Secure System Architecture and Engineering Principles - ISO 27001 Annex A Control
ISO 27001 Annex A 8.27
Architecture decides what security is possible - get it wrong early and you cannot fix it later.
Architecture choices made early in design constrain what security is possible later. A monolithic application with shared data access cannot be retrofitted with strong least-privilege controls without major rework. A system with no audit logging built in cannot have logging added without instrumenting every relevant action. The control asks for engineering principles that prevent these structural problems from happening in the first place.
Common principles include defence in depth, least privilege, separation of concerns, fail-safe defaults, least common mechanism, and complete mediation. Each addresses a recurring pattern of security failure. The principles work as a checklist applied during design rather than a set of products bought from a vendor.
Documentation matters because architecture is hard to evaluate without it. Where the architecture is documented and the principles are explicit, security review can confirm that the principles have been applied. Where the architecture exists only in the heads of the developers, review depends on interview rather than evidence and tends to be less reliable.
The architecture principle that gets violated most often in practice is least privilege at the database layer. A typical example is an application service account given full read-write access to every table because that is easier than maintaining granular permissions. When the application is later compromised, the attacker inherits that broad database access. Tighter database access takes more effort to set up, but it pays back many times over.
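The over-broad grant described above, beside a least-privilege alternative, as an added example that is not part of the original page or the alphaZ toolkit. It assumes PostgreSQL and a hypothetical schema with `customers`, `orders` and `audit_log` tables; the password placeholders are to be filled from a secret store.

```sql
-- Weak setting: one account with every privilege on every table.
-- If the application is compromised, this is the reach the attacker gets.
-- (Hypothetical schema; PostgreSQL syntax; passwords come from a secret store.)
CREATE ROLE app_service LOGIN PASSWORD '<from-secret-store>';
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app_service;

-- Corrected setting: remove the blanket grant, then give each application
-- function its own role holding only the statements that function issues.
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM app_service;

-- Order-taking path: reads customers, inserts and reads orders, nothing else.
CREATE ROLE order_api LOGIN PASSWORD '<from-secret-store>';
GRANT USAGE ON SCHEMA public TO order_api;
GRANT SELECT ON public.customers TO order_api;
GRANT INSERT, SELECT ON public.orders TO order_api;
GRANT USAGE ON SEQUENCE public.orders_id_seq TO order_api;

-- Audit log: append-only for the application. No UPDATE or DELETE is granted,
-- so a compromised order_api cannot rewrite its own trail.
GRANT INSERT ON public.audit_log TO order_api;

-- Reporting path: read-only, and only on the tables reports actually use.
CREATE ROLE report_reader LOGIN PASSWORD '<from-secret-store>';
GRANT USAGE ON SCHEMA public TO report_reader;
GRANT SELECT ON public.orders, public.customers TO report_reader;

-- Close a default gap: in releases before PostgreSQL 15, PUBLIC can CREATE
-- objects in schema public, which is more than any application role needs.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Review evidence: list what each role can do, table by table. The output is
-- the kind of record an architecture review can check against the principles.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('app_service', 'order_api', 'report_reader')
ORDER BY grantee, table_name, privilege_type;
```

Run the final SELECT before and after the change; the "before" listing shows one grantee with every privilege type, the "after" listing shows each role limited to its own tables and statements.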
Practical Compliance Guidance
System architecture principles are described in the IMS1 manual at section 8.5 alongside the Information Security Policy. Architecture documentation and review records provide the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the engineering principles applied to system development. Use as the source for the architectural baseline. |
Note - all the above files can be downloaded with an alphaZ subscription.
