Table of contents
What is ISO 27001 Application Security Requirements?
ISO 27001 Annex A 8.26 Application Security Requirements is an ISO 27001 control that requires us to identify, specify and approve information security requirements when we develop or acquire applications. You may hear the term – ‘security by design and default’.
Purpose
ISO 27001 Annex A 8.26 is a preventive control to ensure all information security requirements are identified and addressed when developing or acquiring applications.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.26 as:
Information security requirements should be identified, specified and approved when developing or acquiring applications.
ISO27001:2022 Annex A 8.26 Application Security Requirements
Implementation Guide
Whilst I am a software engineering degree educated and time served professional, I am not in the business of telling you how to develop either systems or software. These are professions in their own right. Time has moved on. What I am going to do is show you want the ISO 27001 standard expects in the implementation for you to achieve ISO 27001 certification. These are on the whole, no brainers, common sense and what you would expect but let us take a look anyway.
DO IT YOURSELF
ISO 27001
Secure Development Policy
If you are developing software then the first step is to create, or download, your secure development policy. The secure development policy set’s out what you do for information security in the context of software and systems development. It does not set out how you do it, as how you do it is covered in your processes.
The ISO 27001 Template is the quickest way to do this but you can also take a look and write it yourself.
For more detail on software development read – ISO 27001 Annex A 8.25 Secure Development Life Cycle. We cover it in more detail in that guide.
Application Security Requirements
The requirements of the application security are going to be specific to you but the standard makes recommendations on what to consider and decide if applicable or not. From this list, and others, choose what is applicable and be in a position to defend if something is on the list and you do not have it, why you do not have it.
- Access Control
- Information Classification
- Segregation of Duty and Access
- Resilience such as ability to repel malicious attacks
- Legal, regulatory and contractual Requirements
- Privacy
- Data Protection
- Protection of data that is processed, stored or transmitted
- Input Validation
- Output Validation
- Use and Restrictions on ‘open text’ fields allowing unrestricted input
- Logging and Monitoring
- Non Reputation
- The requirements of other Annex A controls on your Statement Of Applicability (SOA)
Transactional Services
Additional guidance is given for consideration in situations where you have applications that offer transactional services between organisations and partners.
Those requirements include the above and in addition:
- Authorisation Processes and Levels
- Non Repudation
- Physical Transfers of Media and Documents
- Data Retention Periods
- Insurance
- Contractual Requirements
- End of Contract / Relationship
Payment and Ordering Applications
Payments on card are covered under the PCI DSS so if this is something you do then this is a standard that will apply and be checked as being in place.
You should follow all legal and regulatory requirements for this kind of data and this is covered extensively in laws and regulations. Seek the help of a legal professional if you are unsure to understand what those requirements are.
From an ISO 27001 perspective the appropriate implementation of cryptography will be considered but know that requirements are greater than ISO 27001 in this space.
Conclusion
There is actually nothing specific in this control that is not covered in other controls. This control basically says, yes, all the other controls apply to applications as well.
It is telling you, just because you are buying applications or building them, don’t discount the wider requirements of Annex A.