A.8.27 Secure System Architecture and Engineering Principles
What is this control?
ISO 27001 control A.8.27 Secure System Architecture and Engineering Principles ensures that principles for engineering secure systems are established, documented, maintained, and applied to any information system development activities. In practice, this means applying Zero Trust architecture, defence-in-depth, least privilege, secure defaults, and fail-secure design patterns across all system development, in line with documented architecture standards.
How to implement in Microsoft 365
Implement A.8.27 by documenting secure architecture principles in an Architecture Standards document. The document should cover Zero Trust (identity-verified access), defence-in-depth (multiple security layers), least privilege (minimum necessary access), secure defaults (security enabled by default), and fail-secure (a secure state on failure). Apply these principles to all system designs by requiring architecture review board approval. Implement reference architectures for common patterns using Azure landing zones and M365 security baselines.
Require architecture compliance documentation in Azure DevOps before deployment. Review and update architecture standards annually.
What an auditor looks for
Auditors will verify that an Architecture Standards document exists and covers the Zero Trust, defence-in-depth, least privilege, secure defaults, and fail-secure principles. They will check for evidence of architecture review board approval of system designs. Auditors will verify that reference architectures are documented and followed for common patterns.
They will check that Azure DevOps contains architecture compliance documentation. Auditors will verify that the architecture standards have been reviewed and updated within the last 12 months.