ISO 27001 8.27 Secure System Architecture and Engineering Principles Requirement:

"Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities."[1]

ISO 27001 8.27 Secure System Architecture and Engineering Principles Requirement Explanation:

NIST Special Publication 800-160 covers the topic of security engineering. It contains a list of "security design principles" that the organization can select from and follow. Document a policy requiring the implementation of the security engineering principles you selected from NIST SP 800-160. Here are a few from NIST SP 800-160 that you can use:

"Reduced Complexity: the system design should be as simple and small as possible. A small and simple design will be more understandable, more analyzable, and less prone to error.

Least Privilege: each component should be allocated sufficient privileges to accomplish its specified functions, but no more.

Trusted Communication Channels: restrict access to communication channels and employ end-to-end protections for the data transmitted over the communication channel.

Continuous Protection: all components and data used to enforce the security policy must have uninterrupted protection that is consistent with the security policy and the security architecture assumptions.

Accountability and Traceability: it must be possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken.

Secure Defaults: the default configuration of a system (to include its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy.

Repeatable and Documented Procedures: the techniques and methods employed to construct a system component should permit the same component to be completely and correctly reconstructed at a later time.

Secure System Modification: system modification must maintain system security with respect to the security requirements and risk tolerance of stakeholders.

Sufficient Documentation: personnel with responsibility to interact with the system should be provided with adequate documentation and other information such that they contribute to, rather than detract from, system security.

Defense in Depth: security architectures are to be constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary."

References:

 
