Activity mapping to SAMM 2 and ISO 27001 Controls, grouped by Dimension / Subdimension

Build and Deployment / Build

• Building and testing of artifacts in virtual environments
  SAMM 2: i-secure-build|A|2
  ISO 27001: 14.2.6
• Defined build process
  SAMM 2: i-secure-build|A|1
  ISO 27001: 12.1.1, 14.2.2
• Regular tests
  SAMM 2: i-secure-build|A|3
  ISO 27001: 14.2.3, 14.2.8, 14.2.9
• Signing of artifacts
  SAMM 2: i-secure-build|A|1
  ISO 27001: 14.2.6
• Signing of code
  SAMM 2: i-secure-build|A|2
  ISO 27001: 14.2.6

Build and Deployment / Deployment

• Backup before deployment
  SAMM 2: TODO
  ISO 27001: 12.3, 14.2.6
• Blue/Green Deployment
  SAMM 2: TODO
  ISO 27001: 17.2.1, 12.1.1, 12.1.2, 12.1.4, 12.5.1, 14.2.9
• Defined deployment process
  SAMM 2: i-secure-deployment|A|1
  ISO 27001: 12.1.1, 14.2.2
• Environment depending configuration parameters
  SAMM 2: i-secure-deployment|B|1
  ISO 27001: 9.4.5, 14.2.6
• Handover of confidential parameters
  SAMM 2: i-secure-deployment|B|2 (TODO: might be 1)
  ISO 27001: 14.1.3, 13.1.3, 9.4.3, 9.4.1, 10.1.2
• Inventory of running artifacts
  SAMM 2: o-incident-management|TODO
  ISO 27001: 8.1, 8.2
• Rolling update on deployment
  SAMM 2: i-secure-deployment|A|1
  ISO 27001: 12.5.1, 14.2.2, 17.2.1
• Same artifact for environments
  SAMM 2: i-secure-deployment|A|2
  ISO 27001: 14.3.1, 14.2.8, 12.1.4
• Usage of feature toggles
  SAMM 2: TODO
  ISO 27001: 14.3.1, 14.2.8, 14.2.9, 12.1.4
• Usage of trusted images
  SAMM 2: i-secure-deployment|A|2
  ISO 27001: 15.1.1, 15.1.2, 15.1.3, 14.1.3

Build and Deployment / Patch Management

• A patch policy is defined
  SAMM 2: o-environment-management|B|1
  ISO 27001: 12.6.1, 12.5.1, 14.2.5
• Automated PRs for patches
  SAMM 2: o-environment-management|B|1
  ISO 27001: 12.6.1, 14.2.5
• Nightly build of images
  SAMM 2: o-environment-management|B|1
  ISO 27001: 12.6.1
• Reduction of the attack surface
  SAMM 2: o-environment-management|B|1
  ISO 27001: hardening is missing in ISO 27001; 14.2.1
• Usage of a maximum lifetime for images
  SAMM 2: o-environment-management|B|1
  ISO 27001: 12.6.1
• Usage of a short maximum lifetime for images
  SAMM 2: o-environment-management|B|1
  ISO 27001: 12.6.1

Culture and Org. / Culture and Org.

• Conduction of advanced threat modelling
  SAMM 2: TODO
  ISO 27001: not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1
• Conduction of simple threat modelling on business level
  SAMM 2: TODO
  ISO 27001: not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1
• Conduction of simple threat modelling on technical level
  SAMM 2: TODO
  ISO 27001: not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1
• Creation of advanced abuse stories
  SAMM 2: TODO
  ISO 27001: not explicitly covered by ISO 27001; may be part of project management (6.1.5) or of risk assessment (8.1.2)
• Creation of simple abuse stories
  SAMM 2: TODO
  ISO 27001: not explicitly covered by ISO 27001; may be part of project management (6.1.5) or of risk assessment (8.1.2)
• Information security targets are communicated
  SAMM 2: TODO
  ISO 27001: 5.1.1, 7.2.1

Culture and Org. / Education and Guidance

• Ad-Hoc Security trainings for software developers
  SAMM 2: TODO
  ISO 27001: 7.2.2
• Aligning security in teams
  SAMM 2: TODO
  ISO 27001: 7.1.1
• Conduction of build-it, break-it, fix-it contests
  SAMM 2: TODO
  ISO 27001: 7.2.2
• Conduction of collaborative security checks with developers and system administrators
  SAMM 2: TODO
  ISO 27001: mutual review of source code is not explicitly required in ISO 27001; may be 7.2.2, 12.6.1, 12.7.1
• Conduction of collaborative team security checks
  SAMM 2: TODO
  ISO 27001: mutual security testing is not explicitly required in ISO 27001; may be 7.2.2
• Conduction of war games
  SAMM 2: TODO
  ISO 27001: war games are not explicitly required in ISO 27001; may be 7.2.2, 16.1, 16.1.5
• Each team has a security champion
  SAMM 2: TODO
  ISO 27001: security champions are missing in ISO 27001; most likely 7.2.1, 7.2.2
• Regular security training for all
  SAMM 2: TODO
  ISO 27001: 7.2.2
• Regular security training for everyone
  SAMM 2: TODO
  ISO 27001: 7.2.2
• Regular security training of security champions
  SAMM 2: TODO
  ISO 27001: security champions are missing in ISO 27001; 7.2.2
• Reward of good communication
  SAMM 2: TODO
  ISO 27001: not required by ISO 27001; interestingly enough, A.7.2.3 requires a process to handle misconduct but nothing to promote good behavior
• Security consulting on request
  SAMM 2: TODO
  ISO 27001: security consulting is missing in ISO 27001; may be 6.1.1, 6.1.4, 6.1.5
• Security-Lessoned-Learned
  SAMM 2: TODO
  ISO 27001: 16.1.6

Culture and Org. / Process

• Approval by reviewing any new version
  SAMM 2: TODO
  ISO 27001: peer review (four-eyes principle) is not explicitly required by ISO 27001; 6.1.2, 14.2.1
• Definition of a change management process
  SAMM 2: TODO
  ISO 27001: 14.2.2, 12.1.2, 12.4.1
• Definition of simple BCDR practices for critical components
  SAMM 2: TODO
  ISO 27001: 17.1.1
• Prevention of unauthorized installation
  SAMM 2: TODO
  ISO 27001: 12.5.1, 12.6.1

Information Gathering / Logging

• Centralized application logging
  SAMM 2: o-incident-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.4.1
• Centralized system logging
  SAMM 2: o-incident-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.4.1
• Correlation of security events
  SAMM 2: o-incident-management|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.4.1
• Logging of security events
  SAMM 2: o-incident-management|A|1
  ISO 27001: 12.4.1
• PII logging concept
  SAMM 2: o-incident-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.4.1, 18.1.1
• Visualized logging
  SAMM 2: o-incident-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.4.1

Information Gathering / Monitoring

• Advanced availability and stability metrics
  SAMM 2: o-incident-management|A|2
  ISO 27001: 12.1.3
• Advanced web application metrics
  SAMM 2: o-incident-management|A|2
  ISO 27001: 12.6.1
• Alerting
  SAMM 2: o-operational-management|B|3
  ISO 27001: 16.1.2, 16.1.4, 12.1.4
• Coverage and control metrics
  SAMM 2: o-incident-management|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific)
• Deactivation of unused metrics
  SAMM 2: o-incident-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.1.3
• Defence metrics
  SAMM 2: o-incident-management|A|2
  ISO 27001: 12.4.1, 13.1.1
• Grouping of metrics
  SAMM 2: o-incident-management|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.1.3
• Metrics are combined with tests
  SAMM 2: o-incident-management|A|2
  ISO 27001: not explicitly covered by ISO 27001
• Screens with metric visualization
  SAMM 2: o-incident-management|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 16.1.5
• Simple application metrics
  SAMM 2: o-incident-management|A|1
  ISO 27001: 12.4.1
• Simple system metrics
  SAMM 2: o-incident-management|A|1
  ISO 27001: 12.1.3
• Targeted alerting
  SAMM 2: o-operational-management|B|3
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 16.1.5
• Visualized metrics
  SAMM 2: o-incident-management|A|2
  ISO 27001: 12.1.3

Infrastructure / Infrastructure Hardening

• 2FA
  SAMM 2: TODO
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 9.1.1, 9.4.2, 14.2.5
• Applications are running in virtualized environments
  SAMM 2: o-environment-management|A|1
  ISO 27001: virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3
• Checking the sources of used libraries
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 14.2.1, 14.2.5
• Immutable Infrastructure
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 17.2.1
• Infrastructure as Code
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.1.1, 12.1.2
• Limitation of system calls in virtual environments
  SAMM 2: o-environment-management|A|1
  ISO 27001: system hardening is not explicitly covered by ISO 27001 (too specific)
• Microservice-Architecture
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001
• Production near environments are used by developers
  SAMM 2: o-environment-management|A|1
  ISO 27001: 12.1.4, 17.2.1
• Role based authentication and authorization
  SAMM 2: o-environment-management|A|1
  ISO 27001: 9.4.1
• Segmented networks for virtual environments
  SAMM 2: o-environment-management|A|1
  ISO 27001: virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3
• Simple access control for systems
  SAMM 2: o-environment-management|A|1
  ISO 27001: 9.4.1
• The cluster is hardened
  SAMM 2: o-environment-management|A|1
  ISO 27001: system hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3
• Usage of a chaos monkey
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 17.1.3
• Usage of security by default for components
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific)
• Usage of test and production environments
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.1.4, 17.2.1
• Virtual environments are limited
  SAMM 2: o-environment-management|A|1
  ISO 27001: virtual environments are not explicitly covered by ISO 27001 (too specific); 12.1.3, 13.1.3, 17.2.1
• Versioning
  SAMM 2: o-environment-management|A|1
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.1.1, 12.1.2, 14.2.2

Test and Verification / Application tests

• High coverage of security related module and integration tests
  SAMM 2: v-security-testing|B|3
  ISO 27001: 14.2.3, 14.2.8
• Security integration tests for important components
  SAMM 2: v-security-testing|B|3
  ISO 27001: 14.2.3, 14.2.8
• Security unit tests for important components
  SAMM 2: v-security-testing|B|3
  ISO 27001: 14.2.3, 14.2.8
• Smoke Test
  SAMM 2: v-security-testing|B|3
  ISO 27001: 14.2.3, 14.2.8

Test and Verification / Consolidation

• Advanced visualization of defects
  SAMM 2: i-defect-management|B|1
  ISO 27001: 16.1.4, 8.2.1, 8.2.2, 8.2.3
• Definition of quality gates
  SAMM 2: i-defect-management|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 12.6.1, 16.1.4
• Integration of vulnerability issues into the development process
  SAMM 2: i-defect-management|B|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 16.1.4, 16.1.5, 16.1.6
• Reproducible defect tickets
  SAMM 2: i-defect-management|B|2
  ISO 27001: 16.1.4, 8.2.1, 8.2.2, 8.2.3
• Simple false positive treatment
  SAMM 2: i-defect-management|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 16.1.6
• Simple visualization of defects
  SAMM 2: i-defect-management|B|1
  ISO 27001: 16.1.4, 8.2.1, 8.2.2, 8.2.3
• Treatment of all defects
  SAMM 2: i-defect-management|B|2
  ISO 27001: 16.1.4, 12.6.1
• Treatment of defects with severity high or higher
  SAMM 2: i-defect-management|B|2
  ISO 27001: 16.1.4, 12.6.1
• Treatment of defects with severity middle
  SAMM 2: i-defect-management|B|2
  ISO 27001: 16.1.4, 12.6.1
• Usage of a vulnerability management system
  SAMM 2: i-defect-management|B|1
  ISO 27001: 12.6.1, 16.1.3, 16.1.4, 16.1.5, 16.1.6

Test and Verification / Dynamic depth for applications

• Coverage analysis
  SAMM 2: v-security-testing|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); part of periodic review, PDCA
• Coverage of client side dynamic components
  SAMM 2: v-security-testing|A|2
  ISO 27001: 14.2.3, 14.2.8
• Coverage of hidden endpoints
  SAMM 2: v-security-testing|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific)
• Coverage of more input vectors
  SAMM 2: v-security-testing|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific)
• Coverage of sequential operations
  SAMM 2: v-security-testing|A|2
  ISO 27001: 14.2.8, 14.2.3
• Coverage of service to service communication
  SAMM 2: v-security-testing|A|2
  ISO 27001: 14.2.3, 14.2.8
• Simple Scan
  SAMM 2: v-security-testing|A|1
  ISO 27001: 14.2.3, 14.2.8
• Usage of different roles
  SAMM 2: v-security-testing|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 14.2.3, 14.2.8
• Usage of multiple scanners
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1, 14.2.5

Test and Verification / Dynamic depth for infrastructure

• Load tests
  SAMM 2: v-security-testing|A|1
  ISO 27001: 12.1.3, 14.2.3, 14.2.8
• Test network segmentation
  SAMM 2: v-security-testing|A|2
  ISO 27001: 13.1.3, 14.2.3, 14.2.8
• Test of the configuration of cloud environments
  SAMM 2: TODO
  ISO 27001: system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8
• Weak password test
  SAMM 2: v-security-testing|A|2
  ISO 27001: 9.4.3

Test and Verification / Static depth for applications

• Exclusion of source code duplicates
  SAMM 2: v-security-testing|A|2
  ISO 27001: not explicitly covered by ISO 27001 (too specific); 14.2.1, 14.2.5
• Static analysis for all components/libraries
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1
• Static analysis for all self written components
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1
• Static analysis for important client side components
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1
• Static analysis for important server side components
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1
• Stylistic analysis
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1, 14.2.1, 14.2.5
• Test of client side components with known vulnerabilities
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1
• Test of server side components with known vulnerabilities
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1
• Usage of multiple analysers
  SAMM 2: v-security-testing|A|3
  ISO 27001: 12.6.1, 14.2.1, 14.2.5

Test and Verification / Static depth for infrastructure

• Check for image lifetime
  SAMM 2: v-security-testing|A|1
  ISO 27001: 12.6.1, 14.2.5
• Check for malware
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.2.1
• Check for new image version
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1, 14.2.5, 12.2.1
• Stored Secrets
  SAMM 2: v-security-testing|A|1
  ISO 27001: VCS usage is not explicitly covered by ISO 27001 (too specific); 9.4.3, 10.1.2
• Test cluster deployment resources
  SAMM 2: v-security-testing|A|1
  ISO 27001: system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8
• Test of infrastructure components for known vulnerabilities
  SAMM 2: v-security-testing|A|1
  ISO 27001: 12.6.1, 14.2.1
• Test the configuration of cloud environments
  SAMM 2: v-security-testing|A|1
  ISO 27001: system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8
• Test the definition of virtualized environments
  SAMM 2: v-security-testing|A|1
  ISO 27001: system hardening and virtual environments are not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8, 14.2.1

Test and Verification / Test-Intensity

• Creation and application of a testing concept
  SAMM 2: v-security-testing|A|2
  ISO 27001: 14.2.2, 14.2.3, 14.2.1, 14.2.5, 12.6.1
• Deactivating of unneeded tests
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1, 14.2.1, 14.2.5
• Default settings for intensity
  SAMM 2: v-security-testing|A|1
  ISO 27001: 12.6.1, 14.2.1, 14.2.5
• High test intensity
  SAMM 2: v-security-testing|A|2
  ISO 27001: 12.6.1, 14.2.1, 14.2.5