A.8.29 Security Testing in Development and Acceptance
What is A.8.29 Security Testing in Development and Acceptance?
ISO 27001 control A.8.29 Security Testing in Development and Acceptance ensures that security testing processes are defined and implemented in the development lifecycle. The control requires automated security testing via Microsoft Defender for DevOps in CI/CD pipelines, manual penetration testing for critical applications, security acceptance criteria before production deployment, and vulnerability remediation verification.
How to implement A.8.29 in Microsoft 365
Implement A.8.29 by integrating Microsoft Defender for DevOps into Azure Pipelines for automated SAST, DAST, and dependency scanning on every build. Configure branch policies blocking merge when high-severity vulnerabilities are detected.
Define security acceptance criteria in Azure DevOps requiring no critical or high vulnerabilities before production. Conduct annual penetration testing of critical applications through a qualified third party.
Document security testing results in Azure DevOps test runs linked to work items. Verify vulnerability remediation before closing security findings. Track security testing coverage metrics.
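As an added example, not taken from the original page or from Microsoft, the pipeline definition below shows the first two steps in practice: the Microsoft Security DevOps task (the scanner behind Defender for DevOps) runs on every build and fails the step on error-level findings, and a "Build validation" branch policy on the protected branch (set under Repos > Branches > Branch policies) that requires this pipeline then blocks the merge. The branch name, agent image and artefact name are assumptions.

```yaml
# Added example (not from the original page): Azure Pipelines definition that
# gates merges on Microsoft Security DevOps (MSDO) scan results.
# Assumptions: "main" is the protected branch and ubuntu-latest agents are available.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # MSDO bundles SAST, secret, IaC and container analysers.
  # break: true fails this step, and therefore the run, when any error-level
  # (high severity) result is found. A "Build validation" branch policy on main
  # that requires this pipeline to succeed then blocks the merge, which is the
  # enforcement point an A.8.29 auditor asks to see.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps scan'
    inputs:
      break: true
      # publish: true attaches the SARIF results to the run as a build artefact,
      # so the test evidence survives alongside the gate decision (pass or fail).
      publish: true
      artifactName: 'CodeAnalysisLogs'   # assumed artefact name
```

The published SARIF artefact, linked from the build that the branch policy required, is the "test artefact plus gate" pairing that answers the evidence-without-test concern.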
What an auditor checks for A.8.29
- Auditors will verify Defender for DevOps is integrated into Azure Pipelines with SAST and dependency scanning.
- They will check branch policies block merge for high-severity vulnerabilities.
- Auditors will verify security acceptance criteria are defined and enforced.
- They will check annual penetration test reports for critical applications.
- Auditors will verify security testing results are documented in Azure DevOps.
- They will check vulnerability remediation verification evidence and security testing coverage metrics.
Evidence we surface for A.8.29
A.8.29 security-testing evidence reads the Microsoft Defender for Cloud DAST scan results, the security test report from Azure DevOps Test Plans, and the pipeline release-gate security configuration. Pre-production security testing is a control where evidence-without-test is common; we surface both the test artefact and the gate that prevented progression without it.