Application software programs such as web applications, graphics software, database software, and payment processing software are vital to many critical business operations.
However, these applications are often exposed to security vulnerabilities that may result in the compromise of sensitive information.
For example, Equifax, a US-based credit bureau, failed to apply a security patch to a web application framework used to handle customer complaints. The attackers used security vulnerabilities in the web application to infiltrate Equifax’s corporate networks and stole the sensitive data of around 145 million people.
Control 8.26 addresses how organisations can establish and apply information security requirements for the development, use, and acquisition of applications.
Control 8.26 enables organisations to protect information assets stored on or processed through applications by identifying and applying appropriate information security requirements.
Control 8.26 is a preventive type of control that reduces risks to the integrity, availability, and confidentiality of information assets stored on applications through the use of suitable information security measures.

Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application Security #System and Network Security | #Protection #Defence |
The Chief Information Security Officer, with the support of information security specialists, should be responsible for the identification, approval, and implementation of information security requirements for the acquisition, use and development of applications.
The general guidance notes that organisations should carry out a risk assessment to determine the type of information security requirements appropriate to a particular application.
While the content and types of information security requirements may vary depending on the nature of the application, the requirements should address the following:
Control 8.26 requires organisations to take into account the following seven recommendations when an application offers transactional services between the organisation and a partner:
When applications include payment and electronic ordering functionality, organisations should take into account the following:
When applications are accessed through networks, they are vulnerable to threats such as contract disputes, fraudulent activities, misrouting, unauthorised changes to the content of communications, or loss of confidentiality of sensitive information.
Control 8.26 recommends organisations perform comprehensive risk assessments to identify appropriate controls such as the use of cryptography to ensure the security of information transfers.
ISO 27002:2022 Control 8.26 replaces ISO 27002:2013 Controls 14.1.2 and 14.1.3.
There are three big differences between the two versions.
The ISO 27002:2013 version did not list requirements that apply to all applications; it only provided a list of information security requirements to be considered for applications passing through public networks.
Control 8.26 in the 2022 version, by contrast, provides a list of information security requirements that apply to all applications.
Control 8.26 in the 2022 version contains specific guidance on electronic ordering and payment applications, which the 2013 version did not address.
Whereas the 2022 version and the 2013 version are almost identical in terms of the requirements for transactional services, the 2022 version introduces an additional requirement not addressed in the 2013 version:
ISMS.online is a cloud-based solution that helps companies show compliance with ISO 27002. The ISMS.online solution can be used to manage the requirements of ISO 27002 and ensure that your organisation remains compliant with the new standard.
Our platform is user-friendly and straightforward. It is not only for highly technical individuals; it is for everyone in your company.
Get in touch today to book a demo.

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |