GUEST ESSAY: The case for complying with ISO 27001 — the gold standard of security frameworks

By Matthew Sciberras

Of the numerous security frameworks available to help companies protect against cyber-threats, many consider ISO 27001 to be the gold standard.

Organizations rely on ISO 27001 to guide risk management and customer data protection efforts against growing cyber threats that are inflicting record damage, with the average cyber incident now costing $266,000 and as much as $52 million for the top 5% of incidents.

Maintained by the International Organization for Standardization (ISO), a global non-governmental group devoted to developing common technical standards, ISO 27001 is periodically updated to meet the latest critical threats. The most recent updates came in October 2022, when ISO 27001 was amended with enhanced focus on the software development lifecycle (SDLC).

These updates address the growing risk to application security (AppSec), and so they’re critically important for organizations to understand and implement in their IT systems ASAP.

Updated guidance

Let’s examine how to put the latest ISO guidance into practice for better AppSec protection in enterprise systems. Doing so requires organizations to digest what the ISO 27001 revisions mean for their specific IT operations, and then figure out how best to implement the enhanced SDLC security protocols.

The new guidance is actually spelled out in both ISO 27001 and ISO 27002 – companion documents that together provide the security framework to protect all elements of the IT operation. The focus on securing the SDLC is driven by the rise in exploits that target security gaps in websites, online portals, APIs, and other parts of the app ecosystem to exfiltrate data, install ransomware, inflict reputational damage, or otherwise degrade enterprise security and the bottom line.

The revised ISO standard now stipulates more-robust cybersecurity management systems that reach all the way back into the SDLC to ensure that applications are inherently more secure as developers build them. In fact, for the first time, security testing within the SDLC is specifically required. And ISO 27001 specifies this testing should go beyond traditional vulnerability scanning toward a more multi-level and multi-methodology approach.

Achieving compliance

In seeking to secure the SDLC for ISO compliance, organizations will likely need to rely on a spectrum of testing tools working together to identify and prioritize the most critical threats. Here are 3 strategic priorities to help guide these efforts:

• Take a comprehensive, multi-level and multi-methodology approach – This includes employing multiple types of security testing in a single scan; setting up secure version control with formal rules for managing changes to existing systems; and applying security requirements to any outsourced development.

• Promote secure and agile coding practices – This includes subjecting deployed code to regression testing, code scanning, penetration testing, and other system testing; defining secure coding guidelines for each programming language; and creating secure repositories with restricted access to source code.

• Infuse security into application specifications and development workflow – This includes defining security requirements in the specification and design phase; scanning for vulnerable open-source software components; and employing tools that detect vulnerabilities in code that is deployed but not activated.

Comprehensive scanning

At the CTO and CIO level, these principles help guide the enterprise-wide strategy for ISO compliance. At the developer level, they will fundamentally reshape how programmers do their work day in and day out – including employing more project management tools and secure system architecture frameworks to track and mitigate risks at any stage in the SDLC.

The key throughout is to adopt a more holistic and comprehensive testing approach that aligns with the ISO 27001 requirements, since traditional vulnerability scanning is not powerful or proactive enough to secure the SDLC. The easiest way for organizations to mature their capabilities along these lines is to integrate a range of advanced AppSec testing protocols.

For example, the right AppSec partner can empower security teams with a blend of dynamic application security testing (DAST), interactive application security testing (IAST), and software composition analysis (SCA) together in a single scan. These combined testing approaches help secure all stages of development, as well as production environments, without negatively impacting delivery times.

Recent updates to the ISO 27001 standard bring a much-needed focus to securing the entire SDLC. In working to comply with the revised standard, security and development teams are realizing that a blend of multiple, complementary testing protocols is needed to catch and even prevent issues far earlier in the development process.

These efforts will help elevate security right alongside achieving the designed functionality as the ultimate goals in every DevOps project.

About the essayist: Matthew Sciberras is CISO and VP of Information Security at Invicti Security, which supplies advanced DAST+IAST (dynamic+interactive application security testing) solutions that help organizations of all sizes meet ISO 27001 compliance.

February 27th, 2023

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-the-case-for-complying-with-iso-27001-the-gold-standard-of-security-frameworks/