General rules for reviewing and publishing code

General rules for reviewing, approving and publishing the code have been defined and enforced.

The rules may include, for example, the following:

  • the code has been validated against generally accepted secure development guidelines, such as those published by OWASP
  • the code has been reviewed by at least two people
  • the changes have been approved by a designated, authorized user prior to release
  • the system documentation has been updated before release
  • the release window has been chosen in accordance with the given instructions so as to minimize disruption to business processes
  • the user instructions have been updated before the code is released

The rules are intended to manage the risks associated with the release of new program code.

Related frameworks and requirements:
14.2.2: System change control procedures (ISO 27001)
14.2.3: Technical review of applications after operating platform changes (ISO 27001)
8.28: Secure coding (ISO 27001)
8.32: Change management (ISO 27001)

Listing authorized users for publishing code changes

Only pre-defined, authorized users are allowed to publish changes to the code.

Related frameworks and requirements:
12.5: Control of operational software (ISO 27001)
12.5.1: Installation of software on operational systems (ISO 27001)
14.2.2: System change control procedures (ISO 27001)
14.2.7: Outsourced development (ISO 27001)
8.19: Installation of software on operational systems (ISO 27001)

Restoration strategy

Before a release is deployed, we have agreed and documented a rollback procedure for restoring the previous version of the software.

Related frameworks and requirements:
12.3: Backup (ISO 27001)
12.5: Control of operational software (ISO 27001)
12.3.1: Information backup (ISO 27001)
12.5.1: Installation of software on operational systems (ISO 27001)
14.2.2: System change control procedures (ISO 27001)

Change management procedure for significant changes to data processing services

Inadequate change management is a common cause of incidents for digital services.

The organization shall document the change management process to be followed whenever significant changes are made to the digital services it develops, or to other computing services, that affect cyber security. The process defines requirements for, e.g., the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log

Related frameworks and requirements:
14.2.2: System change control procedures (ISO 27001)
14.2.4: Restrictions on changes to software packages (ISO 27001)
PR.DS-6: Integrity checking (NIST CSF)
8.32: Change management (ISO 27001)