Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Definition of done and testing principles

Critical
High
Normal
Low

The development unit itself maintains a list of criteria that need to be met before a task can be marked as completed. The criteria may include e.g. review requirements, documentation requirements and testing requirements.

New code will only be implemented after extensive testing that meets pre-defined criteria. Tests should cover usability, security, effects on other systems, and user-friendliness.

Connected other frameworks and requirements:
14.2.3: Technical review of applications after operating platform changes
ISO 27001
14.2.9: System acceptance testing
ISO 27001
8.29: Security testing in development and acceptance
ISO 27001

General rules for reviewing and publishing code

Critical
High
Normal
Low

General rules for reviewing, approving and publishing the code have been defined and enforced.

The rules may include e.g. the following things:

  • the generated code has been validated against the general safe development guidelines of the OWASP Framework
  • the code has been reviewed by at least two people
  • the changes have been approved by a designated, authorized user prior to publication
  • the system documentation has been updated before release
  • the time of publication of the changes has been chosen in accordance with the given instructions in order to minimize disruption to business processes
  • the instructions needed by users have been updated before the code is released

The rules are intended to manage the risks associated with the release of new program code.

Connected other frameworks and requirements:
14.2.2: System change control procedures
ISO 27001
14.2.3: Technical review of applications after operating platform changes
ISO 27001
8.28: Secure coding
ISO 27001
8.32: Change management
ISO 27001

Regular critical code identification and verification

Critical
High
Normal
Low

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.

Connected other frameworks and requirements:
14.2.3: Technical review of applications after operating platform changes
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
14.2.9: System acceptance testing
ISO 27001
8.27: Secure system architecture and engineering principles
ISO 27001
No items found.