APP-001 Secure Development Lifecycle Policy
Description
A documented secure software development lifecycle (SDLC) policy exists, defining security activities required at each phase: requirements, design, development, testing, deployment, and maintenance. Security requirements are defined before development begins. The policy is reviewed at least annually.
Rationale
Security introduced late in the SDLC is expensive and incomplete. A formal SDLC policy ensures security is considered from inception rather than bolted on post-release.
Framework Mappings (5)
| Control | Title | Coverage |
| --- | --- | --- |
| AIS-01 | Application and Interface Security Policy and Procedures | full |
| AIS-04 | Secure Application Development Lifecycle | full |
| 8.25 | Secure development life cycle | full |
| SA-15 | Development Process, Standards, and Tools | partial |
| SA-3 | System Development Life Cycle | full |
Evidence (2)
Documented SDLC policy defining security activities required at each development phase, with the policy owner, effective date, and review cadence.
Example: Secure SDLC Policy document (PDF or Confluence page) with sections mapping to requirements, design, development, testing, deployment, and maintenance phases, showing the security gate or activity required at each phase. Document must show a named approver and an effective or last-reviewed date within the last 12 months.
Test: Request the SDLC policy document. Verify: (1) all six phases (requirements, design, development, testing, deployment, maintenance) have at least one defined security activity, (2) the document identifies a named owner, (3) the last-reviewed or next-review date is within 12 months, (4) the policy is communicated to the engineering team — request evidence such as a distribution record, onboarding checklist, or training record.
Annual review record confirming the SDLC policy was reviewed, updated if needed, and re-approved within the last 12 months.
Example: Jira review ticket, Confluence page version history, or document management system audit trail showing the SDLC policy was reviewed and approved by the named owner within the last 12 months, with any changes noted.
Test: Request the SDLC policy version history or review ticket. Verify: (1) a review was completed within the last 12 months, (2) the reviewer holds an appropriate role (e.g. Head of Engineering, CISO), (3) if changes were made, the updated policy was re-approved and communicated to affected staff.
Questions (2)
Does your organisation have a documented secure software development lifecycle (SDLC) policy that defines required security activities at each development phase?
The policy must cover all phases: requirements, design, development, testing, deployment, and maintenance. It should have a named owner, effective date, and defined review cadence.
How frequently is the secure SDLC policy reviewed and updated?
Annual review is the minimum. The policy should be updated whenever there is a significant change in development technology, tooling, or regulatory requirements.