ISO 27001 & Application Security
ISO 27001 lets an organization define which parts of its overall environment are in scope for certification. The organization must then build and operate an Information Security Management System (ISMS): a set of policies, documents and controls drawn from Annex A of ISO 27001, with implementation guidance for each control given in ISO 27002.
The organization first defines the ISMS scope and then records, in a Statement of Applicability ("SoA"), which Annex A controls apply to that scope and why any are excluded; the security controls are then built around that scope. It would be easy to read the ISO 27001 requirements, notice that only a few of them mention application security directly, and conclude that little of the standard applies to software. Managers and internal compliance teams should instead understand that the scope comes first and that security is built around whatever the scope contains.
As such, if the ISMS scope described alongside the SoA includes a software development process, the whole of that process is subject to all of ISO 27001, not only to the requirements that happen to use the words "application security". It is also worth noting that in the ISO 27001 documents, "application security" generally means the security of the applications used within the scoped environment; it does not refer to application security as a general discipline.
ISO 27001 groups its controls into domains covering the following areas:
- Personnel (human resources) security
- Organization of information security
- Physical and environmental security
- Communications & operations management
- Systems development and maintenance
- Access controls to provision and monitor access to information
- Security incident management
- Business continuity management
- Compliance with applicable legal, regulatory and industry security standards
How Security Innovation can help
While many firms can help you with ISO 27001 compliance, Security Innovation is uniquely positioned to ensure you succeed in the areas of systems development and maintenance, and of compliance with industry security standards (such as PCI DSS).
- SDLC Review: review of your SDLC security posture when developing and maintaining software
- SDLC Documentation: documentation of the security controls in place, for use during an audit
- Awareness & Technical Training: cost-effective eLearning to ensure compliance with industry and corporate requirements
- Policies & Guidelines: for use during systems development, to demonstrate secure development processes to an auditor
