ISO/IEC 27034-2:2015

INTERNATIONAL ISO/IEC
STANDARD 27034-2
First edition
2015-08-15
Information technology — Security
techniques — Application security —
Part 2:
Organization normative framework
Technologie de l’information — Sécurité des applications —
Partie 2: Cadre normatif de l’organisation
Reference number
ISO/IEC 27034-2:2015(E)
©
ISO/IEC 2015

---------------------- Page: 1 ----------------------
ISO/IEC 27034-2:2015(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 27034-2:2015(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 1
5 Organization Normative Framework . 2
5.1 General . 2
5.2 Purpose . 2
5.3 Principles . 2
5.4 ONF Management Process . 2
5.4.1 General. 2
5.4.2 Use of RACI charts in description of activities, roles and responsibilities . 4
5.4.3 Establishing the ONF committee. 5
5.4.4 Designing the ONF . 6
5.4.5 Implementing the ONF . 8
5.4.6 Monitoring and reviewing the ONF .10
5.4.7 Improving the ONF . .11
5.4.8 Auditing the ONF .13
5.5 ONF Elements.15
5.5.1 General.15
5.5.2 Business context component .16
5.5.3 Regulatory context component .17
5.5.4 Technological context component .18
5.5.5 Application specifications repository .19
5.5.6 Roles, responsibilities and qualifications repository .20
5.5.7 Organization ASC Library .21
5.5.8 Application Security Control .23
5.5.9 Application Security Life Cycle Reference Model .26
5.5.10 Application Security Life Cycle Model .32
5.5.11 Application Security Management Process .33
5.5.12 Application Security Risk Analysis Process .34
5.5.13 Application Security Verification Process .36
Annex A (informative) Aligning the ONF and ASMP with ISO/IEC 15288 and ISO/IEC 12207
through ISO/IEC 15026-4 .38
Annex B (informative) ONF implementation example: implementing ISO/IEC 27034
Application Security and its ONF in an existing organization .42
Bibliography .52
© ISO/IEC 2015 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 27034-2:2015(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques.
ISO/IEC 27034 consists of the following parts, under the general title Information technology — Security
techniques — Application security:
— Part 1: Overview and concepts
— Part 2: Organization normative framework
The following parts are under preparation:
— Part 3: Application security management process
— Part 4: Application security validation
— Part 5: Protocols and application security control data structure
— Part 6: Security guidance for specific applications
— Part 7: Application security assurance prediction
iv © ISO/IEC 2015 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 27034-2:2015(E)

Introduction
General
Organizations must protect their information and technological infrastructures in order to stay in
business. There is an increasing need for organizations to focus on protecting their information at the
application level. A systematic approach towards improving application security provides an organization
with evidence that information being used or stored by its applications is being adequately protected.
ISO/IEC 27034 provides concepts, principles, frameworks, components and processes to assist
organizations in integrating security seamlessly throughout the life cycle of their applications.
The Organization Normative Framework (ONF) is the most important of those components.
The ONF is an organization-wide framework where all application security best practices recognized
by the organization are stored. It comprises essential components, processes that utilize these
components, and processes for managing the ONF itself. It is the foundation of application security in
the organization and all the organization’s future application security decisions should be made by
referring to this framework. The ONF is the authoritative source for all components and processes
related to application security in the organization.
This part of ISO/IEC 27034 defines the processes required to manage the security of applications in
the organization. These processes are presented in 5.4. It also introduces security-related elements of
applications (processes, roles and components) that should be integrated into the ONF. These elements
are presented in 5.5.
Finally, this part of ISO/IEC 27034 presents the Auditing the ONF process, needed by an organization
for verifying its ONF and verifying compliance of all applications with the requirements and controls in
the ONF. This process is presented in 5.4.8.
Purpose
The purpose of this part of ISO/IEC 27034 is to assist organizations to create, maintain and validate
their own ONF in compliance with the requirements of this International Standard.
This part of ISO/IEC 27034 is designed to enable an organization to align or integrate its ONF with
the organization’s enterprise architecture and/or the organization’s information security management
system requirements. However, implementing an information security management system as
described in ISO/IEC 27001 is not a requirement for the implementation of this International Standard.
Targeted Audiences
General
The following audiences will find value and benefits when carrying their designated organizational roles:
a) managers;
b) ONF committee;
c) domain experts;
d) auditors.
Managers
Managers should read this International Standard because they are responsible for the following:
a) improving application security through the ONF and other aspects of ISO/IEC 27034;
b) ensuring the ONF stays aligned with the organization’s information security management system
and application security needs;
© ISO/IEC 2015 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 27034-2:2015(E)

c) leading the establishment of the ONF in the organization;
d) ensuring the ONF is available, communicated and used in application projects with proper tools
and procedures all across the organization;
e) determining the appropriate level(s) of management that the ONF Committee reports to.
ONF Committee
The ONF Committee is responsible for managing the implementation and maintenance of the
application-security-related components and processes in the Organization Normative Framework.
The ONF Committee needs to
a) manage the cost of implementing and maintaining the ONF,
b) determine what components and processes should be implemented in the ONF,
c) make sure introduced components and processes respect the organization’s priorities for security
requirements,
d) review auditor reports for acceptance or rejection that the ONF conforms to this International
Standard and meets the organization’s requirements,
e) provide processes and tools for managing compliance with standards, laws and regulations
according to the regulatory context of the organization,
f) communicate security awareness, training and oversight to all actors, and
g) promote compliance with the ONF for all application projects throughout the organization.
ONF development team
Experts who have been assigned by the ONF Committee with the task of developing and implementing
one or more ONF element(s), who need to
a) develop and implement a designed ONF element,
b) determine training in the use of ONF elements by its different actors, and
c) collaborate in providing adequate training to actors.
Domain experts
Provisioning, operation, acquisition and audit experts who need to
a) participate in ONF implementation and maintenance,
b) validate that the ONF is useable and useful in the course of an application project, and
c) propose new components and processes.
Auditors
Auditors are personnel performing roles in the audit processes, who need to participate in ONF
validation and verification.
NOTE Auditors may be external or internal to the organization, depending on the target and circumstances
of the audit, and according to the organization’s audit policies and conformance requirements.
vi © ISO/IEC 2015 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27034-2:2015(E)
Information technology — Security techniques —
Application security —
Part 2:
Organization normative framework
1 Scope
This part of ISO/IEC 27034 provides a detailed description of the Organization Normative Framework
and provides guidance to organizations for its implementation.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security Techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27005, Information technology — Security techniques — Information security risk management
ISO/IEC 27034-1:2011, Information technology — Security techniques — Application security —
Part 1: Overview and concepts
NOTE Additional detail about the relationship between ISO/IEC 27034 and other standards is available in
ISO/IEC 27034-1:2011, 0.5.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27034-1, ISO/IEC 27000,
and ISO/IEC 27005 apply.
4 Abbreviated terms
ASLC Application Security Life Cycle
ASLCRM Application Security Life Cycle Reference Model
ANF Application Normative Framework
ASC Application Security Control
ASMP Application Security Management Process
ONF Organization Normative Framework
© ISO/IEC 2015 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 27034-2:2015(E)

5 Organization Normative Framework
5.1 General
An organization’s normative framework is the sum of all regulations, policies, practices, roles and tools
used by the organization. Every organization should already have a normative framework, more or less
formally documented.
The Organization Normative Framework (ONF) concept described in this International Standard is an
organization-wide framework containing a subset of the organization’s processes and components that
are relevant to application security and are normative inside the organization.
Although an informal ONF is a first step towards securing the organization’s applications, this
International Standard recommends a formalized and standardized ONF, as described in this
International Standard.
5.2 Purpose
The purpose of implementing the ONF is to:
a) assign responsibility for application security and establish a process that can evolve to improve
application security visibility;
b) ensure all elements (components, roles and processes) involved in application security are
approved by the appropriate decision-makers and accepted by all relevant actors and stakeholders;
c) minimize resistance to changes brought by these new application security elements;
d) standardize application security elements to ensure a uniform implementation and verification
throughout the organization;
e) help the organization to improve its maturity level (as defined in ISO/IEC 15504 and other
standards such as SEI/CMMI) by formalizing and revising all application security elements to keep
them up to date with the organization’s evolving environment; and
f) establish mechanisms to ensure that an appropriate level of security can be achieved in a cost-
effective manner, for example, through reusing existing approved application security elements.
5.3 Principles
Organizations creating and maintaining the components and processes in the ONF should be guided by
the following principles:
a) the contents of ONF should be adapted to the organization’s business needs;
b) any element defined in the ONF should be approved by the ONF committee;
c) contents of the ONF should be available and communicated organization-wide;
d) because the threat context changes continuously and without notice, the organization should be
prepared to review the ONF in response to those changes; and
e) the ONF should be auditable.
5.4 ONF Management Process
5.4.1 General
The organization should establish, implement, maintain and improve an organization-level process for
the management of its ONF.
2 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 27034-2:2015(E)

The ONF Management Process comprises six sub processes.
Four of them are adapted from the “Plan, Do, Check, Act” processes of the general PDCA model, and are
tailored for the development and implementation of application security elements in the ONF.
The following table shows how ONF management sub processes map to the four stages of the PDCA
model and to information security management system processes.
Table 1 — Mapping of PDCA stages, information security management system processes and
application security-related ONF management sub processes
ISO/IEC 27001 ISO/IEC 27034
PDCA Stage
Information security management process ONF Management Process
Plan Planning Designing the ONF
Do Support / Operation Implementing the ONF
Check Performance evaluation Monitoring and reviewing the ONF
Act Improvement Improving the ONF
Another sub process, “Establishing the ONF committee”, is used first, to mandate the ONF committee
and demonstrate appropriate accountable management’s commitment to application security.
Finally, the “Auditing the ONF” sub process is used for verifying the ONF and verifying compliance of
applications with the requirements and controls in the ONF.
The organization should perform the ONF Management Process iteratively in order to incrementally
implement the ONF. This reduces impact and achieves quicker gains by prioritizing in each iteration
those elements that are more urgently needed.
A graphical representation of the ONF Management Process is shown in Figure 1. The figure also shows
how this process relates to the organization’s other management processes, and to the Application
Security Management Process which makes use of the ONF for adding Application Security Controls to
application projects.
© ISO/IEC 2015 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 27034-2:2015(E)

Figure 1 — ONF Management Process
5.4.2 Use of RACI charts in description of activities, roles and responsibilities
This International Standard uses RACI charts for assigning roles and responsibilities for carrying out
activities in processes. Such charts identify actors responsible, accountable, consulted or informed for
the realization of an activity. Abbreviations are used for describing responsibilities of actors. Those are
enumerated in Table 2.
Table 2 — Abbreviations for responsibilities used in RACI charts
Code Responsibility
R Responsible for the realization of an activity
A Accountable for the realization of an activity
C Consulted during the realization of an activity
I Informed of the realization of an activity
Use of RACI charts within organizations implementing this standard is not required. Organizations
should align guidance provided in this standard with their own method of clarifying roles and
responsibilities.
When conducting realization and verification activities, it is critical for organizations to determine
the resources that are responsible, accountable, consulted, and informed. The tables below provide a
starting point for discussion during the realization of an ONF.
4 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 27034-2:2015(E)

5.4.3 Establishing the ONF committee
5.4.3.1 Purpose
The purpose of this process is to establish an ONF committee with the required authority and resources
for the development, implementation and evolution of the ONF, and to demonstrate appropriate
accountable management’s commitment.
5.4.3.2 Outcomes
As a result of the successful performance of this process:
a) roles and responsibilities for ONF Committee members are defined;
b) a candidate is appointed for each role;
c) the ONF committee is officially mandated to establish and maintain the ONF and this is
communicated within the organization;
d) the ONF committee is made accountable for the implementation, quality, and utilization of the ONF
in the organization;
e) the ONF committee is provided with the necessary resources for assuming its responsibilities; and
f) the ONF committee is provided with sufficient authority for relevant internal communication.
5.4.3.3 Realization activities
Table 3 — RACI chart for realization of process “Establishing the ONF committee”
Realization activities Managers
1) Define roles and responsibilities for ONF Committee members. A/R
2) Appoint a candidate for each role. A/R
3) Officially mandate the ONF committee to establish and maintain the ONF and communicate
A/R
this within the organization.
4) Make the ONF committee accountable for the ONF implementation, quality, and utilization
A/R
in the organization.
5) Provide the ONF committee with the necessary resources for assuming its responsibilities. A/R
6) Provide the ONF committee with sufficient authority for relevant internal communication. A/R
5.4.3.4 Verification activities
Table 4 — RACI chart for verification of process “Establishing the ONF committee”
Verification activities Managers Auditors
1) Verify the existence of official communication from appropriate accountable
A R
management demonstrating that outcomes a), b), c) and d), were achieved.
2) Evaluate from official communication from appropriate accountable manage-
A R
ment whether outcomes e) and f) were achieved.
© ISO/IEC 2015 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC 27034-2:2015(E)

5.4.4 Designing the ONF
5.4.4.1 Purpose
The purpose of this process is to determine goals for application security, determine which elements
should be implemented in the ONF in the current iteration of the ONF management process, and design
those elements.
5.4.4.2 Outcomes
As a result of the successful performance of this process:
a) the scope of the current iteration of the ONF management process is defined, approved by
appropriate accountable management and communicated, and
b) in-scope ONF elements are designed.
5.4.4.3 Realization activities
Table 5 — RACI chart for process “Designing the ONF”
ONF Com-
Managers
Realization activities mittee
1)  Determine application security goals. A R
2)  Define the scope and implementation strategy of the current iteration of the
A R
ONF management process.
3)  Define the organization’s application security posture, priorities and plans. A/R
4)  Establish an inventory and a security classification of information involved
with applications and integrate it within the organization’s information architec- A/R
ture.
5)  Design ONF elements. A/R
5.4.4.4 Verification activities
Table 6 — RACI chart for verification for process “Designing the ONF”
Verification activities Managers Auditors
1)  Verify that the scope of the current iteration of the ONF management process is
A R
defined, approved by appropriate accountable management and communicated.
2)  Verify that the ONF elements in scope for the current iteration are designed
A R
correctly.
5.4.4.5 Guidance
Possible inputs for this process are:
a) outcomes of the organization’s security risk management process, such as organization-level
security objectives or plans;
b) outcomes of the “Improving the ONF” process, such as documented needs to redesign ONF elements
or design new ONF elements;
c) outcomes of the “Auditing the ONF” process;
d) outcomes of an organization’s information security audit;
e) training needs, strategy, metrics, policies, and up to date knowledge of attacks and mitigations; and
6 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 12 ----------------------
ISO/IEC 27034-2:2015(E)

f) other ISO/IEC standards including supply chain (27036), evaluation (15408), assurance (15026),
software life cycle processes (12207), system life cycle processes (15288) – see ISO/IEC 27034-
1:2011, 0.5 and Figure 1.
ONF elements that should be designed are described in 5.5. Specific guidance for the design of those
elements is also found in 5.5.
ONF elements should be designed and built in an iterative process. In the course of this process, the
ONF committee should:
a) prioritize elements based on the organization’s priorities and available resources;
b) assign responsibility and sufficient resources for the design of in-scope elements;
c) monitor and validate the design of ONF elements;
d) integrate the ONF’s processes into the organization’s business processes;
e) ensure that the ONF’s application security policy is aligned with the organization’s other policies
and the organization’s information security management system;
f) ensure that the ONF is aligned with the organization’s security architecture, information
architecture and business architecture;
g) ensure that ONF risk management performance indicators are aligned with other performance
indicators used in the organization;
h) ensure that ONF risk management objectives are aligned with the objectives and strategies of the
organization;
i) ensure legal and regulatory compliance;
j) ensure that the outcomes of its activities are communicated to all relevant parties;
k) designate an information repository to act as the authoritative source for consolidating and
communicating information on the ONF and all its elements;
l) establish communication and reporting mechanisms (internal, external, interfaces with application
projects, etc.); and
m) provide guidance on how to implement the requirements from this International Standard in the
organization, by establishing an application security management policy.
NOTE It should not be expected that every member or partner of the organization will read this International
Standard. It should be expected that they conform t
...