Requirement
Requirement lens
This control asks whether information security requirements are identified, specified, and approved when applications are developed or acquired.
“Information security requirements shall be identified, specified and approved when developing or acquiring applications.”
Plain-language meaning
Application security requirements should be defined before the application is built, bought, integrated, or changed. The organization should decide what security the application needs, document those requirements, and approve them.
This applies to internal applications, customer-facing services, websites, APIs, SaaS, industrial systems, payment/transaction systems, and acquired commercial applications.
Why this matters
Applications often process sensitive transactions, credentials, personal information, billing details, customer data, and business records. If requirements are not defined early, security is guessed later or retrofitted badly.
Security requirements can include authentication, authorization, cryptography, logging, transaction validation, secure protocols, fraud prevention, segregation of duties, privacy, legal compliance, and network protection.
Implementation guidance
Implementer focus
Security requirements should be approved like functional requirements. If they are not in the requirement set, they are easy to miss during design, procurement, and testing.
1. Identify application security requirements
Use risk assessment, classification, privacy obligations, legal/contractual obligations, architecture, transaction risk, user roles, and threat modelling to define requirements.
2. Specify requirements clearly
Avoid vague requirements like “application must be secure.” Define testable requirements for access control, cryptography, logging, input validation, transaction verification, secure protocols, data storage, monitoring, and administration.
3. Approve requirements
Security requirements should be approved by the appropriate business owner, system owner, security role, and other relevant stakeholders before development or acquisition decisions proceed.
4. Address transaction and public-network risks
Applications that process transactions over public networks may need stronger controls for authenticity, integrity, confidentiality, non-repudiation, certificate trust, user credential verification, payment validation, monitoring, and legal compliance.
5. Carry requirements into testing and acceptance
Security requirements should be verified before go-live or acceptance. Procurement, development, testing, and release records should show whether requirements were met or risk-accepted.
Audit guidance
Auditor focus
Select an application and trace security requirements from risk assessment to specification, approval, design, testing, acceptance, and operation.
Auditors should verify:
- application security requirements are identified for new, changed, and acquired applications;
- requirements are risk-based and specific;
- requirements are approved by appropriate owners;
- authorization, segregation of duties, cryptography, network security, logging, and transaction verification are considered where relevant;
- public network and transaction services have appropriate protections;
- certificate authorities and digital signature processes are managed where used;
- secure communication protocols and secure storage are specified;
- legal/regulatory requirements are considered;
- requirements are tested before release or acceptance;
- exceptions are approved and risk-treated.
Evidence examples
Evidence quality
Strong evidence proves application security requirements are explicit, approved, tested, and traceable to risk.
| Evidence | What it proves |
|---|---|
| Application security requirements register | Requirements are specified |
| Risk assessment or threat model | Requirements are justified |
| Approval records | Owners accepted requirements |
| Test/acceptance evidence | Requirements were verified |
| Transaction control review | High-risk transaction controls are defined |
| Cryptographic requirement review | Crypto needs are governed |
| Exception/risk acceptance records | Gaps are managed |
Strong evidence
- Requirements are specific and testable.
- Requirements trace to risk, data classification, and legal needs.
- Application owner and security approver sign off.
- Testing proves requirements were met.
- Transaction services include verification, secure protocols, and monitoring.
- Exceptions are documented and risk-accepted.
Weak evidence
- Security requirements are vague or absent.
- Procurement assumes vendor security without requirement mapping.
- Requirements are added after design is complete.
- Transaction controls are undocumented.
- Cryptographic controls are chosen without key-management policy.
- No evidence shows security requirements were tested.
Common failures
Implementation watchouts
A.8.26 fails when security requirements are treated as informal advice instead of approved application requirements.
| Failure | Why it matters |
|---|---|
| Vague requirements | Cannot be designed or tested |
| No approval | Business and security expectations diverge |
| Late requirement discovery | Security becomes expensive retrofit |
| Transaction risks ignored | Fraud and dispute risks increase |
| Crypto selected ad hoc | Key management and legal issues are missed |
| Vendor security assumed | Acquired applications may not meet need |
Exam traps
Exam focus
A.8.26 is about identifying, specifying, and approving application security requirements before or during development/acquisition.
| Trap | Correct interpretation |
|---|---|
| Secure coding covers application requirements | A.8.26 is about requirements; A.8.25 is lifecycle rules |
| Vendor applications need no requirements | Acquired applications also need security requirements |
| Requirements can be generic | Requirements should be specific and testable |
| Cryptography alone protects transactions | Authentication, integrity, authorization, monitoring, legal, and process controls may also be needed |
| Approval can wait until go-live | Requirements should be approved early enough to affect design or selection |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.24 Use of Cryptography
- A.8.25 Secure Development Life Cycle
- A.8.27 Secure System Architecture and Engineering Principles
- A.8.20 Networks Security
- A.8.15 Logging
- A.5.8 Information Security in Project Management
- A.5.15 Access Control
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- Risk Assessment
- Statement of Applicability
- Application Security Requirements Register
- Application Transaction Security Checklist
- Application Security Requirements Approval Record
- A.8.26 Audit Evidence Pack
- A.8.26 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.26 makes application security explicit before design, purchase, or release. Strong implementation proves requirements are risk-based, approved, testable, verified, and carried into acceptance.
- Identify security requirements early.
- Specify requirements clearly.
- Approve requirements before selection or build.
- Include transaction, crypto, network, legal, and logging needs.
- Test requirements before go-live.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Application security
- Secure development
- Audit
Note Metadata
Aliases: A.8.26, Application Security Requirements
Source: 05 Annex A Technological Controls/A.8.26 Application Security Requirements.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.8 - Information Security in Project Management
- A.8.26 Audit Evidence Pack
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.30 - Outsourced Development
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.26 Application Security Requirements
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-038 - Secure Development and Architecture
- EXAM-039 - Secure Coding and Security Testing
- ISO 27002 Annex A Control Interpretation Map
- A.8.26 Audit Checklist
- Application Security Requirements Approval Record
- Application Security Requirements Register
- Application Transaction Security Checklist
- Secure Architecture Principles Standard
- Security Acceptance Criteria Checklist
- Security Test Plan
- Annex A Controls MOC