What the auditor wants to verify
Audit objective
Verify that application security requirements are identified, specified, approved, and verified when applications are developed or acquired.
Evidence to request
| Evidence | Purpose |
|---|---|
| Application security requirements register | Shows requirements are specified |
| Risk assessment or threat model | Shows requirements are justified |
| Approval records | Shows owner/security approval |
| Test/acceptance evidence | Shows requirements were verified |
| Transaction security checklist | Shows high-risk transaction controls |
| Exception/risk acceptance records | Shows gaps are managed |
Strong evidence
- Requirements are specific and testable.
- Requirements trace to risk, classification, and legal obligations.
- Security and business owners approve requirements.
- Testing proves requirements are met before release or acceptance.
- Transaction services include verification, secure protocols, and monitoring.
Weak evidence
- Requirements say only “must be secure”.
- Vendor security is assumed without mapping.
- Security requirements are added after go-live.
- No test evidence exists.
- Transaction controls are undocumented.
Sample interview questions
- How are application security requirements identified?
- Who approves them?
- How are acquired applications assessed?
- How are transaction protections determined?
- How are requirements tested before release?
- How are exceptions risk-accepted?
Common nonconformities
- Requirements are not documented or approved.
- Requirements are not testable.
- Public transaction risks are not assessed.
- Cryptographic or legal requirements are missed.
- Acceptance testing omits security requirements.
Related notes
- Audit
- Evidence
- A8 26
- Iso27001
Note Metadata
Aliases: A.8.26 Evidence
Source: 04 Audit Evidence Packs/A.8.26 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.26 - Application Security Requirements
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.26 Application Security Requirements
- A.8.26 Audit Checklist
- Application Security Requirements Approval Record
- Application Security Requirements Register
- Application Transaction Security Checklist
- Audit Evidence Index