ISO 27001:2022 A 8.29 Security testing in development and acceptance

Security testing is a type of software testing that uncovers vulnerabilities, threats and risks in a software application and helps prevent malicious attacks from intruders. The purpose of security tests is to identify all possible loopholes and weaknesses of the software system that might result in a loss of information, revenue or reputation at the hands of employees or outsiders of the organization. Cyber criminals are constantly inventing new ways and improving their strategies to infiltrate corporate networks and gain access to sensitive information assets. If an application, software or IT system is deployed in the real world with vulnerabilities, sensitive information assets are exposed to the risk of compromise. Therefore, organisations should establish and implement an appropriate security testing procedure to identify and remedy all vulnerabilities in IT systems before they are deployed to the real world. By establishing and applying a robust security testing procedure, organisations verify that all information security requirements are satisfied when new applications, databases, software or code are put into operation. This helps organisations detect and eliminate vulnerabilities in code, networks, servers, applications or other IT systems before they are used in the real world.


Security testing processes should be defined and implemented in the development life cycle.


To validate that information security requirements are met when applications or code are deployed to the production environment.

ISO 27002 Implementation Guidance

New information systems, upgrades and new versions should be thoroughly tested and verified during the development processes. Security testing should be an integral part of the testing for systems or components. Security testing should be conducted against a set of requirements, which can be expressed as functional or non-functional. Security testing should include testing of:

  1. security functions (e.g. user authentication, access restriction and use of cryptography);
  2. secure coding;
  3. secure configurations, including that of operating systems, firewalls and other security components.

Test plans should be determined using a set of criteria. The extent of testing should be in proportion to the importance, nature of the system and the potential impact of the change being introduced. The test plan should include:

  1. detailed schedule of activities and tests;
  2. inputs and expected outputs under a range of conditions;
  3. criteria to evaluate the results;
  4. decision for further actions as necessary.

The organization can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of security related defects. For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken to ensure that the system works as expected and only as expected. The following should be considered:

  1. performing code review activities as a relevant element for testing for security flaws, including un-anticipated inputs and conditions;
  2. performing vulnerability scanning to identify insecure configurations and system vulnerabilities;
  3. performing penetration testing to identify insecure code and design.
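As an added illustration (not part of the ISO text or of this page), the following Python shows how the test-plan elements above (inputs, expected outputs under a range of conditions, criteria to evaluate the results, and a decision) can be encoded as an automated acceptance test for two of the security functions the guidance names, user authentication and access restriction. The AuthService class is a constructed stand-in for the system under test, not a real product; the expected outputs are written down before any test runs, as the plan requires.

```python
import hashlib
import hmac
import os

def kdf(password, salt):  # salted, slow hash for stored credentials
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the system under test (hypothetical): credential store,
# lockout after repeated failures, role-based access restriction.
class AuthService:
    LOCKOUT = 5
    def __init__(self):
        self._users, self._failures = {}, {}
    def register(self, user, password, role):
        salt = os.urandom(16)
        self._users[user] = (salt, kdf(password, salt), role)
    def login(self, user, password):
        rec = self._users.get(user)
        if rec is None or self._failures.get(user, 0) >= self.LOCKOUT:
            return None  # unknown user or locked account: no role granted
        salt, digest, role = rec
        if hmac.compare_digest(kdf(password, salt), digest):
            self._failures[user] = 0
            return role
        self._failures[user] = self._failures.get(user, 0) + 1
        return None
    def can_access(self, role, resource):
        policy = {"admin": {"audit-log", "report"}, "user": {"report"}}
        return resource in policy.get(role, set())  # deny by default

def lockout_then_valid(svc):
    # Range of conditions: LOCKOUT wrong attempts, then the correct password.
    for _ in range(AuthService.LOCKOUT):
        svc.login("alice", "wrong")
    return svc.login("alice", "correct horse")

def security_test_plan(svc):
    # Test plan rows: (name, input as a thunk, expected output).
    svc.register("alice", "correct horse", "user")
    return [
        ("valid credentials grant role", lambda: svc.login("alice", "correct horse"), "user"),
        ("wrong password rejected", lambda: svc.login("alice", "wrong"), None),
        ("unknown user rejected", lambda: svc.login("nobody", "x"), None),
        ("user cannot reach admin resource", lambda: svc.can_access("user", "audit-log"), False),
        ("unknown role denied by default", lambda: svc.can_access("guest", "report"), False),
        ("locked account rejects right password", lambda: lockout_then_valid(svc), None),
    ]

def evaluate(plan):
    # Evaluation criterion and decision: any unmet expectation blocks acceptance.
    failed = [name for name, run, expected in plan if run() != expected]
    return {"failed": failed, "decision": "accept" if not failed else "reject: remediate and retest"}
```

The same plan can be rerun unchanged after remediation, which gives the auditor the documented expected outcomes and the recorded results side by side.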

For outsourced development and purchasing components, an acquisition process should be followed. Contracts with the supplier should address the identified security requirements. Products and services should be evaluated against these criteria before acquisition. Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organization’s environment and that the tests are reliable.

Other information

Multiple test environments can be established and used for different kinds of testing (e.g. functional and performance testing). These environments can be virtual, with individual configurations that simulate a variety of operating environments. Testing and monitoring of the test environments, tools and technologies themselves also needs to be considered to ensure effective testing. The same considerations apply to monitoring of the monitoring systems deployed in development, test and production settings. Judgement is needed, guided by the sensitivity of the systems and data, to determine how many layers of meta-testing are useful.

Security testing is a type of software testing that uncovers vulnerabilities of the system and determines whether the data and resources of the system are protected from possible intruders. It ensures that the software system and application are free from threats or risks that could cause a loss. Security testing of any system focuses on finding all possible loopholes and weaknesses that might result in the loss of information or reputation of the organization. The goal of security testing is to identify vulnerabilities and potential threats and to ensure that the system is protected against unauthorized access, data breaches and other security-related issues. The goals of security testing are:

  • To identify the threats in the system.
  • To measure the potential vulnerabilities of the system.
  • To help detect every possible security risk in the system.
  • To help developers fix the security problems through coding.

The main objectives of security testing are to:

  • Identify vulnerabilities: Security testing helps identify vulnerabilities in the system, such as weak passwords, unpatched software and misconfigured systems, that could be exploited by attackers.
  • Evaluate the system’s ability to withstand an attack: Security testing evaluates the system’s ability to withstand different types of attacks, such as network attacks, social engineering attacks and application-level attacks.
  • Ensure compliance: Security testing helps ensure that the system meets relevant security standards and regulations.
  • Provide a comprehensive security assessment: Security testing provides a comprehensive assessment of the system’s security posture, including the identification of vulnerabilities, the evaluation of the system’s ability to withstand an attack, and compliance with relevant security standards.
  • Help organizations prepare for potential security incidents: Security testing helps organizations understand the risks and vulnerabilities they face, enabling them to prepare for and respond to potential security incidents.
  • Identify and fix potential security issues before deployment to production: Security testing helps identify and fix security issues before the system is deployed to production, which reduces the risk of a security incident occurring in the production environment.

Major Focus Areas in Security Testing:

  • Network Security
  • System Software Security
  • Client-side Application Security
  • Server-side Application Security
  • Authentication and Authorization: Testing the system’s ability to properly authenticate and authorize users and devices. This includes testing the strength and effectiveness of passwords, usernames, and other forms of authentication, as well as testing the system’s access controls and permission mechanisms.
  • Network and Infrastructure Security: Testing the security of the system’s network and infrastructure, including firewalls, routers, and other network devices. This includes testing the system’s ability to defend against common network attacks such as denial of service (DoS) and man-in-the-middle (MitM) attacks.
  • Database Security: Testing the security of the system’s databases, including testing for SQL injection, cross-site scripting, and other types of attacks.
  • Application Security: Testing the security of the system’s applications, including testing for cross-site scripting, injection attacks, and other types of vulnerabilities.
  • Data Security: Testing the security of the system’s data, including testing for data encryption, data integrity, and data leakage.
  • Compliance: Testing the system’s compliance with relevant security standards and regulations, such as HIPAA, PCI DSS, and SOC2.
  • Cloud Security: Testing the security of cloud-

Testing of security functionality needs to be carried out during development. Specific testing of security functionality for any development must be carried out and signed off by an appropriate authority with security competency and responsibility. The expected outcomes of security testing should be documented before testing commences and should be based on business requirements for security. The auditor will want to see evidence that security-specific testing has been carried out in any development that is security-relevant. Acceptance testing programs and related criteria must be established for new information systems, upgrades and new versions. For acceptance testing, the tests and the criteria for demonstrating a successful test should be designed and developed from business requirements before the tests are carried out. Acceptance testing should also include security testing. The auditor will look for evidence that acceptance testing criteria and methods were designed according to business requirements and include provisions for security acceptance testing.

Basic principles of security testing:

  • Confidentiality
  • Integrity
  • Authentication
  • Authorization
  • Availability
  • Non-repudiation

Organisations should incorporate security testing into the testing process for all systems and must ensure that all new information systems and their new or updated versions satisfy the information security requirements when they are in the production environment. Security testing should cover:

  • Security functions such as user authentication, access restriction and cryptography.
  • Secure coding.
  • Secure configurations as prescribed. This may cover firewalls and operating systems.

When designing security testing plans, organisations should take into account the level of criticality and the nature of the information system at hand. The security testing plan should cover the following:

  • Establishment of a detailed schedule for the activities and the testing to be conducted.
  • Inputs and outputs expected to occur under a given set of conditions.
  • Criteria to assess the results.
  • If appropriate, decisions to take actions based upon the results.

When IT systems are developed by the in-house development team, this team should carry out the initial security testing to ensure the IT system satisfies the security requirements. This initial testing should then be followed by independent acceptance testing. In relation to in-house development, the following should be considered:

  • Carrying out code review activities to detect and eliminate security flaws, including unanticipated inputs and conditions.
  • Carrying out vulnerability scanning to detect insecure configurations and other vulnerabilities.
  • Carrying out penetration tests to detect insecure code and design.

Types of Security Testing:

  1. Vulnerability Scanning: Vulnerability scanning uses automated software to scan a system for known vulnerability patterns.
  2. Security Scanning: Security scanning identifies network and system weaknesses and then provides solutions for reducing these defects or risks. It can be carried out manually or with automated tools.
  3. Penetration Testing: Penetration testing simulates an attack by a malicious hacker. It analyses a particular system to find the vulnerabilities an attacker could use to compromise it.
  4. Risk Assessment: In risk assessment, the security risks observed in the organization are analysed and classified into three categories: low, medium and high. The assessment recommends controls and measures to minimize the risk.
  5. Security Auditing: Security auditing is an internal inspection of applications and operating systems for security defects. An audit can also be carried out through line-by-line checking of code.
  6. Ethical Hacking: Ethical hacking differs from malicious hacking in its purpose, which is to expose security flaws in the organization’s system so that they can be fixed.
  7. Posture Assessment: Posture assessment combines security scanning, ethical hacking and risk assessment to provide an overall picture of the security posture of an organization.
  8. Application security testing: Application security testing focuses on identifying vulnerabilities in the application itself. It includes testing the application’s code, configuration and dependencies for potential vulnerabilities.
  9. Network security testing: Network security testing focuses on identifying vulnerabilities in the network infrastructure. It includes testing firewalls, routers and other network devices for potential vulnerabilities.
  10. Social engineering testing: Social engineering testing simulates phishing, baiting and other types of social engineering attacks to identify vulnerabilities in the system’s human element.

Tools such as Nessus, OpenVAS and Metasploit can be used to automate and simplify parts of security testing. Security testing should be done regularly, and any vulnerabilities or threats identified during testing should be fixed immediately to protect the system from potential attacks.

Organisations should follow a strict acquisition process when they outsource development or purchase IT components from external parties. Organisations should enter into an agreement with their suppliers, and this agreement should address the information security requirements. Furthermore, organisations should ensure that the products and services they purchase comply with the information security standards. Organisations can create multiple test environments to carry out various kinds of testing, such as functional, non-functional and performance testing. They can also create virtual test environments and configure them to test the IT systems in various operational settings. Effective security testing requires organisations to test and monitor the testing environments, tools and technologies themselves. Organisations should take into account the sensitivity and criticality of the data when determining the number of layers of meta-testing.


If you need assistance or have any doubt and need to ask any questions, contact me at You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.

One thought on “ISO 27001:2022 A 8.29 Security testing in development and acceptance”

  1. I am getting excellent guidance in understanding ISMS requirements. I am finding that all the requirements explained are related to information technology. I am ambiguous whether ISO 27001 can be applied to industries other than IT, like engineering companies involved in manufacturing, trading, service-oriented industries etc. I would be very thankful if you clarify my doubt.
    Thanking you
