15 Aug 2023

ISO/IEC 27001:2022 Boosts Security Requirements with Software Escrow Agreements (Guest blog by Escrow London)

In response to an ever-changing business landscape driven by the widespread adoption of cloud-based technologies, the internationally recognised standard ISO/IEC 27001 for Information Security Management Systems (ISMS) has been updated to reflect this evolution with the inclusion of software escrow.

In recent years, the business landscape has undergone a profound transformation, driven by the widespread adoption of cloud-based technologies and an increasing reliance on digital solutions. Organisations across various industries are recognising the immense benefits that cloud computing offers, including scalability, cost-efficiency and enhanced collaboration. The increasing reliance on digital services has been accelerated by the growing demand for remote work capabilities, competitive markets and innovation, making cloud-based solutions even more vital for maintaining seamless connectivity and productivity.

In response to this ever-changing business landscape, new and evolving security challenges need to be managed appropriately. The internationally recognised standard ISO/IEC 27001 for Information Security Management Systems (ISMS) has been updated to reflect this evolution.

What is ISO/IEC 27001?

ISO/IEC 27001 provides a systematic and comprehensive approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability. The standard is designed to help organisations of all sizes and types establish, implement, maintain, and continually improve their ISMS.

It outlines a risk-based approach to information security, helping organisations identify and assess potential risks related to their information assets. It provides a set of requirements and best practices that organisations can follow to manage these risks effectively and protect their sensitive data from various threats, including unauthorised access, data breaches, and cyber-attacks.

By achieving ISO/IEC 27001 certification, organisations demonstrate their commitment to information security and gain the confidence of customers, partners, and stakeholders. The standard is widely recognised and implemented globally, making it a crucial framework for enhancing information security practices and mitigating risks in today's digital age.

What are the changes to ISO/IEC 27001?

In October 2022, ISO/IEC 27001:2022 was published. The most significant update in this iteration is a major revision of Annex A, which lists the security controls. Some security controls have been removed, 24 have been merged and a further 58 have been revised. There are also 11 new security controls, designed to address the evolving cyber and information security landscape, from threat intelligence to data leakage prevention. Under these changes, the number of controls has been reduced from 114 to 93, and they are now organised into 4 categories: Organisational, People, Physical and Technological.

If you are responsible for Information Security, the new ISO/IEC 27001 requires you to implement these changes to ensure you not only remain compliant, but also align your information security defences and practices with digitalisation practices and the threats that accompany them.

ISO/IEC 27001:2022 Annex A Control 8.30

One notable change in ISO/IEC 27001:2022 is the inclusion of software escrow, also known as source code escrow, in Annex A Control 8.30.

ISO 27001:2022 Annex A 8.30 helps organisations ensure that the designated information security requirements are upheld when system and software development is outsourced to third-party entities.

As organisations outsource tasks due to a lack of internal resources or to speed up time to market, they must ensure that external parties adhere to the information security requirements established by the organisation. Outsourcing inherently reduces control over the development process, and potentially over ownership of the IP, making it more challenging to implement and sustain information security standards. ISO 27001:2022 Annex A 8.30 now includes the following guidelines to cover this area:

1: “Ensure that the source code of the software is protected by escrow agreements. For example, it may address what will happen if the external supplier ceases to operate.”

2: “Maintaining evidence that adequate testing has been conducted to address identified vulnerabilities.”

The importance of Software Escrow Agreements

With a rise in data breaches, and new regulatory requirements globally that mandate access to and control over critical software assets, software escrow agreements are becoming essential: they protect companies from supply chain issues such as software vendor failure and give them the ability to restore functionality or maintain systems following a catastrophic event.

Software escrow refers to the depositing of a software application's source code with a trusted third-party software escrow vendor. By depositing the source code (and related assets) with a software escrow vendor, developers ensure that their clients have continued access to the software's codebase and intellectual property, even in unforeseen circumstances like bankruptcy, acquisition, or the developer's inability to maintain the software. This level of assurance fosters trust between parties, encourages collaboration and mitigates potential disruptions, making software escrow agreements a vital tool in ensuring the longevity and stability of software-based business relationships. Software escrow is now clearly recognised by the International Organization for Standardization as a vital component in reducing these types of risks.


How Escrow London can help

Escrow London is recognised as a reliable and trusted partner globally in the software escrow industry. We offer secure and robust  and  services to safeguard valuable software and data that can be released in the event of third-party software supplier failure and then utilised to restore system functionality by the beneficiary or the software escrow vendor.

We offer an array of  to mitigate potential risks with software escrow arrangements, and also testing for vulnerabilities within code. Our mission is for our clients to be confident that, in the event of a release condition, the source code deposit will be accessible and usable. Escrow London holds ISO 27001 and ISO 27017 certifications.

The team is here not only to help you adhere to ISO/IEC 27001:2022, but also to implement suitable software continuity services and plans to protect your organisation from supply chain risks. Please do not hesitate to contact Escrow London.