ISO IEC 27034-2-2015 PDF
Name in English:
St ISO IEC 27034-2-2015
Name in Russian:
Ст ISO IEC 27034-2-2015
Original standard ISO/IEC 27034-2:2015, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: Organization normative framework. This part describes the Organization Normative Framework (ONF) and gives guidance for designing, implementing, operating, monitoring and auditing an ONF to support application security in an organization.
Abstract
ISO/IEC 27034-2:2015 provides a detailed description of the Organization Normative Framework and practical guidance for its implementation, including the ONF management process, ONF elements (business, regulatory and technological context, repositories, libraries and life‑cycle models), and processes for application security management, risk analysis and verification.
General information
- Status: Published; reviewed and confirmed without change at the five‑year systematic review in 2021.
- Publication date: August 2015 (circulated July–August 2015).
- Publisher: ISO/IEC (joint standard developed by ISO/IEC JTC 1/SC 27, IT security techniques).
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 1 (2015).
- Number of pages: 52 (main ISO edition pagination).
Core bibliographic and lifecycle details from the ISO record and official distribution listings.
Scope
Part 2 explains the structure, relationships and interdependencies of processes and elements that make up an Organization Normative Framework (ONF). It provides guidance for establishing ONF governance (including committees and RACI-style role descriptions), designing ONF elements (business, regulatory and technological context components; application specification and roles repositories; Application Security Control libraries; life‑cycle models), and for implementing, operating, monitoring, auditing and improving the ONF to support application security across the organisation. Annexes show alignment with systems/software lifecycle standards and give an implementation example.
Key topics and requirements
- Definition and purpose of the Organization Normative Framework (ONF) and its management process (establish, design, implement, monitor, improve, audit).
- Governance structures and roles (use of RACI charts and requirement for an ONF committee to oversee policies and processes).
- ONF elements: business, regulatory and technological context components; application specifications and roles/responsibilities repositories; ASC (Application Security Control) library.
- Application Security Life Cycle Reference Model and Application Security Management Process (ASMP), including application security risk analysis and verification processes.
- Guidance on implementation and alignment with system/software lifecycle standards (ISO/IEC 15288, ISO/IEC 12207 and ISO/IEC 15026‑4) and a worked implementation example in an informative annex.
Typical use and users
Used by organisations establishing or strengthening formal application security governance: security architects, application security teams, IT governance and compliance officers, software development and DevSecOps leads, internal/external auditors, and consultants. The standard is particularly suited to organisations seeking a structured, auditable framework (ONF) to integrate application security into organisational processes.
Related standards
ISO/IEC 27034‑1 (Overview and concepts), ISO/IEC 27034‑3 (Application security management process), ISO/IEC 27001 (Information security management), and systems/software lifecycle standards referenced for alignment: ISO/IEC 15288, ISO/IEC 12207, ISO/IEC 15026‑4. These documents are cross-referenced or aligned in Part 2 guidance and annexes.
Keywords
Application security; Organization Normative Framework (ONF); application security management; ASMP; application security controls (ASC); application security life cycle; risk analysis; verification; governance; ISO/IEC JTC 1/SC 27; ICS 35.030.
FAQ
Q: What is this standard?
A: ISO/IEC 27034‑2:2015 is Part 2 of the ISO/IEC 27034 series, titled "Organization normative framework". It defines the ONF concept and provides guidance to organisations on establishing and operating an ONF to manage application security.
Q: What does it cover?
A: It covers the structure, governance and elements of an ONF, processes for ONF management (design, implementation, monitoring, auditing and improvement), repositories and libraries used to store application specifications and security controls, and processes for application security management, risk analysis and verification. Informative annexes show lifecycle alignment and an implementation example.
Q: Who typically uses it?
A: Security architects, application security teams, compliance and governance officers, development leads, auditors and consultants who need a formal, auditable framework to integrate application security into organisational practices. Organisations with mature governance models or those seeking a structured approach to application security will find it especially relevant.
Q: Is it current or superseded?
A: The 2015 edition (Edition 1) is still the published version; it was reviewed at the five‑year systematic review and confirmed without change in 2021, so it is current as of that review. Check the ISO catalogue or your national standards body for any later revision or newer related parts before adopting it.
Q: Is it part of a series?
A: Yes — ISO/IEC 27034 is a multipart series on application security. Part 1 gives overview and concepts, Part 2 defines the Organization Normative Framework, Part 3 addresses the Application Security Management Process, and other parts provide complementary guidance.
Q: What are the key keywords?
A: Application security, Organization Normative Framework (ONF), ASMP, application security controls, lifecycle model, risk analysis, verification, governance, repository, ASC library. These reflect the standard’s core topics and intended use.