1 · Purpose
This policy establishes the requirements for secure software development policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.
2 · Scope
This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.
3 · Policy statements
3.x · CAO-480 Policy Controls
The organisation shall establish, implement and maintain a coherent and effective approach to secure software development, giving effect to the organisational control objectives set out below.
3.1 · CAO-481 Secure Development Lifecycle
The organisation shall establish, implement and maintain effective Secure Development Lifecycle, giving effect to the organisational controls set out below.
3.1.x · CAO-481 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.2 · CAO-482 Secure Coding
The organisation shall establish, implement and maintain effective Secure Coding, giving effect to the organisational controls set out below.
3.2.x · CAO-482 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.3 · CAO-483 Security Requirements and Architecture
The organisation shall establish, implement and maintain effective Security Requirements and Architecture, giving effect to the organisational controls set out below.
3.3.x · CAO-483 Organisational Controls
3.4 · CAO-484 Security Testing in Development
The organisation shall establish, implement and maintain effective Security Testing in Development, giving effect to the organisational controls set out below.
3.4.x · CAO-484 Organisational Controls
3.5 · CAO-485 Development Environment Security
The organisation shall establish, implement and maintain effective Development Environment Security, giving effect to the organisational controls set out below.
3.5.x · CAO-485 Organisational Controls
4 · Roles & responsibilities
- Governing body — approves this policy and oversees its effectiveness.
- Executive management — allocates resources and assigns control ownership.
- Control owners — implement, operate and evidence the controls in their area.
- All personnel & third parties — comply with this policy within their role.
5 · Compliance, monitoring & review
Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.
