ABSTRACT

The “Information Systems Acquisition, Development, and Maintenance” security clause has a total of 16 controls in 6 control objectives. The controls in this clause cover the validity of information and data, cryptography, protection of systems test and operational data as well as source code, safeguards that should be considered in software development, and the identification and control of technical vulnerabilities.

This clause was developed to help make managers aware of the importance of including information security in the business process, and of addressing security in the design and acquisition stages of a project rather than as an afterthought. It suggests that information security should be a normal part of the business justification process.