Test, and Production Environments


Purpose

Separating development, testing, and production environments is critical for preventing unintended changes or disruptions in production systems and maintaining software and data integrity. This control ensures that these environments are isolated from one another to reduce the risk of security incidents.


Implementation


To implement this control, organisations should establish separate environments for development, testing, and production, each with its own access controls, resources, and data.


Access to each environment should be restricted to authorised personnel only, with stricter controls applied to the production environment.


Changes in the development environment should be thoroughly tested in the test environment before being deployed to production, ensuring that they do not introduce security vulnerabilities or disrupt operations.


Automation tools, such as continuous integration and continuous deployment (CI/CD) pipelines, can help enforce the separation of environments and ensure that only approved code is promoted to production.


Regular audits should be conducted to verify that environment separation is maintained and access controls are effective.

 

8.32 Change Management


Purpose

Change management is essential for ensuring that modifications to information processing facilities and information systems are controlled and secure. This control ensures that changes are properly assessed, approved, and documented to prevent unintended consequences and maintain system security and stability.


Implementation

To implement change management, organisations should establish a formal change management process that includes submitting, reviewing, appraising, and implementing changes.


All changes should be assessed for their potential impact on security, performance, and compliance and approved by relevant stakeholders before implementation.


Changes should be tested in a controlled environment to identify and address any issues before they are applied to production systems. Detailed records of all changes, including the rationale for the change, the implementation steps, and the testing results, should be maintained.


Emergency changes should be subject to additional scrutiny, with a post-implementation review to assess their impact.


Regular reviews of the change management process should be conducted to ensure its effectiveness and identify improvement opportunities.

 

8.33 Test Information


Purpose

Test information, such as test data and test environments, must be protected to prevent unauthorised access, data breaches, and the introduction of security vulnerabilities. This control ensures that test information is appropriately selected, protected, and managed throughout the testing process.


Implementation

To implement this control, organisations should establish policies for selecting and protecting test information, ensuring that it represents real-world scenarios without exposing sensitive data.


Test environments should be isolated from production environments to prevent the accidental disclosure or modification of production data.


When using real data for testing purposes, it should be anonymised or masked to protect privacy and confidentiality.


Access to test environments and test data should be restricted to authorised personnel only, and all test activities should be logged and monitored for signs of unauthorised access or misuse.


After testing, test information should be securely deleted or archived, and the test environment should be restored to its original state to prevent residual data from being accessed.
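As an added example of the anonymisation and masking step described for 8.33 (example code, not from the article): a constructed production-like extract is turned into a test copy in which identifiers are replaced by keyed pseudonyms, contact details are masked, and non-sensitive attributes are kept so the data still represents real-world scenarios. The masking key and the `test.invalid` domain are assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample: a production-like extract that must not reach the test environment as-is.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 7700 900123", "card_last4": "4242", "country": "UK"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+44 7700 900456", "card_last4": "1234", "country": "UK"},
]

# Hypothetical per-environment secret; in practice it is kept out of source control.
MASKING_KEY = b"test-env-masking-key"


def pseudonym(value: str, key: bytes = MASKING_KEY, length: int = 12) -> str:
    """Deterministic keyed pseudonym: the same input always maps to the same token, so joins
    across tables still work, but the original cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_email(email: str) -> str:
    """Replace the local part with a pseudonym and use a reserved test domain so no real mail is sent."""
    local, _, _domain = email.partition("@")
    return f"{pseudonym(local)}@test.invalid"


def mask_phone(phone: str, keep_digits: int = 2) -> str:
    """Keep the formatting and the leading country-code digits; zero out every other digit."""
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(ch if seen < keep_digits else "0")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_record(row: dict) -> dict:
    """Build the test copy of one record; the surrogate key and non-sensitive fields are retained."""
    return {
        "customer_id": row["customer_id"],
        "name": "Customer " + pseudonym(row["name"], length=6),
        "email": mask_email(row["email"]),
        "phone": mask_phone(row["phone"]),
        "card_last4": "0000",
        "country": row["country"],
    }


def mask_dataset(rows: list) -> list:
    return [mask_record(r) for r in rows]
```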

 

8.34 Protection of Information Systems During Audit Testing


Purpose

Audit testing involves assessing the security and functionality of information systems, which can introduce risks if not managed properly. This control ensures that audit tests and other assurance activities are planned and agreed upon between the tester and management to protect operational systems and data.


Implementation

To protect information systems, organisations should establish procedures for planning and conducting audit tests. These procedures should include obtaining management approval for the audit's scope, timing, and methods, and identifying any potential risks to operational systems.


The organisation should ensure that audit activities are conducted in a controlled environment, with measures to prevent disruptions to business operations.


Any tools or techniques used during the audit should be tested in a non-production environment to confirm their safety and reliability.


Management should document and review the audit results, and any identified issues should be addressed promptly.


The organisation should also conduct a post-audit review to assess the audit's impact and make any necessary adjustments to the audit process.

 

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
