Content library
NSM ICT Security Principles (Norway)
2.1.8: Maintain the software code developed/used by the organisation

Requirement description

Maintain the software code developed/used by the organisation. a) Sustain a development process which includes methodical security assessments of the code. b) Be especially aware of code with particular security significance e.g. code for i) access control, ii) traffic encryption, iii) logging, iv) parsing user input, v) buffer overflow etc. c) When using open-source code and commercial tool kits, the organisation should regularly check for new versions (ideally automatically). d) Security checks of the organisation’s own code should also be automated where appropriate when using DevOps/DevSecOps. Particularly security-relevant code (cf. previous item) should be quality-assured.

How to fill the requirement

NSM ICT Security Principles (Norway)

2.1.8: Maintain the software code developed/used by the organisation

Task name
Priority
Status
Theme
Policy
Other requirements
Keeping open-source software up to date
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Update and patch management
1
requirements

Examples of other requirements this task affects

2.1.8: Maintain the software code developed/used by the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Keeping open-source software up to date
1. Task description

Organisations should regularly check for new versions of used open-source code. Ideally, this process is automated. New versions of open-source code can often contain new security functions, security patches, etc.

Guidelines for secure development
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
23
requirements

Examples of other requirements this task affects

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava
NIS2 Croatia
9.3 §: Tietojärjestelmien hankinta ja kehittäminen
Kyberturvallisuuslaki
30 § 3.5°: L'acquisition, du développement et de la maintenance des réseaux et des systèmes d'information
NIS2 Belgium
2.1.5: Use a secure software development method
NSM ICT-SP
2.1.8: Maintain the software code developed/used by the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Guidelines for secure development
1. Task description

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

  • safety requirements of the development environment
  • instructions for secure coding of the programming languages used
  • safety requirements at the design stage of properties or projects
  • secure software repositories
  • version control security requirements
  • the skills required from developers to avoid, discover and fix vulnerabilities
  • compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Automated secure code deployment and release
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
3
requirements

Examples of other requirements this task affects

2.1.5: Use a secure software development method
NSM ICT-SP
2.1.8: Maintain the software code developed/used by the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Automated secure code deployment and release
1. Task description

The organization must define the means for a secure software deployment strategy. Means should be automated if possible.

Keeping licensed software up to date
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Update and patch management
6
requirements

Examples of other requirements this task affects

SUM-02: Keeping licensed software up to date
Cyber Essentials
Article 9b: Prevention
DORA
2.1.8: Maintain the software code developed/used by the organisation
NSM ICT-SP
12.1: Ensure Network Infrastructure is Up-to-Date
CIS 18
2.2: Ensure Authorized Software is Currently Supported
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Keeping licensed software up to date
1. Task description

The organization has to make sure that all licensed software are updated with in 14 days of the update coming live when:

  • The update fixes vulnerabilities that are considered critical or high risk
  • Supplier does not release details about the severity of the vulnerability
Regular critical code identification and verification
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
17
requirements

Examples of other requirements this task affects

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava
NIS2 Croatia
9.3 §: Tietojärjestelmien hankinta ja kehittäminen
Kyberturvallisuuslaki
30 § 3.5°: L'acquisition, du développement et de la maintenance des réseaux et des systèmes d'information
NIS2 Belgium
2.1.5: Use a secure software development method
NSM ICT-SP
2.1.8: Maintain the software code developed/used by the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Regular critical code identification and verification
1. Task description

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.