As digital transformation accelerates, operational resilience has become crucial for businesses. Organisations rely more heavily on third-party providers and outsourced IT, while cyber threats and other sources of business interruption remain ever present. In response, regulators and standards bodies are introducing requirements that organisations retain access to critical software source code and data should a supplier fail.
The internationally recognised International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 for Information Security Management Systems (ISMS) has been updated to reflect these changes.
What is ISO/IEC 27001?
ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS.
The ISO/IEC 27001 standard provides companies of any size and from all sectors with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
By achieving ISO/IEC 27001 certification, businesses demonstrate they have put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles included in this International Standard.
ISO/IEC 27001:2022 and Annex A Control 8.30
In October 2022, ISO/IEC 27001:2022, the newest version of ISO 27001, was published. Under the transition arrangements that accompanied publication, organizations certified to ISO/IEC 27001:2013 have until 31 October 2025 to transition their information security management system (ISMS) to the new edition.
The standard has been updated to reflect the changing landscape of technology and information security to ensure that organizations can protect their data and assets.
The most visible update is the restructuring of Annex A, which lists the security controls: the 114 controls in 14 sections of the 2013 edition become 93 controls grouped into four themes (organizational, people, physical and technological), 11 of which are new in this edition.
Annex A 8.30, Outsourced development, is accompanied by the following implementation guidance (Annex A itself lists only the control statement; the detailed guidance text sits in ISO/IEC 27002:2022, the companion guide to Annex A):
1. “Ensure that the source code of the software is protected by escrow agreements. For example, it may address what will happen if the external supplier ceases to operate.”
2. “Maintaining evidence that adequate testing has been conducted to address identified vulnerabilities.”
To mitigate the risks associated with potential supply chain issues such as software supplier failure, and to ensure business continuity in the event of system disruption, regulators and policymakers are recognising the importance of software escrow agreements.
When it comes to managing third-party risk and putting legally binding agreements in place with suppliers, escrow agreements are a tried and tested method, and regulators in several jurisdictions recommend software escrow as a practical solution.
A Software Escrow Agreement can strengthen a firm’s operational resilience and support compliance with ISO/IEC 27001:2022 by providing a contractual route to the software source code in the event of service provider failure. We store source code, critical data, and the other materials necessary to support an application in the long term. These materials are held in our highly secure vaults, ensuring that they can be accessed and retrieved when required.
What is Escrow Verification?
Software Escrow Verification strengthens the Escrow Agreement and helps demonstrate to auditors that business continuity plans have been tested and are effective. It validates the accuracy and usability of the materials held under the agreement and gives a firm the knowledge required to execute its continuity plan. The technical documentation produced following the verification enables a firm to redeploy and maintain the third-party application without further support from the service provider. A verified deposit is only as current as its last update, so verification should be repeated whenever the deposited materials are refreshed to match a new release.