ISO/IEC INTERNATIONAL STANDARD 27034-3 First edition 2018-05 Information technology Application security - Part 3: Application security management process Technologie de I'information - Sécurite des applications - Partie 3: Processus de gestion de la securité d'une application Reference number IEC IS0/IEC 27034-3:2018(E) oS1 @IS0/IEC2018 IS0/IEC27034-3:2018(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC2018 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting beloworIso'smemberbodyinthecountryoftherequester ISO copyright office CP 40i: Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +4122 749 0111 Fax: +41 22 749 09 47 Email: [email protected] Website: www.iso.org Published in Switzerland ii @ IS0/IEC 2018 - All rights reserved IS0/IEC27034-3:2018(E) Contents Page Foreword .. Introduction. ..i. 1 Scope.. 2 Normative references 3 Terms and definitions ..1 4 Abbreviated terms. .2 5 Application Security Management Process ..2 5.1 General .2 5.2 Purpose. 4 5.3 Principles and concepts 5.3.1 General. 4 5.3.2 Clearly communicate roles and responsibilities 4 5.3.3 Relationship of the ASMP with the Organizational Normative Framework (ONF) 4 5.3.4 Use approved tools. 5 5.3.5 LevelofTrust .5 5.3.6 Application's Targeted Level of Trust 5 5.3.7 Application's Actual Level of Trust .5 5.3.8 Impact of this document on an application project 6 6 ASMP steps. 7 6.1 Identifying the application requirements and environment 7 6.1.1 General. 7 6.1.2 Purpose. .8 6.1.3 Outcomes. .8 6.1.4 Realization activities. .8 6.1.5 Verification activities. .9 6.1.6 Guidance. 9 6.2 Assessing application security risks 6.2.1 General. .11 6.2.2 Purpose. .12 6.2.3 Outcomes. .12 6.2.4 Realization activities. .12 6.2.5 Verification activities. .13 6.2.6 Guidance .13 6.3 Creating and maintaining the Application Normative Framework 21 6.3.1 General 21 6.3.2 Purpose 22 6.3.3 Outcomes. 22 6.3.4 Realization activities. 22 6.3.5 Verification activities 23 6.3.6 Guidance 23 6.4 Provisioning and operating the application 24 6.4.1 General. 24 6.4.2 Purpose 25 6.4.3 Outcomes. 26 6.4.4 Realization activities. 26 6.4.5 Verification activities 26 6.4.6 Guidance. 27 6.5 Auditing the security of the application. 27 6.5.1 General .27 6.5.2 Purpose .28 6.5.3 Outcomes. .28 6.5.4 Realizationactivities. 29 @ IS0/IEC 2018 - All rights reserved ili