ISO 27001:2022 Annex A 8.26 – Application Security Requirements

• See ISO 27002:2022 Control 8.26 for more information.
• See ISO 27001:2013 Annex A 14.1.2 for more information.
• See ISO 27001:2013 Annex A 14.1.3 for more information.

Understanding ISO 27001:2022 Annex A 8.26 – Application Security Essentials

Application software such as web apps, graphics programs, databases, and payment processing are essential to many business operations.

Applications are often vulnerable to security issues which can lead to the exposure of confidential data.

As an example, US-based credit bureau Equifax neglected to apply a security patch to the web application framework they employed to manage customer complaints. This neglect enabled cyber attackers to exploit the security weaknesses of the web application, infiltrate Equifax’s corporate networks and steal sensitive information from around 145 million people.

ISO 27001:2022 Annex A 8.26 outlines how organisations can implement and implement information security requirements for applications during their development, use, and acquisition. It ensures that security measures are integrated into the life cycle of applications.

Purpose of ISO 27001:2022 Annex A 8.26

ISO 27001:2022 Annex A 8.26 allows organisations to defend their data assets stored on or processed by applications through the recognition and application of appropriate information security specifications.

Ownership of Annex A 8.26

The Chief Information Security Officer, backed by information security experts, should undertake the identification, approval, and implementation of information demands relating to the acquisition, utilisation and development of applications.

General Guidance on ISO 27001:2022 Annex A 8.26 Compliance

Organisations should conduct a risk assessment to establish the necessary information security requirements for a particular application.

Content and types of information security requirements may differ dependent on the application, yet these should cover:

• Based on ISO 27001:2022 Annex A 5.17, 8.2, and 8.5, the level of trust assigned to a specific entity’s identity.
• Classification of the information assets to be saved or handled by the software must be identified.
• Is there a necessity to separate access to features and data stored on the app.
• Assess whether the application is robust against cyber penetrations like SQL injections or unintended interceptions like buffer overflow.
• Legally, regulatory and statutory requirements and standards must be met when dealing with transactions processed, generated, saved or finished by the app.
• Privacy is of utmost importance for all involved.
• Ensuring confidential data is safeguarded is essential.
• Ensuring the security of information when it is employed, transferred, or stored is paramount.
• It is essential that all relevant parties have secure encryption of their communications if necessary.
• Implementing input controls, like validating input and performing integrity checks, guarantees accuracy.
• Performing automated controls.
• Ensuring that access rights, as well as who can view outputs, are taken into account for output control.
• It is essential to impose limits on what can be included in “free-text” fields to guard against the unintentional distribution of confidential information.
• Regulatory requirements, such as those governing logging of transactions and non-repudiation.
• Other security controls may require adherence to specific requirements; for example, data leakage detection systems.
• How your organisation handles error messages.

Guidance on Transactional Services

ISO 27001:2022 Annex A 8.26 requires organisations to consider the following seven recommendations when providing transactional services between themselves and a partner:

• The degree of faith each party needs to have in the other’s identity is essential in any transaction.
• The trustworthiness of data sent or processed must be assured, and a suitable system to recognise any integrity deficits, including hashing and digital signatures, must be identified.
• The company must set up a system to determine who is authorised to approve, sign and sign off on critical transactional documents.
• Ensuring the secrecy and accuracy of essential documents, and verifying the transmission and reception of said documents.
• Preserving the confidentiality and accuracy of transactions, this could be orders and invoices.
• Requirements on how transactions must remain confidential for a specified period of time.
• Contractual obligations and insurance requirements needs must be fulfilled.

Guidance on Electronic Ordering and Payment Applications

Organisations should consider the following when incorporating payment and electronic ordering capabilities into applications:

• Ensuring confidentiality and integrity of order information is essential.
• Establishing an appropriate level of confirmation for affirming the payment information provided by a customer.
• Avoiding the misplacement or replication of transaction data.
• Ensure that info pertaining to information is kept away from a publicly available area, e.g. a storage media located within the organisation’s intranet.
• Whenever an organisation relies on an external authority to issue digital signatures, it must ensure that security is integrated throughout the process.

Guidance on Networks

When applications are accessed via networks, they could be exposed to contractual disagreements, fraudulent behaviour, misdirection, unapproved alterations to the content of communication or the confidentiality of sensitive data could be breached.

ISO 27001:2022 Annex A 8.26 advises organisations to conduct thorough risk assessments to identify suitable controls, such as cryptography, to protect the security of information transfers.

Changes and Differences From ISO 27001:2013

ISO 27001:2022 Annex A 8.26 replaces ISO 27001:2013 Annex A 14.1.2 and 14.1.3 in the revised 2022 standard.

There are three major distinctions between the two versions.

All Applications vs Applications Passing Through Public Networks

ISO 27001:2013 outlines a list of information security requirements to be taken into account for applications that are to be transmitted via public networks.

ISO 27001:2022 Annex A 8.26, in contrast, supplies a list of information security requirements that apply to all applications.

Further Guidance on Electronic Ordering and Payment Applications

ISO 27001:2022 Annex A 8.26 provides specific guidance on electronic ordering and payment applications, something which was not addressed in the 2013 version.

Requirement on Transactional Services

Whereas the 2022 edition and the 2013 edition are nearly the same concerning the prerequisites for transactional services, the 2022 edition introduces an extra demand not considered in the 2013 edition:

• Organisations should bear in mind contractual obligations and insurance stipulations.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.online is a cloud-based system which assists organisations in demonstrating alignment with ISO 27001:2022. This system can be used to supervise ISO 27001 requirements, ensuring that your organisation remains compliant with the standard.

Our platform is user-friendly and accessible to all. It doesn’t require complex technical knowledge; anyone in your business can make use of it.

Contact us now to schedule a demonstration.