We want to be 27001 certified and our company is based on one core application that is hosted in our cloud infrastructure but provided by a vendor.

Is there a situation where an auditor needs access to the source code to be able to verify whether certain levels of security are "built" into the application and that the application has no backdoor which does "something unexpected with the data" (let's phrase it like this), or is this not necessary?

The background of the question is: the application vendor would give access to the source code (contractually agreed), but ONLY if this is a clear need from an ISO 27001 audit perspective.

1 Answer

No, it is not normal for an ISO 27001 auditor to review code.

However, if you claim as part of your ISMS that you perform code reviews of the vendor's code, then the auditors will want to see proof of your access.

  • That we can do code reviews ourselves was something we would like, but this request was rejected by the vendor. He would only accept a source code audit if this is essential for getting the ISO 27001 certification, which is not the case according to your answer. Thx.
    Commented Feb 27 at 13:37
  • Yes, it's not the case. It's a strange thing for the vendor to offer, actually. Other certifications would require a code review, but not ISO 27001.
    – schroeder
    Commented Feb 27 at 13:44
  • For the sake of my interest: which other certifications do request this?
    Commented Feb 27 at 13:47
  • My apologies, you can only get certified against 27001. You can comply with 27002 and 27017 in ways that would require an audited code review. And like I said, even in 27001, if you say you perform code reviews, you need to be able to show that you do it.
    – schroeder
    Commented Feb 27 at 13:51