When to use this
Use this list when preparing an internal audit, supplier review, or acceptance review for outsourced development.
Related controls
Evidence request table
| Evidence requested | Supplier response | Received? | Reviewed by | Gap/action |
|---|---|---|---|---|
| Secure development policy/standard | TBD | TBD | TBD | TBD |
| Secure coding standard | TBD | TBD | TBD | TBD |
| Developer training evidence | TBD | TBD | TBD | TBD |
| Code review evidence | TBD | TBD | TBD | TBD |
| Security test results | TBD | TBD | TBD | TBD |
| Vulnerability remediation tracker | TBD | TBD | TBD | TBD |
| Malware/covert-channel check evidence | TBD | TBD | TBD | TBD |
| Open-source component and licence inventory | TBD | TBD | TBD | TBD |
| Subcontractor list and controls | TBD | TBD | TBD | TBD |
| Acceptance sign-off pack | TBD | TBD | TBD | TBD |
- Template
- Iso27001
- Supplier security
- Audit
Note Metadata
Aliases: Outsourced Development Evidence Request List
Source: 90 Templates/Supplier Development Evidence Request List.md
Related Notes
- A.8.30 Audit Evidence Pack
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.30 - Outsourced Development
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- Templates MOC