According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally

provided processes, products or services that are relevant to the information security management

system are controlled. This includes developing and entering into licensing agreements that cover

code ownership and intellectual property rights, and implementing appropriate contractual

requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

In this case, the organisation and the developer have performed security tests that failed, which

indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT

Manager explains that the encryption and pseudonymization functions failed because they slowed

down the system and service performance, and that an extra 150% of resources are needed to cover

this. However, this does not justify the acceptance of the test results by the Service Manager, who is

not authorised to approve the test according to the software security management procedure. The

Service Manager should have consulted with the IT Manager, who is the owner of the process, and

followed the procedure for handling nonconformities and corrective actions. The Service Manager’s

decision to continue the service based on access control alone exposes the organisation to the risk of

compromising the confidentiality, integrity, and availability of personal data processed by the mobile

app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the

processes needed to meet information security requirements, and to implement the actions

determined in Clause 6.1. The organisation shall also control planned changes and review the

consequences of unintended changes, taking action to mitigate any adverse effects, as necessary12

In this case, the organisation has not controlled the planned change of the mobile app from version

1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to

frequent ransomware attacks. The IT Manager explains that the developer performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. However, this is not sufficient to ensure that the change is properly assessed,

tested, documented, and approved before deployment. The IT Manager should have followed the

change management process and procedure, and verified that the updated software meets the

security requirements and does not introduce any new vulnerabilities or risks. The IT Manager’s

reliance on his 20 years of information security experience and the developer’s verbal guarantee is

not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC)

with clause 8.1.

Reference:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and

IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2