ISO 27001 (2022): Secure Development and Acquisition Policy
The ISO 27001 (2022) standard focuses on information security management.
Omnicom's "Secure Development and Acquisition Policy" and "Secure Development and Acquisition Standard" are derived from and aligned with this standard, emphasizing Omnicom's commitment to the confidentiality, integrity, and availability of all systems and data.
Updates
Omnicom's Secure Development and Acquisition Policy was updated in February 2024 to comply with the ISO 27001 (2022) standard.
Overall Objective
The overall objective of Omnicom's secure development processes is to ensure that all efforts are efficient, cost-effective, coordinated, and compliant with applicable laws, regulations, governance principles, and recommendations from regulatory authorities, with ISO 27001 serving as the foundation to achieve this.
Understanding ISO/IEC 27001:2022
ISO/IEC 27001:2022 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its primary purpose is to help organizations manage their information security risks effectively.
Key Changes in the 2022 Version
The 2022 revision of ISO 27001, officially known as ISO/IEC 27001:2022, brought significant updates compared to its 2013 predecessor, primarily in Annex A (the list of information security controls). While the main clauses (4-10) of the standard saw only minor textual adjustments, the control set was thoroughly revised:
- Consolidation and Reduction of Controls: The total number of controls was reduced from 114 to 93. This was achieved through merging existing controls and removing some that were no longer relevant.
- New Control Categories: The controls are now organized into four thematic areas, replacing the previous 14 domains:
  - A.5 Organizational Controls (37 controls)
  - A.6 People Controls (8 controls)
  - A.7 Physical Controls (14 controls)
  - A.8 Technological Controls (34 controls)
- Introduction of New Controls: 11 new controls were introduced to address emerging threats and best practices, including:
  - A.5.7 Threat intelligence
  - A.5.23 Information security for use of cloud services
  - A.5.28 ICT readiness for business continuity
  - A.7.4 Physical security monitoring
  - A.8.12 Data masking
  - A.8.16 Monitoring activities
  - A.8.23 Web filtering
  - A.8.28 Secure coding
- Attributes for Controls: Each control now includes five attributes (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains) to facilitate easier categorization and filtering.
Core Principles and the ISMS
The Information Security Management System (ISMS) is at the heart of ISO 27001. It is a systematic approach to managing sensitive company information so that it remains secure: it covers people, processes, and IT systems, and applies a risk management process to all of them.
The ISMS operates on the Plan-Do-Check-Act (PDCA) cycle, a continuous improvement model:
- Plan: Establish the ISMS policy, objectives, processes, and procedures relevant to managing risk and improving information security. (Clauses 4, 5, 6)
- Do: Implement and operate the ISMS policy, controls, processes, and procedures. (Clauses 7, 8)
- Check: Monitor, measure, analyze, and evaluate the ISMS performance against objectives and requirements. (Clause 9)
- Act: Take actions to continually improve the ISMS. (Clause 10)
Main Clauses of ISO 27001:2022:
- Clause 4: Context of the organization: Understanding the internal and external issues, interested parties, and the scope of the ISMS.
- Clause 5: Leadership: Top management commitment, policy, and roles/responsibilities.
- Clause 6: Planning: Actions to address risks and opportunities, and information security objectives.
- Clause 7: Support: Resources, competence, awareness, communication, and documented information.
- Clause 8: Operation: Operational planning and control, and information security risk treatment.
- Clause 9: Performance evaluation: Monitoring, measurement, analysis, evaluation, internal audit, and management review.
- Clause 10: Improvement: Nonconformity and corrective action, and continual improvement.
Omnicom's Commitment and Alignment
Omnicom's "Secure Development and Acquisition Policy" and "Secure Development and Acquisition Standard" are meticulously crafted to reflect the requirements and spirit of ISO 27001:2022. By integrating the updated Annex A controls, particularly those related to secure coding (A.8.28) and cloud services (A.5.23), Omnicom ensures its information security practices are robust, modern, and aligned with international best practices. This commitment extends through all phases of the Secure Development Life Cycle (SDLC), ensuring that confidentiality, integrity, and availability are foundational to every system and data asset.
ISO 27001:2022 for Osborn Developers: A Practical Guide
For developers in the Osborn project, ISO 27001:2022 is a framework that guides the integration of security into every stage of our development lifecycle. Applying its principles ensures that the software we build—from the Django backend to the React frontend—is resilient against threats.
The Developer's Role in the ISMS
Developers are crucial in the "Do" and "Check" phases of the ISMS PDCA cycle. Your daily coding practices in Django and React directly contribute to implementing security controls.
Key Annex A Controls and Developer Responsibilities
While all controls are important, some have a direct impact on a developer's work within the Osborn project:
A.8.28 Secure Coding
This is the most critical control for developers. For Osborn-specific guidelines, refer to the Secure Coding Guidelines and the language-specific standards.
- Principles & Practices in Osborn:
  - Input Validation: In our Django backend, we use DRF Serializers to validate all incoming API data. In the React frontend, we use libraries like Zod for schema validation before submitting forms.
  - Dependency Management: We manage dependencies via requirements.txt (Python) and package.json (Node.js). Our Bitbucket CI/CD pipeline includes Software Composition Analysis (SCA) to scan for vulnerabilities in these libraries.
- Tools & Practices: Our Bitbucket pipeline integrates SAST, DAST, and IAST tools to identify vulnerabilities early. All code is reviewed via Pull Requests in Bitbucket.
A.5.23 Information Security for Use of Cloud Services
As an AWS-first project, this control is central to our architecture.
- Secure Configuration: We use Infrastructure as Code (IaC) to ensure our AWS resources (EC2, S3, RDS) are configured securely and consistently.
- Identity and Access Management (IAM): We follow the principle of least privilege, creating granular IAM roles for each service. For example, a Lambda function that only reads from an S3 bucket will not have write permissions.
- API Security: Our backend APIs are exposed via API Gateway, which is used to manage authentication, throttling, and access control.
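The read-only Lambda described above, written out as the policy document it needs plus a review check that flags anything broader than the approved action set; this is an added example, not Osborn's IaC, and the bucket name is a constructed placeholder:

```python
"""Least-privilege IAM policy for a read-only S3 consumer (ISO 27001:2022 A.5.23).

Added example, not Osborn project code. It builds the policy a Lambda that
only reads one bucket should receive, and runs a review check that a pipeline
could apply to any generated policy before it is deployed.
"""
import json

BUCKET = "osborn-example-reports"  # constructed placeholder, not a real bucket
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}  # the approved set for readers


def s3_read_only_policy(bucket: str) -> dict:
    """Grant exactly the two actions a reader needs, each scoped to the right ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def least_privilege_findings(policy: dict, allowed_actions: set) -> list:
    """Review check: return findings; an empty list means nothing beyond allowed_actions is granted.

    Flags wildcard actions, any Allow action outside the approved set, and Resource "*".
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: {action!r} is not in the approved set")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' covers every bucket in the account")
    return findings


if __name__ == "__main__":
    policy = s3_read_only_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("findings:", least_privilege_findings(policy, READ_ONLY_ACTIONS))
```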
A.8.12 Data Masking
Protecting sensitive data in our multi-tenant development and staging environments is crucial.
- Implementation: When seeding databases for testing, we use scripts that generate fake data or anonymize production data to avoid exposing real user information.
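An added example of such a seeding script, not Osborn project code: it pseudonymizes exported rows with a keyed HMAC so that relationships between rows survive while no real value reaches staging (the MASKING_KEY variable and the row layout are assumptions):

```python
"""Data masking for seeding non-production databases (ISO 27001:2022 A.8.12).

Added example, not Osborn project code. Identifying fields are replaced with
keyed HMAC tokens so the same real value always maps to the same token
(foreign keys and de-duplication logic still work in staging) while the real
value cannot be recovered there. The MASKING_KEY variable and the row shape
below are assumptions constructed for this example.
"""
import hashlib
import hmac
import os
import re

# Constructed sample of what an exported production row might look like.
SAMPLE_USERS = [
    {"id": 1, "email": "alice@example.com", "full_name": "Alice Example",
     "phone": "+1 415 555 0100", "plan": "pro"},
    {"id": 2, "email": "bob@example.com", "full_name": "Bob Example",
     "phone": "+44 20 7946 0001", "plan": "free"},
]

PII_FIELDS = ("email", "full_name", "phone")  # must never reach staging as-is

def _token(key: bytes, value: str, length: int = 12) -> str:
    """Deterministic, non-reversible token; keyed so staging users cannot brute-force it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]

def mask_user(user: dict, key: bytes) -> dict:
    """Return a copy of the row with PII replaced; non-PII columns are kept."""
    masked = dict(user)
    masked["email"] = f"user-{_token(key, user['email'])}@masked.invalid"
    masked["full_name"] = f"User {_token(key, user['full_name'], 8)}"
    digits = re.sub(r"\D", "", user["phone"])
    masked["phone"] = "X" * (len(digits) - 2) + digits[-2:]  # keep the shape, drop the identity
    return masked

def mask_dataset(rows: list, key: bytes) -> list:
    return [mask_user(row, key) for row in rows]

def contains_pii(masked_rows: list, original_rows: list) -> bool:
    """Pre-load guard: True if any original PII value survived masking."""
    originals = {str(row[f]) for row in original_rows for f in PII_FIELDS}
    return any(str(row[f]) in originals for row in masked_rows for f in PII_FIELDS)

if __name__ == "__main__":
    key = os.environ.get("MASKING_KEY", "dev-only-key").encode()
    for row in mask_dataset(SAMPLE_USERS, key):
        print(row)
```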
A.8.16 Monitoring Activities
Developers play a key role in enabling effective security monitoring.
- Logging: Our Django application is configured to send structured logs to Amazon CloudWatch. These logs are then fed into Devo, Omnicom's SIEM tool.
- Alerting: We use tools like Sentry for real-time error tracking and alerting, which helps us identify and respond to security incidents quickly.
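What a structured-logging setup of this kind looks like in Django settings, given as an added example rather than Osborn's own configuration; it assumes stdout is shipped to CloudWatch by the runtime (container log driver or agent), not by the application itself:

```python
"""Structured JSON logging for the Django backend (ISO 27001:2022 A.8.16).

Added example, not Osborn project code. Each event is one JSON object per
line so CloudWatch and the SIEM fed from it can filter on fields instead of
parsing free text. LOGGING is the dictConfig shape Django's settings.py
expects; shipping stdout to CloudWatch is assumed to happen outside the app.
"""
import json
import logging
from datetime import datetime, timezone


class JsonFormatter(logging.Formatter):
    """Emit a flat JSON object; fields passed via extra={...} are included."""

    # Attributes every LogRecord carries, so only caller-supplied extras are left over.
    STANDARD = set(logging.LogRecord("", 0, "", 0, "", (), None).__dict__) | {"message", "asctime"}

    def format(self, record: logging.LogRecord) -> str:
        payload = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        }
        if record.exc_info:
            payload["exception"] = self.formatException(record.exc_info)
        payload.update({k: v for k, v in record.__dict__.items() if k not in self.STANDARD})
        return json.dumps(payload, default=str)


# Drop-in for settings.py: everything goes to stdout as JSON for collection.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {"json": {"()": JsonFormatter}},
    "handlers": {"stdout": {"class": "logging.StreamHandler",
                            "stream": "ext://sys.stdout", "formatter": "json"}},
    "root": {"handlers": ["stdout"], "level": "INFO"},
    "loggers": {"django.security": {"level": "WARNING", "propagate": True}},
}


def format_event(logger_name: str, level: int, message: str, **fields) -> dict:
    """Build one record as the logger would and return the parsed JSON line (handy in tests)."""
    record = logging.getLogger(logger_name).makeRecord(
        logger_name, level, __file__, 0, message, (), None, extra=fields)
    return json.loads(JsonFormatter().format(record))
```

Fields such as request_id or user_id are passed as `extra={...}` on the logging call and land as top-level JSON keys the SIEM can index.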
Integration with the Osborn SDLC
Omnicom's SDLC phases are tailored to the Osborn workflow:
- Requirements Analysis: Define security requirements in the Jira task.
- Architecture and Design: Design secure AWS architectures and perform risk assessments for new features.
- Development: Apply secure coding practices and use our Bitbucket pipeline for early security testing (SAST, SCA).
- Testing: Conduct comprehensive security testing (DAST, IAST) in the stage environment.
- Implementation: Deploy securely to production using our CI/CD pipeline, which includes final security checks.
- Operations/Maintenance: Ensure ongoing monitoring with Sentry and Devo, and perform regular vulnerability scanning.
By actively engaging with these controls, you contribute directly to Osborn's robust information security posture.