Ensuring the security of products and infrastructure is part of the TL9000 requirements. The ISO standards on information security can be a helpful reference for organizations and auditors. ISO 27001 provides a list of security controls (Annex A); ISO 27002 provides implementation guidance for those controls. Organizations can pick and choose the controls relevant to their products and/or services.
Key words in TL9000 (section 7.1) related to security are:
- Security risk assessment by identifying threats and vulnerabilities
- Product design should consider safeguards against such threats and vulnerabilities
- Implement operational controls in the operational environment
- Include security risk assessment in the change control process
Here are some commonly used controls from ISO 27001:2013 Annex A that can be helpful for organizations implementing TL9000. Most of these controls are simple common sense; you do not need a security or IT expert to implement them.
For questions, contact Subrata Guha.