Requirement
Requirement lens
This control asks whether security testing processes are defined and implemented in the development lifecycle.
“Security testing processes shall be defined and implemented in the development life cycle.”
Plain-language meaning
Security testing should be planned, performed, recorded, and used as part of development and acceptance. It should not be left until the final days before go-live.
Testing can apply to new systems, changed systems, subsystems, devices, applications, infrastructure, and integrations.
Why this matters
If security testing happens only at the end, vulnerabilities and inappropriate functionality can remain embedded in the system and become expensive to fix. Early and repeated testing finds problems while they are still manageable.
Acceptance criteria should define what security evidence is required before a system is approved for operational use.
Implementation guidance
Implementer focus
Define security acceptance criteria before testing starts. Otherwise testing becomes a late-stage opinion, not a control.
1. Define security testing process
Define when security testing occurs, which methods apply, who performs testing, what evidence is retained, and who approves acceptance.
2. Select testing methods by risk
Testing may include security requirements testing, vulnerability scanning, penetration testing, automated source code testing, dependency testing, manual code review, formal analysis, configuration testing, and abuse-case testing.
3. Test during development
Use ongoing testing to remove vulnerabilities early. Do not rely only on final acceptance testing.
4. Define acceptance criteria
Security acceptance criteria should cover access control, defective input handling, regression tests, security controls, secure configuration, user training, operational readiness, and unresolved vulnerabilities.
5. Involve relevant stakeholders
Operations, users, product owners, security, and other stakeholders should be involved where their role affects secure operation or acceptance.
Audit guidance
Auditor focus
Trace a system from security test plan to test execution, findings, remediation, retest, user/operations involvement, and final acceptance sign-off.
Auditors should verify:
- security testing process is defined;
- testing frequency and depth are risk-based;
- security acceptance criteria are defined;
- testing occurs during development and before operational use;
- regression, defective input, access control, and security control tests are considered;
- findings are recorded, remediated, retested, or risk-accepted;
- operations and users are consulted where secure operation depends on them;
- required training is considered before acceptance;
- final acceptance is authorized and recorded.
Evidence examples
Evidence quality
Strong evidence proves security testing is planned, risk-based, executed, remediated, and used for acceptance decisions.
| Evidence | What it proves |
|---|---|
| Security test plan | Testing process is defined |
| Security acceptance criteria | Go-live security expectations are known |
| Test results | Tests were performed |
| Finding/remediation tracker | Issues are resolved |
| Retest evidence | Fixes were verified |
| Acceptance sign-off | Authorized role accepted residual risk |
| User/operations training record | Secure operation readiness was considered |
Strong evidence
- Test scope and frequency trace to risk.
- Testing occurs throughout development.
- Acceptance criteria are documented before acceptance.
- Defective input and access control tests are included.
- Findings are closed or risk-accepted before go-live.
- Users and operations are involved where needed.
Weak evidence
- Security testing happens only after development is complete.
- No written acceptance criteria exist.
- Functional testing is treated as security testing.
- Findings are accepted informally.
- Regression or abuse-case testing is missing.
- Users are not trained to operate security controls.
Common failures
Implementation watchouts
A.8.29 fails when security testing is a one-time gate instead of a lifecycle process.
| Failure | Why it matters |
|---|---|
| No security test plan | Testing is inconsistent |
| No acceptance criteria | Go-live decision is subjective |
| Late testing only | Vulnerabilities are expensive to fix |
| No retesting | Fixes may not work |
| Functional-only testing | Security flaws remain |
| User bypass not considered | Controls fail in real operation |
Exam traps
Exam focus
A.8.29 is about security testing processes in development and acceptance, not general functional testing.
| Trap | Correct interpretation |
|---|---|
| Testing new functionality is enough | Security tests, regression, defective input, and control tests matter |
| Final penetration test is enough | Testing should occur through the lifecycle |
| Findings can be ignored if go-live is urgent | Findings need remediation, retest, or risk acceptance |
| Acceptance is only business sign-off | Security acceptance criteria and authorization matter |
| User testing is only usability | Users may try to bypass controls; secure use should be tested/trained |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.25 Secure Development Life Cycle
- A.8.26 Application Security Requirements
- A.8.28 Secure Coding
- A.8.8 Management of Technical Vulnerabilities
- A.8.9 Configuration Management
- A.8.19 Installation of Software on Operational Systems
- Security Test Plan
- Security Acceptance Criteria Checklist
- Security Test Results and Remediation Tracker
- Security Acceptance Sign-Off Record
- A.8.29 Audit Evidence Pack
- A.8.29 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.29 makes security testing part of development and acceptance. Strong implementation proves tests are risk-based, repeated, documented, remediated, retested, and used in go-live decisions.
- Define security testing process.
- Set acceptance criteria.
- Test throughout development.
- Track and retest findings.
- Include users and operations where secure use matters.
- Record final security acceptance.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Security testing
- Secure development
- Audit
Note Metadata
Aliases: A.8.29, Security Testing in Development and Acceptance
Source: 05 Annex A Technological Controls/A.8.29 Security Testing in Development and Acceptance.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.29 Audit Evidence Pack
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.29 Security Testing in Development and Acceptance
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-039 - Secure Coding and Security Testing
- EXAM-040 - Outsourced Development and Environment Separation
- ISO 27002 Annex A Control Interpretation Map
- A.8.29 Audit Checklist
- Change Request and Security Impact Assessment
- Security Acceptance Criteria Checklist
- Security Acceptance Sign-Off Record
- Security Test Plan
- Security Test Results and Remediation Tracker
- Supplier Development Evidence Request List
- Annex A Controls MOC