UnixTime

Research Note

ISO 27001 A.8.29 - Security Testing in Development and Acceptance

Security testing should be planned, performed, recorded, and used as part of development and acceptance. It should not be left until the final days before go-live.

On this page

Requirement

Requirement lens

This control asks whether security testing processes are defined and implemented in the development lifecycle.

“Security testing processes shall be defined and implemented in the development life cycle.”

Plain-language meaning

Security testing should be planned, performed, recorded, and used as part of development and acceptance. It should not be left until the final days before go-live.

Testing can apply to new systems, changed systems, subsystems, devices, applications, infrastructure, and integrations.

Why this matters

If security testing happens only at the end, vulnerabilities and inappropriate functionality can remain embedded in the system and become expensive to fix. Early and repeated testing finds problems while they are still manageable.

Acceptance criteria should define what security evidence is required before a system is approved for operational use.

Implementation guidance

Implementer focus

Define security acceptance criteria before testing starts. Otherwise testing becomes a late-stage opinion, not a control.

1. Define security testing process

Define when security testing occurs, which methods apply, who performs testing, what evidence is retained, and who approves acceptance.

2. Select testing methods by risk

Testing may include security requirements testing, vulnerability scanning, penetration testing, automated source code testing, dependency testing, manual code review, formal analysis, configuration testing, and abuse-case testing.

3. Test during development

Use ongoing testing to remove vulnerabilities early. Do not rely only on final acceptance testing.

4. Define acceptance criteria

Security acceptance criteria should cover access control, defective input handling, regression tests, security controls, secure configuration, user training, operational readiness, and unresolved vulnerabilities.

5. Involve relevant stakeholders

Operations, users, product owners, security, and other stakeholders should be involved where their role affects secure operation or acceptance.

Audit guidance

Auditor focus

Trace a system from security test plan to test execution, findings, remediation, retest, user/operations involvement, and final acceptance sign-off.

Auditors should verify:

  • security testing process is defined;
  • testing frequency and depth are risk-based;
  • security acceptance criteria are defined;
  • testing occurs during development and before operational use;
  • regression, defective input, access control, and security control tests are considered;
  • findings are recorded, remediated, retested, or risk-accepted;
  • operations and users are consulted where secure operation depends on them;
  • required training is considered before acceptance;
  • final acceptance is authorized and recorded.

Evidence examples

Evidence quality

Strong evidence proves security testing is planned, risk-based, executed, remediated, and used for acceptance decisions.

Evidence What it proves
Security test plan Testing process is defined
Security acceptance criteria Go-live security expectations are known
Test results Tests were performed
Finding/remediation tracker Issues are resolved
Retest evidence Fixes were verified
Acceptance sign-off Authorized role accepted residual risk
User/operations training record Secure operation readiness was considered

Strong evidence

  • Test scope and frequency trace to risk.
  • Testing occurs throughout development.
  • Acceptance criteria are documented before acceptance.
  • Defective input and access control tests are included.
  • Findings are closed or risk-accepted before go-live.
  • Users and operations are involved where needed.

Weak evidence

  • Security testing happens only after development is complete.
  • No written acceptance criteria exist.
  • Functional testing is treated as security testing.
  • Findings are accepted informally.
  • Regression or abuse-case testing is missing.
  • Users are not trained to operate security controls.

Common failures

Implementation watchouts

A.8.29 fails when security testing is a one-time gate instead of a lifecycle process.

Failure Why it matters
No security test plan Testing is inconsistent
No acceptance criteria Go-live decision is subjective
Late testing only Vulnerabilities are expensive to fix
No retesting Fixes may not work
Functional-only testing Security flaws remain
User bypass not considered Controls fail in real operation

Exam traps

Exam focus

A.8.29 is about security testing processes in development and acceptance, not general functional testing.

Trap Correct interpretation
Testing new functionality is enough Security tests, regression, defective input, and control tests matter
Final penetration test is enough Testing should occur through the lifecycle
Findings can be ignored if go-live is urgent Findings need remediation, retest, or risk acceptance
Acceptance is only business sign-off Security acceptance criteria and authorization matter
User testing is only usability Users may try to bypass controls; secure use should be tested/trained

KB-ready summary

Mentor takeaway

A.8.29 makes security testing part of development and acceptance. Strong implementation proves tests are risk-based, repeated, documented, remediated, retested, and used in go-live decisions.

  • Define security testing process.
  • Set acceptance criteria.
  • Test throughout development.
  • Track and retest findings.
  • Include users and operations where secure use matters.
  • Record final security acceptance.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Security testing
  • Secure development
  • Audit

Note Metadata

Aliases: A.8.29, Security Testing in Development and Acceptance

Source: 05 Annex A Technological Controls/A.8.29 Security Testing in Development and Acceptance.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.