ISO 27001 Software Development

• Site conducted

  Select

• undefined

• Conducted on

  Date

• Auditor

• Auditees

• Objective

• Reference Document No.

• What are the legal, regulatory, business technical and security requirements applicable to Marine link? Are they documented?

• Who is the regulatory class for Marine link, if applicable?

• Do you have different environments for development and production activities? Do they have different credentials?

  Yes

  No

  N/A

• How is access management performed in Marine link? Who is the approving authority?

• How do Marine link team manage the risk of unauthorised access or changes? Any process/procedures documented?

• What type of data is used in development environment? How is it different from production data?

• What criteria is followed when selecting test data for testing purposes?

• What process is followed by Marine link to store the development code securely and manage all changes, access and version control happening around it?

• Is there any code reviewing process/matrix to ensure system and operating environment is secure?

  Yes

  No

  N/A

• What is the process? Is it documented?

  Yes

  No

  N/A

• Who's responsible and how often is it reviewed?

  Yes

  No

  N/A

• Is there any training provided to all developers regarding secure software development practices?

  Yes

  No

  N/A

• What standards are followed by Marin link when outsourcing the development activities? Any documented process, forms or checklist?

• How do you handle situations where insecure Coding practices are followed? What tools are used for analysis? Any examples?

  Yes

  No

  N/A

• Is there any documented Change management process used by Marine link? Who drives the change at organisational level?

• Any examples/demonstration of successful testing schedule?

• How often is penetration testing done and what tools are used to do this testing?

• How do Marine link decide to perform penetration testing and what matrix is used to categorise risk as major or minor?

• How is the change managed in production environment? Any documented process pre or post change?

• What type of testing phases are completed before implementing a new system/application?

• What kind of data is stored in CMDB? Is it regularly monitored data?

• How is version control done in Marine link?

• Do Marine link have documented process for decommissioning activities? is it in accordance with Change management process?

  Yes

  No

  N/A

• What are the data retention and disposal standards followed by Marine link? Are they documented?

  Yes

  No

  N/A

Documentation Checklist (SDLC)

• Can you explain the SDLC for Marine link and demonstrate using an example?

• Demonstrate any testing schedule produced during SDLC.

  Compliant

  Non-Compliant

  N/A

• Demonstrate any Standard Operating Procedures (SOP) produced during SDLC.

  Compliant

  Non-Compliant

  N/A

• Demonstrate any System Security Standard (SSP) produced during SDLC.

  Compliant

  Non-Compliant

  N/A

• Demonstrate any Security Risk Assessment (SRA) produced during SDLC.

  Compliant

  Non-Compliant

  N/A

• Demonstrate any User guide produced during SDLC.

  Compliant

  Non-Compliant

  N/A

• Demonstrate any Release Plan produced during SDLC.

  Compliant

  Non-Compliant

  N/A

• Demonstrate any Training Plan produced during SDLC.

  Compliant

  Non-Compliant

  N/A

undefined