A.8.25 Secure Development Life Cycle
What is this control?
ISO 27001:2022 control A.8.25 Secure Development Life Cycle requires that rules for the secure development of software and systems be established and applied, so that security is built in throughout the development lifecycle rather than checked once at the end. In practice the organisation meets it with DevSecOps controls: security requirements defined before work starts, documented secure coding standards, independent code review, automated security testing on every change (for example SAST and secret scanning through Microsoft Defender for DevOps, the DevOps security capability of Microsoft Defender for Cloud), and vulnerability scanning before anything is deployed to production.
How to implement in Microsoft 365
Implement A.8.25 by capturing security requirements in Azure DevOps work items (linked to the project-level security requirements of A.5.8) before development begins, so that each feature carries its threat and abuse cases from the start. Document secure coding standards that cover OWASP Top 10 prevention, input validation and output encoding, and make them the reference for reviewers. Configure Azure DevOps branch policies on the protected branches so that a pull request cannot complete without approval from at least one reviewer other than the author, with approvals reset when new commits are pushed.
Integrate Microsoft Defender for DevOps so that the Microsoft Security DevOps (MSDO) scan runs on every pull request. Blocking the merge takes two settings working together: the pipeline must fail on high-severity findings, and a build-validation branch policy must list that pipeline as a required check; without the policy a failing scan is only advisory. Enable secret scanning so committed credentials are detected before they spread to other branches and clones, and treat every finding as a credential to rotate, not just a file to clean up. Run the remaining automated security tests (dependency and container vulnerability scans, security-focused unit tests) in the same CI/CD pipeline.
Document the security sign-off required before production deployment and enforce it technically: configure approvals on the production environment or release stage so that a deployment cannot proceed until the named approver has recorded their decision, which also produces the audit trail.
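The pipeline below is an added example of the pull-request scan and the gated production stage described in the steps above; it is not taken from the page or from Microsoft's documentation. It assumes the Microsoft Security DevOps extension is installed in the Azure DevOps organisation, that a branch policy on `main` lists this pipeline as a required build-validation check, and that approvals have been configured on an environment named `production`. The `categories` and `break` inputs are the MSDO task's documented inputs at the time of writing; the environment name, the Node commands and `deploy.sh` are placeholders to replace with the project's own.

```yaml
# azure-pipelines.yml (added example; not the page's or Microsoft's own code)
# Assumptions: Microsoft Security DevOps extension installed, a build-validation
# branch policy on main that requires this pipeline, and approvals configured on
# the "production" environment. Names such as production and deploy.sh are placeholders.
trigger:
  branches:
    include:
      - main            # post-merge build that feeds the Deploy stage
pr:
  branches:
    include:
      - main            # pull-request build used as the branch-policy check

pool:
  vmImage: ubuntu-latest

stages:
  - stage: SecurityValidation
    jobs:
      - job: Scan
        steps:
          - checkout: self

          # Microsoft Security DevOps runs the SAST, IaC and credential scanners and
          # publishes SARIF results that Defender for Cloud ingests as DevOps findings.
          - task: MicrosoftSecurityDevOps@1
            displayName: Microsoft Security DevOps scan
            inputs:
              categories: 'code,IaC'   # adjust to what the repository contains
              break: true              # fail the job on high-severity findings; the
                                       # build-validation policy then blocks the merge

          # Application-level security testing runs alongside the normal test suite.
          # Assumption: a Node.js project; swap these commands for the project's stack.
          - script: |
              npm ci
              npm audit --audit-level=high
              npm test
            displayName: Dependency audit and tests

  - stage: Deploy
    dependsOn: SecurityValidation
    # Pull-request builds have a refs/pull/... source branch, so they never deploy.
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: Production
        environment: production   # approvals and checks on this environment are the
                                  # recorded security sign-off an auditor will ask for
        strategy:
          runOnce:
            deploy:
              steps:
                - script: ./deploy.sh   # placeholder for the real deployment step
```

The reviewer requirement itself is not expressed in YAML: set it on the branch (Repos, Branches, Branch policies) with a minimum reviewer count, "Prohibit the most recent pusher from approving their own changes" and reset of votes on new pushes, and add this pipeline under Build validation as a required check. Once both are in place, a high-severity MSDO finding fails the PR build and the merge button stays disabled until the finding is fixed or formally triaged.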
What an auditor looks for
Auditors will verify that Azure DevOps work item templates include security requirements fields and that work items actually use them, that secure coding standards documentation exists and covers the OWASP Top 10, and that branch policies on protected branches require approval from a reviewer other than the author.
They will check that Defender for DevOps is integrated with SAST scanning enabled on pull requests and that high-severity findings are blocking rather than advisory, that secret scanning is active and that detected credentials were rotated, and that the pipeline history and environment approval records show security testing and a recorded security sign-off before each production deployment.
Related controls
M365 capabilities that implement this control
Microsoft Defender for Cloud (formerly Azure Defender): the DevOps security capability (Defender for DevOps) for repository and pipeline scanning, with the Servers, Containers and Databases plans and Cloud Security Posture Management with Secure Score covering the deployed workloads