INTERNATIONAL STANDARD ISO/IEC 27034-2
First edition 2015-08-15

Information technology - Security techniques - Application security - Part 2: Organization normative framework

Technologies de l'information - Sécurité des applications - Partie 2: Cadre normatif de l'organisation

Reference number ISO/IEC 27034-2:2015(E)
© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form without written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ISO/IEC 2015 - All rights reserved
No reproduction or networking permitted without license from IHS. Provided by IHS under license with ISO. Not for Resale, 12/25/2015 20:37:00 MST

Contents                                                                    Page
Foreword ................................................................... iv
Introduction
1 Scope ..................................................................... 1
2 Normative references
3 Terms and definitions ..................................................... 1
4 Abbreviated terms
5 Organization Normative Framework .......................................... 2
5.1 General ................................................................. 2
5.2 Purpose ................................................................. 2
5.3 Principles .............................................................. 2
5.4 ONF Management Process .................................................. 2
5.4.1 General ............................................................... 2
5.4.2 Use of RACI charts in description of activities, roles and responsibilities ... 4
5.4.3 Establishing the ONF committee ........................................ 5
5.4.4 Designing the ONF ..................................................... 6
5.4.5 Implementing the ONF .................................................. 8
5.4.6 Monitoring and reviewing the ONF ...................................... 10
5.4.7 Improving the ONF ..................................................... 11
5.4.8 Auditing the ONF ...................................................... 13
5.5 ONF Elements ............................................................ 15
5.5.1 General ............................................................... 15
5.5.2 Business context component
5.5.3 Regulatory context component .......................................... 17
5.5.4 Technological context component
5.5.5 Application specifications repository ................................. 19
5.5.6 Roles, responsibilities and qualifications repository ................. 20
5.5.7 Organization ASC Library .............................................. 21
5.5.8 Application Security Control .......................................... 23
5.5.9 Application Security Life Cycle Reference Model ....................... 26
5.5.10 Application Security Life Cycle Model ................................ 32
5.5.11 Application Security Management Process .............................. 33
5.5.12 Application Security Risk Analysis Process ........................... 34
5.5.13 Application Security Verification Process ............................ 36
Annex A (informative) Aligning the ONF and ASMP with ISO/IEC 15288 and ISO/IEC 12207 through ISO/IEC 15026-4 ... 38
Annex B (informative) ONF implementation example: implementing ISO/IEC 27034 Application Security and its ONF in an existing organization ... 42
Bibliography ................................................................ 52
