ISO 27001:2022 Annex A Control 8.26

Application Security Requirements

Book a demo

cultural,mix,of,young,people,working,in,a,company

Application software such as web apps, graphics programs, databases, and payment processing are essential to many business operations.

Applications are often vulnerable to security issues which can lead to the exposure of confidential data.

As an example, US-based credit bureau Equifax neglected to apply a security patch to the web application framework they employed to manage customer complaints. This neglect enabled cyber attackers to exploit the security weaknesses of the web application, infiltrate Equifax’s corporate networks and steal sensitive information from around 145 million people.

ISO 27001:2022 Annex A 8.26 outlines how organisations can implement and implement information security requirements for applications during their development, use, and acquisition. It ensures that security measures are integrated into the life cycle of applications.

Purpose of ISO 27001:2022 Annex A 8.26

ISO 27001:2022 Annex A 8.26 allows organisations to defend their data assets stored on or processed by applications through the recognition and application of appropriate information security specifications.

Ownership of Annex A 8.26

The Chief Information Security Officer, backed by information security experts, should undertake the identification, approval, and implementation of information demands relating to the acquisition, utilisation and development of applications.

General Guidance on ISO 27001:2022 Annex A 8.26 Compliance

Organisations should conduct a risk assessment to establish the necessary information security requirements for a particular application.

Content and types of information security requirements may differ dependent on the application, yet these should cover:

  • Based on ISO 27001:2022 Annex A 5.17, 8.2, and 8.5, the level of trust assigned to a specific entity’s identity.
  • Classification of the information assets to be saved or handled by the software must be identified.
  • Is there a necessity to separate access to features and data stored on the app.
  • Assess whether the application is robust against cyber penetrations like SQL injections or unintended interceptions like buffer overflow.
  • Legally, regulatory and statutory requirements and standards must be met when dealing with transactions processed, generated, saved or finished by the app.
  • Privacy is of utmost importance for all involved.
  • Ensuring confidential data is safeguarded is essential.
  • Ensuring the security of information when it is employed, transferred, or stored is paramount.
  • It is essential that all relevant parties have secure encryption of their communications if necessary.
  • Implementing input controls, like validating input and performing integrity checks, guarantees accuracy.
  • Performing automated controls.
  • Ensuring that access rights, as well as who can view outputs, are taken into account for output control.
  • It is essential to impose limits on what can be included in “free-text” fields to guard against the unintentional distribution of confidential information.
  • Regulatory requirements, such as those governing logging of transactions and non-repudiation.
  • Other security controls may require adherence to specific requirements; for example, data leakage detection systems.
  • How your organisation handles error messages.

Guidance on Transactional Services

ISO 27001:2022 Annex A 8.26 requires organisations to consider the following seven recommendations when providing transactional services between themselves and a partner:

  • The degree of faith each party needs to have in the other’s identity is essential in any transaction.
  • The trustworthiness of data sent or processed must be assured, and a suitable system to recognise any integrity deficits, including hashing and digital signatures, must be identified.
  • The company must set up a system to determine who is authorised to approve, sign and sign off on critical transactional documents.
  • Ensuring the secrecy and accuracy of essential documents, and verifying the transmission and reception of said documents.
  • Preserving the confidentiality and accuracy of transactions, this could be orders and invoices.
  • Requirements on how transactions must remain confidential for a specified period of time.
  • Contractual obligations and insurance requirements needs must be fulfilled.

Guidance on Electronic Ordering and Payment Applications

Organisations should consider the following when incorporating payment and electronic ordering capabilities into applications:

  • Ensuring confidentiality and integrity of order information is essential.
  • Establishing an appropriate level of confirmation for affirming the payment information provided by a customer.
  • Avoiding the misplacement or replication of transaction data.
  • Ensure that info pertaining to information is kept away from a publicly available area, e.g. a storage media located within the organisation’s intranet.
  • Whenever an organisation relies on an external authority to issue digital signatures, it must ensure that security is integrated throughout the process.

Guidance on Networks

When applications are accessed via networks, they could be exposed to contractual disagreements, fraudulent behaviour, misdirection, unapproved alterations to the content of communication or the confidentiality of sensitive data could be breached.

ISO 27001:2022 Annex A 8.26 advises organisations to conduct thorough risk assessments to identify suitable controls, such as cryptography, to protect the security of information transfers.

Changes and Differences From ISO 27001:2013

ISO 27001:2022 Annex A 8.26 replaces ISO 27001:2013 Annex A 14.1.2 and 14.1.3 in the revised 2022 standard.

There are three major distinctions between the two versions.

All Applications vs Applications Passing Through Public Networks

ISO 27001:2013 outlines a list of information security requirements to be taken into account for applications that are to be transmitted via public networks.

ISO 27001:2022 Annex A 8.26, in contrast, supplies a list of information security requirements that apply to all applications.

Further Guidance on Electronic Ordering and Payment Applications

ISO 27001:2022 Annex A 8.26 provides specific guidance on electronic ordering and payment applications, something which was not addressed in the 2013 version.

Requirement on Transactional Services

Whereas the 2022 edition and the 2013 edition are nearly the same concerning the prerequisites for transactional services, the 2022 edition introduces an extra demand not considered in the 2013 edition:

  • Organisations should bear in mind contractual obligations and insurance stipulations.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

ISMS.online is a cloud-based system which assists organisations in demonstrating alignment with ISO 27001:2022. This system can be used to supervise ISO 27001 requirements, ensuring that your organisation remains compliant with the standard.

Our platform is user-friendly and accessible to all. It doesn’t require complex technical knowledge; anyone in your business can make use of it.

Contact us now to schedule a demonstration.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.