High Table ISO 27001 Logo

ISO 27001 Annex A 8.26 Application Security Requirements

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 8.26 Application Security Requirements
ISO27001 Annex A 8.26

Table of contents

What is ISO 27001 Application Security Requirements?

ISO 27001 Annex A 8.26 Application Security Requirements is an ISO 27001 control that requires us to identify, specify and approve information security requirements when we develop or acquire applications. You may hear the term – ‘security by design and default’.

Purpose

ISO 27001 Annex A 8.26 is a preventive control to ensure all information security requirements are identified and addressed when developing or acquiring applications.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.26 as:

Information security requirements should be identified, specified and approved when developing or acquiring applications.

ISO27001:2022 Annex A 8.26 Application Security Requirements

Implementation Guide

Whilst I am a software engineering degree educated and time served professional, I am not in the business of telling you how to develop either systems or software. These are professions in their own right. Time has moved on. What I am going to do is show you want the ISO 27001 standard expects in the implementation for you to achieve ISO 27001 certification. These are on the whole, no brainers, common sense and what you would expect but let us take a look anyway.

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

The Ultimate ISO 27001 Toolkit
ISO 27001 Toolkit Business Edition

Secure Development Policy

If you are developing software then the first step is to create, or download, your secure development policy. The secure development policy set’s out what you do for information security in the context of software and systems development. It does not set out how you do it, as how you do it is covered in your processes.

The ISO 27001 Template is the quickest way to do this but you can also take a look and write it yourself.

ISO 27001 Secure Development Policy Template

For more detail on software development read – ISO 27001 Annex A 8.25 Secure Development Life Cycle. We cover it in more detail in that guide.

Application Security Requirements

The requirements of the application security are going to be specific to you but the standard makes recommendations on what to consider and decide if applicable or not. From this list, and others, choose what is applicable and be in a position to defend if something is on the list and you do not have it, why you do not have it.

The basic guidance is, if you have an annex A control that is on your SOA then make sure that the application meets its requirements. Yes it is a catch all.

ISO 27001 Ninja
  • Access Control
  • Information Classification
  • Segregation of Duty and Access
  • Resilience such as ability to repel malicious attacks
  • Legal, regulatory and contractual Requirements
  • Privacy
  • Data Protection
  • Protection of data that is processed, stored or transmitted
  • Input Validation
  • Output Validation
  • Use and Restrictions on ‘open text’ fields allowing unrestricted input
  • Logging and Monitoring
  • Non Reputation
  • The requirements of other Annex A controls on your Statement Of Applicability (SOA)

Transactional Services

Additional guidance is given for consideration in situations where you have applications that offer transactional services between organisations and partners.

Those requirements include the above and in addition:

  • Authorisation Processes and Levels
  • Non Repudation
  • Physical Transfers of Media and Documents
  • Data Retention Periods
  • Insurance
  • Contractual Requirements
  • End of Contract / Relationship

Payment and Ordering Applications

Payments on card are covered under the PCI DSS so if this is something you do then this is a standard that will apply and be checked as being in place.

You should follow all legal and regulatory requirements for this kind of data and this is covered extensively in laws and regulations. Seek the help of a legal professional if you are unsure to understand what those requirements are.

From an ISO 27001 perspective the appropriate implementation of cryptography will be considered but know that requirements are greater than ISO 27001 in this space.

Conclusion

There is actually nothing specific in this control that is not covered in other controls. This control basically says, yes, all the other controls apply to applications as well.

It is telling you, just because you are buying applications or building them, don’t discount the wider requirements of Annex A.