Table of contents
- ISO 27002 Application Security Requirements
- What is ISO 27002:2022 Control 8.26?
- Definition of ISO 27002 Control 8.26
- Purpose of ISO 27002 Control 8.26
- Ownership of ISO 27002 Control 8.26
- Compliance Guidance
- Supplementary Guidance on ISO 27002 Control 8.26
- Changes and Differences to ISO 27002:2013
- ISO 27002 Control 8.26 FAQ
- ISO 27002 Control 8.26 Attributes Table
ISO 27002 Application Security Requirements
Application Security Requirements emphasises the importance of integrating security considerations throughout the entire application lifecycle, adhering to the principle of “security by design and default.”
This control requires organisations to:
- Identify and specify: Clearly define the specific information security requirements for all applications.
- Approve security requirements: Ensure that all security requirements are formally approved before development or acquisition commences.
By proactively incorporating security requirements into the application development process, organisations can significantly enhance the security and resilience of their applications.
What is ISO 27002:2022 Control 8.26?
ISO 27002 Control 8.26 Application Security Requirements provides guidance on how to implement ISO 27001 Annex A 8.26.
Definition of ISO 27002 Control 8.26
ISO 27002 defines Control 8.26 as: Organisations must identify, specify, and approve all information security requirements before developing or acquiring any new applications.
Purpose of ISO 27002 Control 8.26
This is a preventive control that helps to reduce security vulnerabilities by ensuring all information security requirements are identified and addressed during application development and acquisition.
Ownership of ISO 27002 Control 8.26
The Chief Information Security Officer (CISO), supported by information security specialists, is responsible for identifying, approving, and implementing information security requirements for the acquisition, use, and development of applications.
Compliance Guidance
Identifying and Specifying Application Security Requirements
Foundation
- Application security requirements must be clearly identified and specified.
- A thorough risk assessment is crucial for determining these requirements.
- Information security specialists should be actively involved in this process.
Scope
Security requirements should encompass a wide range of aspects, depending on the application’s purpose and criticality.
Key Considerations:
Authentication and Authorisation:
- Define and implement robust authentication and authorisation mechanisms.
- Determine the appropriate level of trust in user identities.
Data Protection:
- Classify data based on sensitivity and implement appropriate protection measures (e.g., encryption, access controls).
- Ensure data confidentiality, integrity, and availability throughout the application lifecycle.
Vulnerability Mitigation:
- Address potential vulnerabilities such as SQL injection, cross-site scripting, and buffer overflows.
Legal and Regulatory Compliance:
- Ensure compliance with all relevant laws and regulations.
Privacy:
- Address the privacy concerns of all parties involved.
Technical Considerations:
- Input/Output Controls: Implement input validation, data sanitisation, and secure output controls.
- Automated Controls: Utilise automated controls such as approval limits, dual approvals, and intrusion detection systems.
- Logging and Monitoring: Implement robust logging and monitoring capabilities to detect and respond to security incidents.
Business Process Considerations:
- Align security requirements with specific business needs and processes.
- Incorporate requirements for transaction logging, monitoring, and non-repudiation.
External Factors:
- Consider legal and regulatory requirements, industry best practices, and the security requirements of other relevant controls (e.g., logging, monitoring, and data leakage prevention).
Transactional Services
When developing applications that facilitate transactions between the organisation and external partners, the following security requirements should be carefully considered:
Identity and Trust
Establish and maintain appropriate levels of trust in the claimed identities of both parties involved in the transaction.
Data Integrity
Ensure the integrity of all information exchanged or processed during the transaction.
Implement mechanisms to detect and prevent data corruption or tampering (e.g., cyclic redundancy checks, hashing, digital signatures).
Authorisation and Approval
Define and implement clear authorisation processes for approving the content, issuance, and signing of key transactional documents.
Data Confidentiality
Maintain the confidentiality of sensitive transactional information, such as order details, delivery addresses, and payment information.
Non-Repudiation
Implement mechanisms to ensure non-repudiation of transactions, such as proof of dispatch and receipt of key documents.
Data Retention
Determine and implement appropriate data retention policies for confidential transactional information.
Legal and Contractual Requirements
Ensure compliance with all relevant legal, regulatory, and contractual obligations, including insurance requirements.
Electronic Ordering and Payment Applications
When developing applications that involve electronic ordering and payment, the following must be addressed:
Order Information Security
Maintain the confidentiality and integrity of all order information.
Payment Information Verification
Implement appropriate verification procedures to ensure the accuracy and authenticity of customer-supplied payment information.
Transaction Integrity
Prevent the loss or duplication of transaction information.
Secure Data Storage
Store transaction details in secure, non-publicly accessible environments (e.g., on the organisational intranet).
Trusted Authority Integration
If a trusted authority is used (e.g., for digital certificates), ensure that security is integrated throughout the entire certificate or signature management process.
Cryptography
Utilise cryptographic techniques (see 8.24) to protect data confidentiality, integrity, and authenticity.
Legal and Regulatory Compliance
Adhere to all relevant legal and regulatory requirements related to electronic transactions and data protection (refer to 5.31-5.36 for specific guidance on cryptography legislation).
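The integrity, non-repudiation, proof-of-receipt and anti-duplication requirements listed under Transactional Services and Electronic Ordering and Payment Applications, shown together in one added Go example that is not from the standard or this page; the Order layout, the use of Ed25519 as the signature scheme, and the in-memory id registry are assumptions. The sender signs each order, the receiver verifies origin and integrity, rejects a replayed or duplicated transaction id, and answers with its own signature over the accepted bytes as proof of receipt.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Order is the transactional document exchanged between the parties (constructed fields).
type Order struct {
	ID     string `json:"id"`     // unique per transaction; used to reject duplicates and replays
	Buyer  string `json:"buyer"`
	Amount int    `json:"amount"` // minor currency units
}

// Sign returns the canonical order bytes and the sender's signature over them:
// tampering is detected on receipt and the sender cannot deny having issued the order.
func Sign(priv ed25519.PrivateKey, o Order) (payload, sig []byte, err error) {
	payload, err = json.Marshal(o)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Receiver verifies incoming orders and remembers which ids it has already processed.
type Receiver struct {
	SenderPub ed25519.PublicKey
	Priv      ed25519.PrivateKey // receiver's own key, used to sign receipts
	seen      map[string]bool
}

// Accept verifies origin and integrity, rejects duplicate/replayed ids, and returns a signed receipt.
func (r *Receiver) Accept(payload, sig []byte) ([]byte, error) {
	if !ed25519.Verify(r.SenderPub, payload, sig) {
		return nil, errors.New("signature invalid: tampered or unknown sender")
	}
	var o Order
	if err := json.Unmarshal(payload, &o); err != nil {
		return nil, err
	}
	if r.seen == nil {
		r.seen = map[string]bool{}
	}
	if r.seen[o.ID] {
		return nil, errors.New("duplicate or replayed transaction " + o.ID)
	}
	r.seen[o.ID] = true
	return ed25519.Sign(r.Priv, payload), nil
}
```

In production the seen-id registry would live in durable storage shared by all instances, otherwise a restart or a second node re-opens the duplication window.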
Supplementary Guidance on ISO 27002 Control 8.26
Network-accessible applications face unique security challenges, including fraudulent activities, contract disputes, data breaches, and transmission errors (e.g., incomplete transmission, misrouting, unauthorised message alteration, duplication, or replay). Thorough risk assessments and careful selection of controls are essential to mitigate these risks. Cryptographic methods are often crucial for authentication and secure data transfer. Further guidance on application security can be found in the ISO/IEC 27034 series.
Changes and Differences to ISO 27002:2013
Key Differences between ISO 27002:2013 and 2022 (Control 8.26)
Scope Expansion:
2013 focused on applications passing through public networks.
2022 broadens the scope to encompass security requirements for all applications.
Enhanced Guidance:
2022 provides more comprehensive guidance, including specific considerations for Electronic Ordering and Payment Applications: Data integrity, payment verification, secure data storage, and compliance with relevant regulations.
New Considerations:
2022 introduces the importance of considering contractual and insurance requirements for transactional services, which was not addressed in the 2013 version.
These enhancements in ISO 27002:2022 reflect the evolving security landscape and the need for a more comprehensive and adaptable approach to application security.
ISO 27002 Control 8.26 FAQ
ISO 27001 Annex A 8.26 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 8.26 is the implementation guidance for the control.
Yes, Separation of Development, Test and Production Environments is a required information security control for ISO 27001 certification.
ISO 27002 Control 8.26 Attributes Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
---|---|---|---|---
Preventive | Confidentiality, Integrity, Availability | Protect | Application Security, System and Network Security | Protection, Defence