Cancel or suspend system development projects if the benefits do not outweigh the disadvantages.


CONTROL ID: 06905
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Evaluate system development projects for compliance with the system requirements specifications. (CC ID: 06903)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The risk of developing insecure solutions should be minimised by cancelling systems development and installation activities if security requirements cannot be met satisfactorily (e.g., the discovery of significant vulnerabilities in systems). (CF.17.03.05b, The Standard of Good Practice for Information Security)
  • The risk of developing insecure solutions should be minimised by cancelling systems development and installation activities if security requirements cannot be met satisfactorily (e.g., the discovery of significant vulnerabilities in systems). (CF.17.03.05b, The Standard of Good Practice for Information Security, 2013)
  • The organization shall cancel or suspend projects when the disadvantages or risks outweigh the benefits of continuing the investment and agreements permit this action. (§ 6.2.3.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The governing body should assess its intended use of AI as part of its risk appetite. Risk can change rapidly. New insights and a proactive approach provide an organization with the means to respond to risk. The organization should therefore demonstrate willingness to modify or abort projects, if de… (§ 4.2 ¶ 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)