Skip to navigation Skip to main content Skip to footer

28 September 2023

ISO/IEC 27001:2022 - Requirement for Software Escrow

ISO/IEC 27001:2022


As digital transformation continues to accelerate, operational resilience has become increasingly crucial for businesses. With increased reliance on third-party providers and outsourced IT solutions, coupled with the ever-present risk of digital threats and other sources of business interruption, regulatory bodies are implementing new standards and guidelines that demand access to critical software source code and data.

The internationally recognised International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 for Information Security Management Systems (ISMS) has been updated to reflect these changes.

What is ISO/IEC 27001?

ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS.

The ISO/IEC 27001 standard provides companies of any size and from all sectors with guidance for establishing, implementing, maintaining, and continually improving an information security management system.

By achieving ISO/IEC 27001 certification, businesses demonstrate they have put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles included in this International Standard.

ISO/IEC 27001:2022 and Annex A Control 8.30

In October 2022, ISO/IEC 27001:2022 – the newest version of ISO 27001 was published. Specified within the published changes, organizations certified to ISO/IEC 27001:2013 have until October 31, 2025 to update their information security management system (ISMS).

The standard has been updated to reflect the changing landscape of technology and information security to ensure that organizations can protect their data and assets.

Some new updates to this iteration include a major change to Annex A which refers to changes to the security controls.

Annex A 8.30 outsourced development, now includes the following guidance:

1. “Ensure that the source code of the software is protected by escrow agreements. For example, it may address what will happen if the external supplier ceases to operate.”

2. “Maintaining evidence that adequate testing has been conducted to address identified vulnerabilities.”

To mitigate the risks associated with potential supply chain issues such as software supplier failure, and to ensure business continuity in the event of system disruption, regulators and policymakers are recognising the importance of software escrow agreements.

What exactly are Software Escrow Agreements?

When it comes to managing third-party risk and putting in place the required legally-binding agreements with suppliers, escrow agreements are a tried and tested method with regulators globally recommending software escrow as a key practical solution.

 A Software Escrow Agreement can strengthen a firm’s operational resilience and support compliance with ISO/IEC 27001:2022 by guaranteeing access to software source code in the event of service provider failure. We store source code, critical data, and other important materials necessary to support an application in the long-term. These materials are stored in our highly secure vaults and ensures that they can be accessed and retrieved when required.

What is Escrow Verification?

Software Escrow Verification is implemented to strengthen the Escrow Agreement and helps demonstrate to auditors that the business continuity plans have been tested and are effective. It validates the accuracy and usability of the materials held under the agreement and gives a firm the knowledge required to execute their continuity plan accordingly. The technical documentation produced following the verification enables a firm to redeploy and maintain the third-party application, without additional support from the service provider.

Our software escrow services help businesses prepare for any type of software disruption in any business-critical environment – whether it’s on-premise, software as a service, embedded software or IoT. Implementing software escrow measures such as Escrow agreements and Verification with all third-party software suppliers provides institutions reliant on outsourced software with the necessary materials to engage with an alternative third-party to rebuild out an outsourced service.

Get in touch with our team to learn more about our software escrow services and how we can assist with ISO 27001:2022 requirements. 

Interested in learning more about our Software Escrow Services?

Skip to navigation Skip to main content Skip to footer