ISO 27002 Application Security Requirements


Application Security Requirements emphasises the importance of integrating security considerations throughout the entire application lifecycle, adhering to the principle of “security by design and default.”

This control requires organisations to:

  • Identify and specify: Clearly define the specific information security requirements for all applications.
  • Approve security requirements: Ensure that all security requirements are formally approved before development or acquisition commences.

By proactively incorporating security requirements into the application development process, organisations can significantly enhance the security and resilience of their applications.

What is ISO 27002:2022 Control 8.26?

ISO 27002 Control 8.26 Application Security Requirements provides implementation guidance for ISO 27001 Annex A 8.26.

Definition of ISO 27002 Control 8.26

ISO 27002 defines Control 8.26 as follows: organisations must identify, specify, and approve all information security requirements before developing or acquiring any new applications.

Purpose of ISO 27002 Control 8.26

This is a preventive control that helps to reduce security vulnerabilities by ensuring all information security requirements are identified and addressed during application development and acquisition.

Ownership of ISO 27002 Control 8.26

The Chief Information Security Officer (CISO), supported by information security specialists, is responsible for identifying, approving, and implementing information security requirements for the acquisition, use, and development of applications.

Compliance Guidance

Identifying and Specifying Application Security Requirements

Foundation

  • Application security requirements must be clearly identified and specified.
  • A thorough risk assessment is crucial for determining these requirements.
  • Information security specialists should be actively involved in this process.

Scope

Security requirements should encompass a wide range of aspects, depending on the application’s purpose and criticality.

Key Considerations:

Authentication and Authorisation:

  • Define and implement robust authentication and authorisation mechanisms.
  • Determine the appropriate level of trust in user identities.

Data Protection:

  • Classify data based on sensitivity and implement appropriate protection measures (e.g., encryption, access controls).
  • Ensure data confidentiality, integrity, and availability throughout the application lifecycle.

Vulnerability Mitigation:

  • Address potential vulnerabilities such as SQL injection, cross-site scripting, and buffer overflows.

Legal and Regulatory Compliance:

  • Ensure compliance with all relevant laws and regulations.

Privacy:

Address the privacy concerns of all parties involved.

Technical Considerations:

  • Input/Output Controls: Implement input validation, data sanitisation, and secure output controls.
  • Automated Controls: Utilise automated controls such as approval limits, dual approvals, and intrusion detection systems.
  • Logging and Monitoring: Implement robust logging and monitoring capabilities to detect and respond to security incidents.

Business Process Considerations:

Align security requirements with specific business needs and processes.

Incorporate requirements for transaction logging, monitoring, and non-repudiation.

External Factors:

Consider legal and regulatory requirements, industry best practices, and the security requirements of other relevant controls (e.g., logging, monitoring, and data leakage prevention).

Transactional Services

When developing applications that facilitate transactions between the organisation and external partners, the following security requirements should be carefully considered:

Identity and Trust

Establish and maintain appropriate levels of trust in the claimed identities of both parties involved in the transaction.

Data Integrity

Ensure the integrity of all information exchanged or processed during the transaction.

Implement mechanisms to detect and prevent data corruption or tampering (e.g., cyclic redundancy checks, hashing, digital signatures).

Authorisation and Approval

Define and implement clear authorisation processes for approving the content, issuance, and signing of key transactional documents.

Data Confidentiality

Maintain the confidentiality of sensitive transactional information, such as order details, delivery addresses, and payment information.

Non-Repudiation

Implement mechanisms to ensure non-repudiation of transactions, such as proof of dispatch and receipt of key documents.

Data Retention

Determine and implement appropriate data retention policies for confidential transactional information.

Legal and Contractual Requirements

Ensure compliance with all relevant legal, regulatory, and contractual obligations, including insurance requirements.

Electronic Ordering and Payment Applications

When developing applications that involve electronic ordering and payment, the following must be addressed:

Order Information Security

Maintain the confidentiality and integrity of all order information.

Payment Information Verification

Implement appropriate verification procedures to ensure the accuracy and authenticity of customer-supplied payment information.

Transaction Integrity

Prevent the loss or duplication of transaction information.

Secure Data Storage

Store transaction details in secure, non-publicly accessible environments (e.g., on the organisational intranet).

Trusted Authority Integration

If a trusted authority is used (e.g., for digital certificates), ensure that security is integrated throughout the entire certificate or signature management process.

Cryptography

Utilise cryptographic techniques (see 8.24) to protect data confidentiality, integrity, and authenticity.

Adhere to all relevant legal and regulatory requirements related to electronic transactions and data protection (see 5.31 to 5.36, e.g. cryptography legislation).

Supplementary Guidance on ISO 27002 Control 8.26

Network-accessible applications face unique security challenges, including fraudulent activities, contract disputes, data breaches, and transmission errors (e.g., incomplete transmission, misrouting, unauthorised message alteration, duplication, or replay). Thorough risk assessments and careful selection of controls are essential to mitigate these risks. Cryptographic methods are often crucial for authentication and secure data transfer. Further guidance on application security can be found in the ISO/IEC 27034 series.

Changes and Differences to ISO 27002:2013

Key Differences between ISO 27002:2013 and 2022 (Control 8.26)

Scope Expansion:

2013 focused on applications passing through public networks.
2022 broadens the scope to encompass security requirements for all applications.

Enhanced Guidance:

2022 provides more comprehensive guidance, including specific considerations for Electronic Ordering and Payment Applications: Data integrity, payment verification, secure data storage, and compliance with relevant regulations.

New Considerations:

2022 introduces the importance of considering contractual and insurance requirements for transactional services, which was not addressed in the 2013 version.

These enhancements in ISO 27002:2022 reflect the evolving security landscape and the need for a more comprehensive and adaptable approach to application security.

ISO 27002 Control 8.26 FAQ

What is the difference between ISO 27001 Annex A 8.26 and ISO 27002 Control 8.26?

ISO 27001 Annex A 8.26 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.26 is the implementation guidance for the control.

Is Separation of Development, Test and Production Environments required for ISO 27001 certification?

Yes, Separation of Development, Test and Production Environments is a required information security control for ISO 27001 certification.

ISO 27002 Control 8.26 Attributes Table

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Application Security, System and Network Security
Security domains: Protection, Defence
