What is ISO27001 Application Security Requirements?

ISO27001 Annex A 8.26 Application Security Requirements is an ISO27001 control that requires us to identify, specify and approve information security requirements when we develop or acquire applications. You may hear the term – ‘security by design and default’.


ISO27001 Annex A 8.26 is a preventive control to ensure all information security requirements are identified and addressed when developing or acquiring applications.


The ISO27001 standard defines ISO27001 Annex A 8.26 as:

Information security requirements should be identified, specified and approved when developing or acquiring applications.

ISO27001:2022 Annex A ISO27001 Annex A 8.26 Application Security Requirements

Implementation Guide

Whilst I am a software engineering degree educated and time served professional, I am not in the business of telling you how to develop either systems or software. These are professions in their own right. Time has moved on. What I am going to do is show you want the ISO27001 standard expects in the implementation for you to achieve ISO27001 certification. These are on the whole, no brainers, common sense and what you would expect but let us take a look anyway.



Secure Development Policy

If you are developing software then the first step is to create, or download, your secure development policy. The secure development policy set’s out what you do for information security in the context of software and systems development. It does not set out how you do it, as how you do it is covered in your processes.

The ISO27001 Template is the quickest way to do this but you can also take a look and write it yourself.

ISO 27001 Secure Development Policy Template

For more detail on software development read – ISO27001 Annex A 8.25 Secure Development Life Cycle. We cover it in more detail in that guide.

Application Security Requirements

The requirements of the application security are going to be specific to you but the standard makes recommendations on what to consider and decide if applicable or not. From this list, and others, choose what is applicable and be in a position to defend if something is on the list and you do not have it, why you do not have it.

The basic guidance is, if you have an annex A control that is on your SOA then make sure that the application meets its requirements. Yes it is a catch all.

ISO27001 Ninja
  • Access Control
  • Information Classification
  • Segregation of Duty and Access
  • Resilience such as ability to repel malicious attacks
  • Legal, regulatory and contractual Requirements
  • Privacy
  • Data Protection
  • Protection of data that is processed, stored or transmitted
  • Input Validation
  • Output Validation
  • Use and Restrictions on ‘open text’ fields allowing unrestricted input
  • Logging and Monitoring
  • Non Reputation
  • The requirements of other Annex A controls on your Statement Of Applicability (SOA)

Transactional Services

Additional guidance is given for consideration in situations where you have applications that offer transactional services between organisations and partners.

Those requirements include the above and in addition:

  • Authorisation Processes and Levels
  • Non Repudation
  • Physical Transfers of Media and Documents
  • Data Retention Periods
  • Insurance
  • Contractual Requirements
  • End of Contract / Relationship

Payment and Ordering Applications

Payments on card are covered under the PCI DSS so if this is something you do then this is a standard that will apply and be checked as being in place.

You should follow all legal and regulatory requirements for this kind of data and this is covered extensively in laws and regulations. Seek the help of a legal professional if you are unsure to understand what those requirements are.

From an ISO27001 perspective the appropriate implementation of cryptography will be considered but know that requirements are greater than ISO27001 in this space.


There is actually nothing specific in this control that is not covered in other controls. This control basically says, yes, all the other controls apply to applications as well.

It is telling you, just because you are buying applications or building them, don’t discount the wider requirements of Annex A.