The basics
ISO 27001 control A.8.26 Application security requirements requires companies to define information security requirements for the development or acquisition of software. This matters because, without clear security requirements set up front, security can easily be overlooked while purchasing or developing software.
Documentation
ISO 27001 control A.8.26 Application security requirements can be documented through a Security Requirements Specification. In most cases, no separate policy or procedure is needed for this control.
This document is not mandatory, but it is recommended.
Implementation
In order to comply with control A.8.26 Application security requirements, you might implement the following:
- Technology — the technology needed to identify and manage security requirements will in most cases already be available in the company. Small companies will probably be able to identify and manage security requirements using office applications (e.g., business case documents or requirements spreadsheets), while bigger companies may use collaboration tools that allow developers to work on requirements simultaneously.
- Organization/processes — you should define a process for identifying security requirements and for integrating them into the early stages of software development (or of procurement, for acquired software). You can document that process in a Secure Development Policy and record the identified requirements in a Security Requirements Specification, where they can be tracked and managed.
- People — make employees aware of why defining and managing security requirements is needed, and train developers on how to identify and manage security requirements.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.26 Application security requirements: whether information security requirements were defined and considered for acquired and/or developed software.
This is what the auditor will be looking for; if such evidence is not found, it is treated as a nonconformity.