Checklist of ISO/IEC 27001-A.14.2.1 Secure development policy


In today’s world, the development of software, services, and applications has become increasingly important for businesses of all sizes. 

However, with the increased use of technology comes an increased risk of cyber threats, and it is essential for organizations to have robust security measures in place. 

A.14.2.1 of the ISO/IEC 27001 standard requires that organizations have a Secure Development Policy to cover security architectures, services, and software. 

This article will provide a checklist for organizations to ensure that they have the necessary measures in place to comply with this requirement.

Sample Checklist:

  • Is there a Secure Development Policy in place that covers security architectures, services, and software?
  • Are development environments and repositories secure with access control, security, and change monitoring?
  • Do development methods include secure coding guidelines?
  • Are developers adequately trained and have the necessary knowledge about secure coding practices?
  • Are secure programming techniques used when there is code re-use, and development standards may not be fully known?
  • Are third-party developers required to comply with the organization’s Secure Development Policy?


The Secure Development Policy is an essential requirement for organizations to ensure that their software, services, and applications are developed with robust security measures in place. 

By following the checklist provided in this article, organizations can ensure that they comply with A.14.2.1 of the ISO/IEC 27001 standard. 

These measures include having a Secure Development Policy in place, ensuring that development environments and repositories are secure, using secure coding guidelines, and providing adequate training to developers. 

See also  Checklist of ISO/IEC 27001-A.14.2.8 System security testing

Additionally, organizations must ensure that third-party developers comply with their Secure Development Policy to mitigate any potential security risks.

Leave a comment

Your email address will not be published. Required fields are marked *