When to use this
Use this checklist before signing or renewing a development contract, statement of work, or supplier delivery plan.
Related controls
- A.8.30 Outsourced Development
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.8.25 Secure Development Life Cycle
Checklist
- Development scope is defined.
- Information and system sensitivity is documented.
- Secure development requirements are included.
- Secure coding standards are referenced.
- Security testing requirements are included.
- Vulnerability remediation timelines are defined.
- IP ownership and licence obligations are defined.
- Open-source and third-party component rules are defined.
- Audit rights or assurance evidence requirements are defined.
- Developer training or competence expectations are defined.
- Subcontractor approval and flow-down requirements are defined.
- Acceptance criteria include security evidence.
Requirements table
| Requirement | Applies? | Contract/SOW reference | Owner | Evidence expected |
|---|---|---|---|---|
| Secure coding | TBD | TBD | TBD | TBD |
| Security testing | TBD | TBD | TBD | TBD |
| Vulnerability remediation | TBD | TBD | TBD | TBD |
| IP/licence control | TBD | TBD | TBD | TBD |
| Audit/assurance | TBD | TBD | TBD | TBD |
- Template
- Iso27001
- Supplier security
- Outsourced development
Note Metadata
Aliases: Supplier Development Security Requirements Checklist
Source: 90 Templates/Outsourced Development Security Requirements Checklist.md
Related Notes
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- A.8.30 Audit Evidence Pack
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.30 - Outsourced Development
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- Templates MOC