Moved a directory, changed some filenames

Richard Kranendonk 2026-06-06 20:37:28 +02:00
parent ae27a60bcf
commit 347706835e
195 changed files with 696 additions and 255 deletions

@ -0,0 +1,85 @@
---
tags:
- iso27034
- type/MoC
---
# ISO 27034 Application security
[Overview by SecAware](https://www.iso27001security.com/html/27034.html)
## Overview generated by Gemini
These ISO/IEC standards establish comprehensive frameworks for **application security**, aiming to ensure software is built and maintained securely throughout its lifecycle. **ISO/IEC 27034-1** introduces core concepts like the **Organization Normative Framework (ONF)**, a central repository for reusable security elements, and **Application Security Controls (ASCs)**, which detail security activities and their verification. **ISO/IEC 27034-2** provides the **organizational framework** for managing the ONF, detailing its components such as business, regulatory, and technological contexts, along with processes like risk analysis and verification. **ISO/IEC 27034-3** outlines the **Application Security Management Process (ASMP)**, guiding organizations in integrating security into each application's lifecycle, from specifying requirements to auditing. Finally, **ISO/IEC 27034-6** offers **case studies and examples**, illustrating the practical application of ASCs and the **Application Security Life Cycle Reference Model (ASLCRM)**, while **ISO/IEC 27034-7** introduces the concept of **Prediction Application Security Rationales (PASRs)** for assessing the security of subsequent application versions without full re-verification.
The ISO/IEC 27034 series provides a comprehensive framework to **integrate security seamlessly throughout the life cycle of applications**. It is designed to assist organizations in protecting their information at the application level and applies to applications developed in-house, acquired from third parties, or outsourced. Importantly, it is applicable to organizations of all sizes and types, including commercial enterprises and government agencies. It is not a software application development standard, a project management standard, or a software development life cycle standard itself, but rather integrates with existing processes.
The purpose of ISO/IEC 27034 is to help organizations:
 Establish **security requirements** and **assess security risks**.
 Assign a **Targeted Level of Trust** to applications and select corresponding security controls and verification measures.
 Demonstrate that their applications can be used securely under a defined environment.
 Support the general concepts of ISO/IEC 27001 (Information security management systems) and implement security controls from ISO/IEC 27002 (Code of practice for information security management).
• **Minimize resistance to changes** brought by new application security elements.
• **Standardize application security elements** for uniform implementation and verification.
 Achieve an appropriate level of security in a **cost-effective manner**, for example, through reusing existing approved application security elements.
**Overview of the 27034 Framework**
The ISO/IEC 27034 framework is built around two main overarching processes:
1. **Organization Normative Framework (ONF) Management Process**: This is a **continuous, organizational-level process** responsible for managing the application security aspects of the ONF. It defines and maintains the organization's contexts for application security and serves as a central reference.
2. **Application Security Management Process (ASMP)**: This process is used for **managing security on specific application projects**. It is a specialization of the risk management process found in ISO/IEC 27005. The ASMP helps a project team apply relevant portions of the ONF to a specific application project and formally record evidence of the outcomes in an Application Normative Framework (ANF).
**Key Components and Concepts**
To implement these processes, ISO/IEC 27034 introduces several core components:
• **Organization Normative Framework (ONF)**: The **most important component** of ISO/IEC 27034, the ONF is an **organization-wide framework** that stores all application security best practices recognized by the organization. It acts as the foundation for application security, guiding all future security decisions. Key elements of the ONF include:
    ◦ **Business context component**: Identifies security risks and requirements from the organizations business activities and adopted standards.
    ◦ **Regulatory context component**: Identifies security risks from applicable laws and regulations in the countries or jurisdictions where the application is developed, deployed, or used.
    ◦ **Technological context component**: Identifies security risks from the organizations IT components and best practices for their use.
    ◦ **Application specifications repository**: Documents general IT functional requirements and pre-approved solutions to determine and mitigate risks from application specifications.
    ◦ **Roles, responsibilities and qualifications repository**: Lists all roles, responsibilities, and required qualifications for actors involved with the organizations applications and ONF.
    ◦ **Organization Application Security Control (ASC) Library**: The **repository of all ASCs available in the organization**. ASCs are associated with one or many levels of trust.
    ◦ **Application Security Life Cycle Reference Model (ASLCRM)**: A reference model that helps to uniformly identify and communicate _when_ in the application life cycle and _by whom_ ASCs should be implemented. It is divided into Provisioning (Preparation, Realization, Transition) and Operation (Utilization and maintenance, Archival, Destruction) stages, and vertically into layers like Application management, Application provisioning and operation, Infrastructure management, and Application audit.
• **Application Security Control (ASC)**: A **central concept** in ISO/IEC 27034, an ASC is a data structure that precisely describes a **security activity** and its associated **verification measurement** to be performed at a specific point in an application's life cycle. It formalizes security activities and ensures supporting evidence is collected for verification.
• **Application Normative Framework (ANF)**: A **subset or refinement of the ONF** that contains only the detailed, relevant information required for a **specific application project** to achieve its Targeted Level of Trust. Its security requirements are derived from the application's risk assessment.
• **Levels of Trust (LoT)**: A label identifying a set of applicable ASCs from the Organization ASC Library.
    ◦ **Targeted Level of Trust (TLOT)**: The set of ASCs deemed necessary by the application owner to lower the risk associated with a specific application to an acceptable level. This becomes the goal for the application project team.
    ◦ **Actual Level of Trust (ALOT)**: The maximum confidence level demonstrated by the verification team based on the verification measurements of all the applications ASCs. An application is considered **"secure"** when its Actual Level of Trust is equal to or greater than its Targeted Level of Trust.
**Implementation in a Small Software Development Company**
For a small software development company, implementing ISO/IEC 27034 can be approached effectively by leveraging its inherent flexibility and iterative nature:
• **Integration with Existing Processes**: The processes and frameworks of ISO/IEC 27034 are designed to be **integrated into an organization's existing processes**, rather than implemented in isolation. This means your company can map its current software development lifecycle and practices to the ISO/IEC 27034 framework, reducing the impact of adopting new standards.
• **Iterative Implementation**: The ONF Management Process should be performed **iteratively**, allowing you to implement the ONF incrementally. This approach helps to **reduce initial impact** and achieve quicker gains by prioritizing the elements that are most urgently needed for your company. You can start with a baseline level of security and expand as your needs and resources grow.
• **Focus on Core Components**: For a small company, it might be beneficial to initially focus on formalizing the most critical ONF components, such as the **business, regulatory, and technological contexts**, and developing a foundational **ASC Library** relevant to your primary applications.
• **Defined Roles and Responsibilities**: While RACI charts are mentioned, the standard emphasizes that organizations should align guidance with their own methods for clarifying roles and responsibilities. This allows for flexibility in how a small team defines who is "responsible," "accountable," "consulted," and "informed" for application security activities.
• **Cost-Effectiveness and Reuse**: A key purpose of the ONF is to enable an appropriate level of security in a **cost-effective manner**, for instance, by **reusing existing approved application security elements**. This is a significant advantage for a small company where resource optimization is crucial. Once ASCs are defined, they can be reused across multiple projects.
• **Leveraging Automation and Tools**: The standard encourages the use of approved tools to take advantage of new security analysis functionality. Automation can increase consistency in defining and enforcing security requirements and Targeted Levels of Trust across applications. This can be particularly beneficial for a small team, enabling them to achieve more with fewer manual efforts.
• **Targeted Level of Trust for Each Application**: By defining a **Targeted Level of Trust** for each application based on a risk assessment, your company can ensure that the investment in security is appropriate for the value and risks associated with that specific application.
• **Guidance for Acquisition/Outsourcing**: If your company acquires software or outsources development, ISO/IEC 27034 provides guidelines for communicating requirements and verifying evidence of security controls from third parties.
By systematically implementing the framework, even in a simplified and iterative manner, your small software development company can gain demonstrable evidence that its applications are adequately protected, align with industry best practices, and improve its overall application security posture.
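Review bot: the bullet lists in this new note will not render as lists, because they use literal "•" and "◦" characters instead of Markdown list syntax, and the "purpose" list is inconsistent even in that: the items "Establish **security requirements**...", "Assign a **Targeted Level of Trust**...", "Demonstrate that...", "Support the general concepts..." and "Achieve an appropriate level..." have no marker at all, while "**Minimize resistance to changes**..." and "**Standardize application security elements**..." carry "•". Suggest converting every item to "- " (the form already used for the `tags:` entries in the front matter) and the "◦" sub-items to an indented "- " so the ONF components and the TLOT/ALOT entries nest under their parent bullets. Two smaller points in the same hunk: the bold-only pseudo-headings "**Overview of the 27034 Framework**", "**Key Components and Concepts**" and "**Implementation in a Small Software Development Company**" would fit better as "###" sub-headings under "## Overview generated by Gemini", and the possessives "organizations business activities", "organizations IT components", "organizations applications" and "applications ASCs" are missing their apostrophes ("organization's", "application's").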