UnixTime

Research Note

ISO 27001 A.8.26 - Application Security Requirements

Application security requirements should be defined before the application is built, bought, integrated, or changed. The organization should decide what security the application...

On this page

Requirement

Requirement lens

This control asks whether information security requirements are identified, specified, and approved when applications are developed or acquired.

“Information security requirements shall be identified, specified and approved when developing or acquiring applications.”

Plain-language meaning

Application security requirements should be defined before the application is built, bought, integrated, or changed. The organization should decide what security the application needs, document those requirements, and approve them.

This applies to internal applications, customer-facing services, websites, APIs, SaaS, industrial systems, payment/transaction systems, and acquired commercial applications.

Why this matters

Applications often process sensitive transactions, credentials, personal information, billing details, customer data, and business records. If requirements are not defined early, security is guessed later or retrofitted badly.

Security requirements can include authentication, authorization, cryptography, logging, transaction validation, secure protocols, fraud prevention, segregation of duties, privacy, legal compliance, and network protection.

Implementation guidance

Implementer focus

Security requirements should be approved like functional requirements. If they are not in the requirement set, they are easy to miss during design, procurement, and testing.

1. Identify application security requirements

Use risk assessment, classification, privacy obligations, legal/contractual obligations, architecture, transaction risk, user roles, and threat modelling to define requirements.

2. Specify requirements clearly

Avoid vague requirements like “application must be secure.” Define testable requirements for access control, cryptography, logging, input validation, transaction verification, secure protocols, data storage, monitoring, and administration.

3. Approve requirements

Security requirements should be approved by the appropriate business owner, system owner, security role, and other relevant stakeholders before development or acquisition decisions proceed.

4. Address transaction and public-network risks

Applications that process transactions over public networks may need stronger controls for authenticity, integrity, confidentiality, non-repudiation, certificate trust, user credential verification, payment validation, monitoring, and legal compliance.

5. Carry requirements into testing and acceptance

Security requirements should be verified before go-live or acceptance. Procurement, development, testing, and release records should show whether requirements were met or risk-accepted.

Audit guidance

Auditor focus

Select an application and trace security requirements from risk assessment to specification, approval, design, testing, acceptance, and operation.

Auditors should verify:

  • application security requirements are identified for new, changed, and acquired applications;
  • requirements are risk-based and specific;
  • requirements are approved by appropriate owners;
  • authorization, segregation of duties, cryptography, network security, logging, and transaction verification are considered where relevant;
  • public network and transaction services have appropriate protections;
  • certificate authorities and digital signature processes are managed where used;
  • secure communication protocols and secure storage are specified;
  • legal/regulatory requirements are considered;
  • requirements are tested before release or acceptance;
  • exceptions are approved and risk-treated.

Evidence examples

Evidence quality

Strong evidence proves application security requirements are explicit, approved, tested, and traceable to risk.

Evidence What it proves
Application security requirements register Requirements are specified
Risk assessment or threat model Requirements are justified
Approval records Owners accepted requirements
Test/acceptance evidence Requirements were verified
Transaction control review High-risk transaction controls are defined
Cryptographic requirement review Crypto needs are governed
Exception/risk acceptance records Gaps are managed

Strong evidence

  • Requirements are specific and testable.
  • Requirements trace to risk, data classification, and legal needs.
  • Application owner and security approver sign off.
  • Testing proves requirements were met.
  • Transaction services include verification, secure protocols, and monitoring.
  • Exceptions are documented and risk-accepted.

Weak evidence

  • Security requirements are vague or absent.
  • Procurement assumes vendor security without requirement mapping.
  • Requirements are added after design is complete.
  • Transaction controls are undocumented.
  • Cryptographic controls are chosen without key-management policy.
  • No evidence shows security requirements were tested.

Common failures

Implementation watchouts

A.8.26 fails when security requirements are treated as informal advice instead of approved application requirements.

Failure Why it matters
Vague requirements Cannot be designed or tested
No approval Business and security expectations diverge
Late requirement discovery Security becomes expensive retrofit
Transaction risks ignored Fraud and dispute risks increase
Crypto selected ad hoc Key management and legal issues are missed
Vendor security assumed Acquired applications may not meet need

Exam traps

Exam focus

A.8.26 is about identifying, specifying, and approving application security requirements before or during development/acquisition.

Trap Correct interpretation
Secure coding covers application requirements A.8.26 is about requirements; A.8.25 is lifecycle rules
Vendor applications need no requirements Acquired applications also need security requirements
Requirements can be generic Requirements should be specific and testable
Cryptography alone protects transactions Authentication, integrity, authorization, monitoring, legal, and process controls may also be needed
Approval can wait until go-live Requirements should be approved early enough to affect design or selection

KB-ready summary

Mentor takeaway

A.8.26 makes application security explicit before design, purchase, or release. Strong implementation proves requirements are risk-based, approved, testable, verified, and carried into acceptance.

  • Identify security requirements early.
  • Specify requirements clearly.
  • Approve requirements before selection or build.
  • Include transaction, crypto, network, legal, and logging needs.
  • Test requirements before go-live.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Application security
  • Secure development
  • Audit

Note Metadata

Aliases: A.8.26, Application Security Requirements

Source: 05 Annex A Technological Controls/A.8.26 Application Security Requirements.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.