Control Attributes: Technological | Preventive, Detective | Identify

A.8.29 Security Testing in Development and Acceptance

M365 Admin Path: Azure DevOps > Pipelines

Evidence Source: Azure DevOps and Defender

What is this control?

ISO 27001 control A.8.29 Security Testing in Development and Acceptance ensures that security testing processes are defined and implemented in the development lifecycle. The control requires automated security testing via Microsoft Defender for DevOps in CI/CD pipelines, manual penetration testing for critical applications, security acceptance criteria before production deployment, and vulnerability remediation verification.

How to implement in Microsoft 365

Implement A.8.29 by integrating Microsoft Defender for DevOps into Azure Pipelines for automated SAST, DAST, and dependency scanning on every build. Configure branch policies blocking merge when high-severity vulnerabilities are detected. Define security acceptance criteria in Azure DevOps requiring no critical or high vulnerabilities before production.

Conduct annual penetration testing of critical applications by a qualified third party. Document security testing results in Azure DevOps test runs linked to work items. Verify that each vulnerability has actually been remediated before closing the security finding.

Track security testing coverage metrics.
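As an added example (not from this page or from Microsoft's documentation), an azure-pipelines.yml that runs the Microsoft Security DevOps task on pull requests and on every push to main, failing the build on error-level findings so that a build-validation branch policy on main blocks the merge. The file name, branch name and category list are assumptions; the task inputs are those the MicrosoftSecurityDevOps extension exposes.

```yaml
# Added example azure-pipelines.yml (assumed file name) for A.8.29.
# Runs on every push to main and on every pull request targeting main.
# A build-validation branch policy on main references this pipeline,
# so a pull request cannot merge until the scan step succeeds.
trigger:
  branches:
    include:
      - main

pr:
  branches:
    include:
      - main

pool:
  vmImage: 'windows-latest'

steps:
  - checkout: self
    fetchDepth: 0   # full history so secret scanning covers every commit

  - task: MicrosoftSecurityDevOps@1
    displayName: 'Defender for DevOps: SAST, IaC, secrets and dependency scan'
    inputs:
      # Categories assumed for this example; they cover the SAST and
      # dependency-scanning requirement in the control text.
      categories: 'code,secrets,artifacts,IaC,containers'
      # break: true fails this step when error-level (high-severity)
      # findings are reported; that failure is what lets the branch
      # policy block the merge instead of only annotating the PR.
      break: true
      # Publish the SARIF results as a build artifact: this is the
      # evidence an auditor reviews (Evidence Source: Azure DevOps).
      publish: true
      artifactName: 'CodeAnalysisLogs'

# Branch policy (configured once in the portal, not in this file):
# Repos > Branches > main > Branch policies > Build validation, pointing
# at this pipeline with "Required" so the merge is blocked until the
# scan step above passes on the pull request's source branch.
```

The build-validation policy, not the pipeline alone, is what enforces the acceptance criterion; a pipeline that fails but is not a required policy still allows the merge.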

What an auditor looks for

Auditors will verify that Defender for DevOps is integrated into Azure Pipelines with SAST and dependency scanning. They will check that branch policies block merges when high-severity vulnerabilities are detected. Auditors will verify that security acceptance criteria are defined and enforced.

They will check annual penetration test reports for critical applications. Auditors will verify security testing results are documented in Azure DevOps. They will check vulnerability remediation verification evidence and security testing coverage metrics.