ISO IEC 27034-6-2016 PDF
Name in English:
St ISO IEC 27034-6-2016
Name in Russian:
Ст ISO IEC 27034-6-2016
Original standard ISO IEC 27034-6-2016 in PDF full version. Additional info + preview on request
Full title and description
ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies. This part of the ISO/IEC 27034 series provides illustrative case studies and usage examples demonstrating how Application Security Controls (ASCs) can be applied to real-world applications to achieve and verify required security outcomes.
Abstract
ISO/IEC 27034-6:2016 provides usage examples of Application Security Controls (ASCs) for specific applications. The examples are illustrative — intended to show how ASCs, the Application Security Management Process (ASMP), and normative frameworks (ONF/ANF) can be used in practice; readers are encouraged to create organization- and application-specific ASCs tailored to their context.
General information
- Status: Published (confirmed / current listing).
- Publication date: October 2016 (Edition 1, 2016-10).
- Publisher: published jointly by ISO and IEC; developed by ISO/IEC JTC 1/SC 27 (IT security techniques).
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 1 (2016).
- Number of pages: 70 pages (official ISO listing).
Key bibliographic and lifecycle information shown above is taken from the ISO product listing for ISO/IEC 27034-6:2016.
Scope
This part of ISO/IEC 27034 illustrates, via multiple case studies, how Application Security Controls (ASCs) are structured and applied at specific points in an application’s lifecycle to mitigate risks and satisfy security requirements. It demonstrates how ASCs include both a security activity and an associated verification measurement, how ASCs map into an Organization Normative Framework (ONF) and Application Normative Framework (ANF), and how the Application Security Management Process (ASMP) can be used to select, apply and verify controls for different levels of trust. The case studies are illustrative (not normative) and intended to help organizations tailor ASCs to their technical, regulatory and business contexts.
Key topics and requirements
- Illustrative case studies showing ASC application across different application types and contexts.
- Use of ASCs as paired items: a security activity plus a verification measurement (how, where, when and by whom an activity is performed).
- Mapping and tailoring of ASCs between Organization Normative Framework (ONF) and Application Normative Framework (ANF).
- Integration of ASCs into the Application Security Management Process (ASMP) defined in ISO/IEC 27034-1: specifying the application requirements and environment, assessing application security risks, creating and maintaining the ANF, provisioning and operating the application, and auditing the application's security to confirm the Actual Level of Trust against the Targeted Level of Trust.
- Emphasis on reusability and verification evidence for controls rather than prescriptive, one-size-fits-all controls.
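The relationship between these items (an ASC as an activity paired with a verification measurement, the ONF as the organization's control library, the ANF as the subset selected for an application's Targeted Level of Trust, and verification evidence deciding the Actual Level of Trust) can be made concrete in code. The Python model below is an added example and is not code from the standard, nor the ASC data structure or XML schema defined in Parts 5 and 5-1; the field names, the rule that a control applies at or above its stated level, the four sample controls and the application facts are all assumptions constructed for illustration.

```python
# Added illustrative model of ISO/IEC 27034 concepts (ASC, ONF, ANF, Level of Trust).
# Not the standard's own data structure; field names and ordering rules are assumptions.
from dataclasses import dataclass
from typing import Callable
import re

# A verification measurement returns (passed, evidence) for one application snapshot.
Verification = Callable[[dict], tuple[bool, str]]


@dataclass(frozen=True)
class ASC:
    """Application Security Control: a security activity paired with its verification.
    level_of_trust is the lowest Level of Trust at which the control is required (assumed)."""
    asc_id: str
    level_of_trust: int
    activity: str          # what is done, where/when in the lifecycle, and by whom
    verify: Verification   # how compliance with the activity is measured


def check_tls_min_version(app: dict) -> tuple[bool, str]:
    version = app.get("tls_min_version", "")
    return version in ("1.2", "1.3"), f"tls_min_version={version!r}"


def check_password_hashing(app: dict) -> tuple[bool, str]:
    alg = app.get("password_hash", "")
    return alg in ("argon2id", "scrypt", "bcrypt"), f"password_hash={alg!r}"


# Heuristic: a SQL keyword followed later by a closing quote that is concatenated (+) or
# %-formatted onto data indicates a query built from strings rather than parameterized.
_UNSAFE_SQL = re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*"\s*[+%]', re.I)


def check_parameterized_sql(app: dict) -> tuple[bool, str]:
    unsafe = [q for q in app.get("query_snippets", []) if _UNSAFE_SQL.search(q)]
    return not unsafe, f"unparameterized_queries={len(unsafe)}"


def check_recent_pentest(app: dict) -> tuple[bool, str]:
    age = app.get("pentest_report_age_days")
    return age is not None and age <= 365, f"pentest_report_age_days={age}"


# Organization Normative Framework: the organization's approved library of ASCs (constructed).
ONF = [
    ASC("ASC-TLS-01", 1, "Enforce TLS 1.2+ on every listener at deployment (operations)", check_tls_min_version),
    ASC("ASC-AUTH-02", 1, "Hash credentials with a memory-hard KDF during implementation (developers)", check_password_hashing),
    ASC("ASC-INJ-03", 2, "Use parameterized queries; checked at code review (developers/QA)", check_parameterized_sql),
    ASC("ASC-PT-04", 3, "Commission a penetration test at least yearly before release (security team)", check_recent_pentest),
]


def build_anf(onf: list[ASC], target_level_of_trust: int) -> list[ASC]:
    """Application Normative Framework: the ONF controls an application must implement
    to reach its Targeted Level of Trust (here: every ASC at or below that level)."""
    return [asc for asc in onf if asc.level_of_trust <= target_level_of_trust]


def verify_anf(anf: list[ASC], app: dict) -> dict[str, tuple[bool, str]]:
    """Run each ASC's verification measurement and keep the evidence per control."""
    return {asc.asc_id: asc.verify(app) for asc in anf}


def actual_level_of_trust(onf: list[ASC], app: dict) -> int:
    """Highest level L for which every ASC required at or below L passes verification."""
    achieved = 0
    for level in sorted({asc.level_of_trust for asc in onf}):
        results = verify_anf(build_anf(onf, level), app)
        if not all(passed for passed, _ in results.values()):
            break
        achieved = level
    return achieved


# Constructed snapshot of application facts gathered during audit (not a real system).
SAMPLE_APP = {
    "tls_min_version": "1.2",
    "password_hash": "argon2id",
    "query_snippets": [
        'cur.execute("SELECT * FROM users WHERE id = %s", (uid,))',            # parameterized
        'cur.execute("SELECT * FROM users WHERE name = \'" + name + "\'")',   # concatenated
    ],
    "pentest_report_age_days": 90,
}

if __name__ == "__main__":
    target = 3
    for asc_id, (passed, evidence) in verify_anf(build_anf(ONF, target), SAMPLE_APP).items():
        print(f"{asc_id}: {'PASS' if passed else 'FAIL'} ({evidence})")
    print(f"targeted={target} actual={actual_level_of_trust(ONF, SAMPLE_APP)}")
```

Running the block against the constructed snapshot shows the distinction the series draws between a Targeted Level of Trust and an Actual Level of Trust: the application targets level 3 and even has a recent penetration test, but the concatenated query fails ASC-INJ-03 at level 2, so the verified Actual Level of Trust is 1. Removing the offending snippet makes all four controls pass and raises the actual level to 3.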
Typical use and users
ISO/IEC 27034-6 is used as a practical guide by: application security architects and engineers, software development and QA teams, security governance and risk teams, auditors and assessors, system integrators and suppliers, and organizations embedding application security into acquisition, development and operational processes. It is particularly useful when organizations want concrete examples to guide creation or tailoring of ASCs, to demonstrate verification activities, or to teach project teams how to apply the ASMP in real projects.
Related standards
ISO/IEC 27034-6 is one part of the ISO/IEC 27034 series on application security. Related parts include ISO/IEC 27034-1 (overview and concepts), ISO/IEC 27034-2 (organization normative framework), ISO/IEC 27034-3 (application security management process), ISO/IEC 27034-5 (protocols and ASC data structure), ISO/IEC 27034-5-1 (XML schemas), ISO/IEC 27034-7 (assurance prediction framework), and other informative technical specifications and guidance in the series. The Part 6 case studies are intended to be read alongside the normative structures and data models provided in Parts 1, 2, 3 and 5.
Keywords
Application security, ASC (Application Security Control), ANF (Application Normative Framework), ONF (Organization Normative Framework), ASMP (Application Security Management Process), Levels of Trust, verification measurement, case studies, application security controls, security lifecycle.
FAQ
Q: What is this standard?
A: ISO/IEC 27034-6:2016 is Part 6 of the ISO/IEC 27034 series and contains case studies that illustrate how to define, apply and verify Application Security Controls (ASCs) in real application contexts.
Q: What does it cover?
A: It covers usage examples and illustrative case studies showing the structure and application of ASCs, how to map controls into organizational and application normative frameworks, and how to perform verification activities — with the goal of helping organizations tailor controls to their specific technical, regulatory and business contexts.
Q: Who typically uses it?
A: Application security architects, development and operations teams, security governance teams, auditors, integrators and vendors — essentially anyone responsible for defining, implementing or assessing application-level security controls and their verification.
Q: Is it current or superseded?
A: ISO/IEC 27034-6:2016 is published and listed as the 2016 edition; the ISO product listing shows it as published and in the current catalogue (standards are subject to periodic review). Users should check the ISO catalogue or their national standards body for the latest confirmation or revision status before procurement.
Q: Is it part of a series?
A: Yes. It is one part of the ISO/IEC 27034 application security series (multiple parts covering overview and concepts, the organization normative framework, the management process, ASC data structures, XML schemas, assurance prediction and case studies). It is intended to be used together with the other parts (for example Parts 1, 2, 3, 5 and 7).
Q: What are the key keywords?
A: Application security, Application Security Control (ASC), Application Normative Framework (ANF), Organization Normative Framework (ONF), ASMP, verification measurement, case studies, levels of trust.