Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Definition of done and testing principles

Critical
High
Normal
Low

The development unit itself maintains a list of criteria that need to be met before a task can be marked as completed. The criteria may include e.g. review requirements, documentation requirements and testing requirements.

New code will only be implemented after extensive testing that meets pre-defined criteria. Tests should cover usability, security, effects on other systems, and user-friendliness.

Connected other frameworks and requirements:
14.2.9: System acceptance testing
ISO 27001
14.2.3: Technical review of applications after operating platform changes
ISO 27001
8.29: Security testing in development and acceptance
ISO 27001

Regular penetration testing

Critical
High
Normal
Low

Static scans on code are the first step in detecting risky vulnerabilities. However, once a service has been deployed, it is vulnerable to new types of attacks (e.g., cross-site scripting or authentication issues). These can be identified by penetration testing.

Connected other frameworks and requirements:
12.6.1: Management of technical vulnerabilities
ISO 27001
14.2.8: System security testing
ISO 27001
18.2.3: Technical compliance review
ISO 27001
DE.CM-8: Vulnerability scans
NIST CSF
5.36: Compliance with policies, rules and standards for information security
ISO 27001

Regular vulnerability scanning

Critical
High
Normal
Low

The organization regularly conducts a vulnerability scan, which searches for vulnerabilities found on computers, workstations, mobile devices, networks or applications. It is important to scan even after significant changes.

It should be noted that vulnerable source code can be from operating system software, server applications, user applications, as well as from the firmware application as well as from drivers, BIOS and separate management interfaces (e.g. iLo , iDrac). In addition to software errors, vulnerabilities occur from configuration errors and old practices, such as the use of outdated encryption algorithms.

Connected other frameworks and requirements:
12.6.1: Management of technical vulnerabilities
ISO 27001
18.2.3: Technical compliance review
ISO 27001
14.2.8: System security testing
ISO 27001
ID.RA-1: Asset vulnerabilities
NIST CSF
PR.IP-12: Vulnerability management plan
NIST CSF
No items found.