Theme: Technological | Control type: Preventive, Detective | Cybersecurity concepts: Identify

A.8.30 Outsourced Development

M365 Admin Path: Azure DevOps > Project Settings > Permissions

Evidence Source: Azure DevOps and Manual

What is this control?

ISO 27001 control A.8.30 Outsourced Development ensures that the organisation directs, monitors, and reviews the activities related to outsourced system development. The control applies information security requirements to outsourced developers through contractual obligations, supplier due diligence per A.5.19, code review requirements, security testing obligations, and intellectual property protection aligned with internal development standards.

How to implement in Microsoft 365

Implement A.8.30 by applying A.5.19 supplier due diligence to all outsourced development vendors, verifying their security certifications and practices. Include security requirements in development contracts covering secure coding standards, code review, security testing, vulnerability remediation SLAs, and IP protection. Grant outsourced developers access via B2B guest accounts with time-limited Access Packages.
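The time-limited access requirement above can be checked mechanically against the Access Package assignments held by outsourced developers. The following is an added example, not code from the page or from Microsoft; the record shape (`state`, `target.email`, `schedule.expiration`) is an assumption modelled on an Entra ID entitlement-management access package assignment, the 90-day ceiling is an assumed organisational limit, and the assignments are constructed sample data.

```python
"""Flag outsourced-developer access package assignments that are not time-limited.

Added example. Record shape is an assumption modelled on an Entra ID
entitlement-management access package assignment; values are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumed organisational ceiling for a single vendor assignment (not from the page).
MAX_ASSIGNMENT_DAYS = 90

# Constructed sample assignments (ids, addresses and dates are invented).
SAMPLE_ASSIGNMENTS = [
    {"id": "asg-1", "state": "delivered",
     "target": {"email": "dev1@vendor-a.example"},
     "schedule": {"expiration": {"type": "afterDateTime",
                                 "endDateTime": "2024-03-15T00:00:00Z"}}},
    {"id": "asg-2", "state": "delivered",
     "target": {"email": "dev2@vendor-a.example"},
     "schedule": {"expiration": {"type": "noExpiration"}}},
    {"id": "asg-3", "state": "delivered",
     "target": {"email": "dev3@vendor-b.example"},
     "schedule": {"expiration": {"type": "afterDateTime",
                                 "endDateTime": "2024-12-31T00:00:00Z"}}},
    {"id": "asg-4", "state": "delivered",
     "target": {"email": "dev4@vendor-b.example"},
     "schedule": {"expiration": {"type": "afterDateTime",
                                 "endDateTime": "2023-12-01T00:00:00Z"}}},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_assignments(assignments, now: datetime, max_days: int = MAX_ASSIGNMENT_DAYS):
    """Return a list of (assignment id, email, finding) tuples for assignments
    that fail the time-limited-access requirement. An empty list means all pass."""
    findings = []
    for a in assignments:
        if a.get("state") != "delivered":
            continue  # only delivered (active) assignments grant access
        exp = a.get("schedule", {}).get("expiration", {})
        email = a.get("target", {}).get("email", "?")
        if exp.get("type") != "afterDateTime" or "endDateTime" not in exp:
            findings.append((a["id"], email, "no expiry set"))
            continue
        end = parse_ts(exp["endDateTime"])
        if end <= now:
            # Expired assignments should have been removed; still 'delivered' is a gap.
            findings.append((a["id"], email, "expired but still delivered"))
        elif end - now > timedelta(days=max_days):
            findings.append((a["id"], email, f"expiry more than {max_days} days out"))
    return findings


def review_sample():
    """Run the review against the constructed sample at a fixed point in time."""
    return review_assignments(SAMPLE_ASSIGNMENTS, datetime(2024, 2, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for assignment_id, email, finding in review_sample():
        print(assignment_id, email, finding)
```

In practice the assignment list would come from the entitlement management API and the output would be attached to the A.8.30 evidence pack alongside the vendor due diligence records; passing `now` explicitly keeps the check reproducible for an auditor re-running it later.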

Require code submission to the organisation’s Azure DevOps with branch policies enforcing security scans. Review outsourced code via internal security review before merge to main. Monitor outsourced developer activity via Sentinel B2B logging.
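The branch policy requirement above is what an auditor will re-check, so it helps to have a script that evaluates the policies protecting `main` rather than relying on a screenshot. The following is an added example, not code from the page or from Microsoft: the policy record shape and the policy type display names (`Minimum number of reviewers`, `Build`) are assumptions modelled on the Azure DevOps policy configurations REST response, and the repository ids and settings are constructed sample data.

```python
"""Audit Azure DevOps branch policies on main for repositories that receive
outsourced code.

Added example. Record shape and policy type display names are assumptions
modelled on the policy configurations REST response; sample values are constructed.
"""
import json

MAIN = "refs/heads/main"

# Constructed sample response (repository ids, policy ids and settings invented).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": 1, "isEnabled": True, "isBlocking": True,
     "type": {"displayName": "Minimum number of reviewers"},
     "settings": {"minimumApproverCount": 2, "creatorVoteCounts": False,
                  "resetOnSourcePush": True,
                  "scope": [{"repositoryId": "repo-vendor-a", "refName": MAIN, "matchKind": "Exact"}]}},
    {"id": 2, "isEnabled": True, "isBlocking": True,
     "type": {"displayName": "Build"},
     "settings": {"buildDefinitionId": 42, "displayName": "security-scan",
                  "scope": [{"repositoryId": "repo-vendor-a", "refName": MAIN, "matchKind": "Exact"}]}},
    {"id": 3, "isEnabled": True, "isBlocking": False,
     "type": {"displayName": "Minimum number of reviewers"},
     "settings": {"minimumApproverCount": 1, "creatorVoteCounts": True,
                  "resetOnSourcePush": False,
                  "scope": [{"repositoryId": "repo-vendor-b", "refName": MAIN, "matchKind": "Exact"}]}},
    {"id": 4, "isEnabled": False, "isBlocking": True,
     "type": {"displayName": "Build"},
     "settings": {"buildDefinitionId": 43, "displayName": "security-scan",
                  "scope": [{"repositoryId": "repo-vendor-b", "refName": MAIN, "matchKind": "Exact"}]}},
]})


def applies_to(policy, repo_id, ref=MAIN):
    """True if any scope entry of the policy covers `ref` in `repo_id`.
    A scope entry without a repositoryId is treated as project-wide."""
    for s in policy.get("settings", {}).get("scope", []):
        if s.get("repositoryId") not in (None, repo_id):
            continue
        name = s.get("refName") or ""
        kind = (s.get("matchKind") or "Exact").lower()
        if kind == "exact" and name == ref:
            return True
        if kind == "prefix" and ref.startswith(name):
            return True
    return False


def audit_main_branch(response_json, repo_id):
    """Evaluate the enabled policies on main for one repository and return
    {"repository", "compliant", "findings"}; an empty findings list is compliant."""
    active = [p for p in json.loads(response_json)["value"]
              if p.get("isEnabled") and applies_to(p, repo_id)]
    findings = []
    reviewers = [p for p in active if p["type"]["displayName"] == "Minimum number of reviewers"]
    builds = [p for p in active if p["type"]["displayName"] == "Build"]

    if not reviewers:
        findings.append("no reviewer policy on main")
    for p in reviewers:
        s = p["settings"]
        if not p.get("isBlocking"):
            findings.append("reviewer policy is optional, not blocking")
        if s.get("minimumApproverCount", 0) < 1:
            findings.append("minimum approver count is zero")
        if s.get("creatorVoteCounts"):
            # Outsourced authors must not be able to approve their own change.
            findings.append("PR author's own vote counts toward approval")
        if not s.get("resetOnSourcePush"):
            findings.append("approvals are not reset when new commits are pushed")
    # The security scan must be a blocking build validation, not merely enabled.
    if not any(p.get("isBlocking") for p in builds):
        findings.append("no blocking build validation (security scan) on main")
    return {"repository": repo_id, "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for repo in ("repo-vendor-a", "repo-vendor-b"):
        print(json.dumps(audit_main_branch(SAMPLE_RESPONSE, repo), indent=2))
```

The check is deliberately strict about `resetOnSourcePush` and `creatorVoteCounts`: without them an internal reviewer's approval can be carried over onto commits pushed after the review, which defeats the "review before merge" requirement for outsourced code. Disabled policies are ignored, so a scan that is configured but switched off is reported as missing.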

What an auditor looks for

Auditors will verify that supplier due diligence has been completed for outsourced development vendors. They will check that development contracts include security requirements for coding, testing, and IP protection. Auditors will verify that outsourced developers use B2B guest accounts with time-limited access.

They will check that code submissions go through the organisation’s Azure DevOps with security scans. Auditors will verify that internal security review occurs before merge of outsourced code. They will check Sentinel monitoring of outsourced developer activity.