ISMS Control of Software and Systems Development


VOICECOM

Control of Software and Systems Development

Internal document
Procedure Ref : PO-DSIXXX
Version : 0.1
Date : 26/09/2020
Page : 2/5
Classification: Public | Internal | Confidential | Top Secret

1 Introduction
2 Scope
This procedure sets out VOICECOM’s arrangements for ensuring secure software and
systems development.

3 Revision History
Revision   Date         Record of Changes   Approved By
0.1        09.26.2020   Initial Issue

4 Control of hardcopy versions

The digital version of this document is the most recent version. It is the responsibility of the
individual to ensure that any printed version is the most recent version. The printed version
of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
the <Document Controller> and provided with a document reference number and revision in
the fields below:

Document Ref. [    ]   Rev. [    ]   Uncontrolled Copy [X]   Controlled Copy [ ]

5 References
Standard         Title                                     Description
ISO 27000:2014   Information security management systems   Overview and vocabulary
ISO 27001:2013   Information security management systems   Requirements
ISO 27001:2013   Information security management systems   Clauses:
                                                           A.14.2.1 Secure development policy
                                                           A.14.2.2 System change control procedures
                                                           A.14.2.4 Restrictions on changes to software packages
                                                           A.14.2.5 Secure system engineering principles
                                                           A.14.2.6 Secure development environment
                                                           A.14.2.7 Outsourced development
                                                           A.14.2.8 System security testing
                                                           A.14.2.9 System acceptance testing
                                                           A.14.3.1 Protection of test data
Add as required when developing this procedure.

6 Terms and Definitions

- “staff” and “users” means all of those who work under our control, including
  employees, contractors, interns etc.
- “we” and “our” refer to VOICECOM

7 Responsibilities
The <IT Manager> is responsible for all aspects of the implementation and management of
this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of this policy, within the
scope of their responsibilities, and must ensure that all staff under their control understand
and undertake their responsibilities accordingly.

8 Secure Software and Systems Development Procedure

We ensure that information security is designed and implemented within the development
lifecycle of information systems.
The rules and processes that we apply to the development of software and systems are
designed to ensure that:

- changes to systems within the development lifecycle are controlled by the use of
  formal change control procedures including documentation, specification, testing,
  quality control, and managed implementation
- modifications to software packages are limited to necessary changes and all changes
  that are made are strictly controlled
- principles for engineering secure systems have been established, documented,
  maintained and applied to every information system implementation effort
- an appropriately protected secure development environment has been established
  for system development and integration efforts that cover the entire system
  development lifecycle
- all outsourced system development activities are supervised and monitored
- testing of security functionality is carried out during development
- acceptance testing programs and related criteria are established for new information
  systems, upgrades and new versions
- data used for testing is protected

9 Software and Systems Development Procedure

If you do not develop or integrate software or systems then you do not require this
procedure.

A principal objective of 27001 as regards software and systems development is that
information security is designed and implemented within the entire development lifecycle of
information systems.
To demonstrate that this is the case you need to integrate your existing software and system
development procedures with this ISMS procedure. For example, you could transfer (or write
anew) details of your development procedures and processes into this document,
embedding the control objectives and controls set out in Annex A 14 “System acquisition,
development and maintenance” and “Test Data”, as listed below and any other relevant
27001 requirements.
A.14.2.1 Secure development policy
Control: Rules for the development of software and systems must be established and
applied to developments within the organisation.
A.14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle must be controlled by the use
of formal change control procedures.
A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages must be discouraged, limited to necessary
changes and all changes must be strictly controlled.
A.14.2.5 Secure system engineering principles
Control: Principles for engineering secure systems must be established, documented,
maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment
Control: Organisations must establish and appropriately protect secure development
environments for system development and integration efforts that cover the entire system
development lifecycle.
A.14.2.7 Outsourced development
Control: The organisation must supervise and monitor the activity of outsourced system
development.
A.14.2.8 System security testing
Control: Testing of security functionality must be carried out during development.
A.14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria must be established for new
information systems, upgrades and new versions.
A.14.3 Test Data
Control: Test data must be selected carefully, protected and controlled.

The provided ISMS Procedure “Acquisition, Development and Maintenance of Information
Systems” references this procedure in 2.5 and provides objectives and suggested controls in
2.5 to 2.13 for inclusion into this procedure. When this procedure is complete, cross check
that 2.5 to 2.13 and this procedure fully align.
Further advice can be found in ISO 27002.
Remember to base your procedure on the PDCA cycle and include in your procedure any
other development requirements from elsewhere in 27001, for example planning,
measurement, documentation and records etc.

10 Records
Records retained in support of this procedure are listed in the Controlled ISMS Records
Register and controlled according to the Control of Management System Records
Procedure.
