A.8.27 Secure System Architecture and Engineering Principles would include:
- Secure Architecture Design: Documentation of the system's architecture design that incorporates security principles, such as defense in depth, least privilege, and separation of duties.
- Threat Modeling: Evidence of threat modeling exercises conducted during the system's design phase to identify potential security threats and vulnerabilities.
- Security Controls: Documentation of security controls implemented at the architectural level to mitigate identified risks and protect critical assets.
- Secure Development Framework: Evidence of the use of secure development frameworks or methodologies that promote secure architecture and engineering practices.
- Security Review Reports: Reports from security reviews and assessments conducted by qualified security experts to evaluate the system's architecture for security flaws and design weaknesses.
- Secure Coding Guidelines: Evidence that secure coding guidelines and practices are integrated into the system's development process to ensure secure engineering.
- Component Review: Documentation of security reviews conducted for each component or module of the system to assess its security features and potential vulnerabilities.
- Security by Design Principles: Information on the implementation of security by design principles, ensuring that security considerations are incorporated from the system's inception.
- Compliance with Security Standards: Verification that the system's architecture complies with relevant security standards and best practices, such as ISO/IEC 27001, NIST Cybersecurity Framework, or other industry-specific guidelines.
- Security Testing: Evidence of security testing conducted on the system's architecture to validate its resilience against security threats and attacks.
- Secure Configuration Management: Documentation of secure configuration management practices, ensuring that the system's components are properly configured to minimize security risks.
- Secure Protocols and Standards: Information on the use of secure communication protocols and cryptographic standards to protect data in transit and at rest.

By examining these pieces of evidence, an auditor can assess the organization's adherence to secure system architecture and engineering principles. The goal is to verify that security is an integral part of the system's design, development, and deployment, reducing the likelihood of security incidents and ensuring the protection of sensitive information and critical assets.