ISO 27001 A.8.27: Secure system architecture and engineering principles
What This Control Requires
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
In Plain Language
Bolt-on security is brittle security. If your systems are not designed with security principles from the ground up, you end up layering band-aids over architectural weaknesses that should have been addressed in the design phase.
Secure engineering principles are the high-level guidelines that shape design decisions across every project. Defence in depth, least privilege, fail secure, separation of duties, economy of mechanism, complete mediation, secure defaults - these are not abstract concepts. They are practical rules that, when consistently applied, prevent entire classes of vulnerabilities.
The key word is "consistently." Auditors want to see documented principles, evidence that teams know about them, and proof that they are actually applied across projects through design reviews and security assessments.
How to Implement
Document a set of secure engineering principles that all development must follow. The essentials:
Defence in depth - layer multiple controls so a single failure does not compromise everything. Least privilege - grant the minimum access needed for users, processes, and systems. Fail secure - when something breaks, it should deny access, not grant it. Separation of duties - split critical functions across different components and people. Economy of mechanism - keep security designs simple to shrink the attack surface. Complete mediation - check every access request rather than caching authorisation decisions. Secure defaults - systems should be locked down out of the box, requiring deliberate action to open up. Open design - security should not depend on keeping the design secret.
Turn these principles into practical reference architectures for your common system types (web applications, microservices, IoT). Include security patterns for authentication, authorisation, secure communications, error handling, and logging.
Bake secure engineering into the development workflow. Run security architecture reviews at the design stage. Use threat modelling to verify principles are properly applied. For significant projects, make security design review a gate before development starts.
Keep the principles alive. Review them annually and after significant security incidents. Fold in lessons from security testing and incident response. Update reference architectures as technology and threats evolve. Share best practices and case studies across teams.
Train all architects and developers on the principles and how to apply them in practice. Include secure architecture topics in training programmes. Provide mentoring and review support for complex security design decisions.
Evidence Your Auditor Will Request
- Documented secure engineering principles and guidelines
- Reference architectures embedding security principles
- Security architecture review records for recent projects
- Threat modeling records demonstrating principle application
- Developer and architect training records on secure engineering
Common Mistakes
- No documented secure engineering principles for the organization
- Principles exist but are not consistently applied across projects
- Security architecture reviews are not conducted during the design phase
- Development teams are not trained on secure engineering principles
- Principles are not updated to reflect current threats and technologies
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC8.1 | Related |
| GDPR | Art.25 | Related |
| NIS2 | Art.21(2)(e) | Partial overlap |
Frequently Asked Questions
What are the most important secure engineering principles?
How do we apply secure engineering in cloud-native development?
Track ISO 27001 compliance in one place
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.
Start Free Assessment