CSA CAN/CSA-ISO/IEC 27034-1:12

Abstract

<strong>Purpose</strong> <br>The purpose of ISO/IEC 27034 is to assist organizations in integrating security seamlessly throughout the life cycle of their applications by: <br>a) providing concepts, principles, frameworks, components and processes; <br>b) providing process-oriented mechanisms for establishing security requirements, assessing security risks, assigning a Targeted Level of Trust and selecting corresponding security controls and verification measures; <br>c) providing guidelines for establishing acceptance criteria to organizations outsourcing the development or operation of applications, and for organizations purchasing from third-party applications; <br>d) providing process-oriented mechanisms for determining, generating and collecting the evidence needed to demonstrate that their applications can be used securely under a defined environment; <br>e) supporting the general concepts specified in ISO/IEC 27001 and assisting with the satisfactory implementation of information security based on a risk management approach; and <br>f) providing a framework that helps to implement the security controls specified in ISO/IEC 27002 and other standards. <br>ISO/IEC 27034: <br>a) applies to the underlying software of an application and to contributing factors that impact its security, such as data, technology, application development life cycle processes, supporting processes and actors; and <br>b) applies to all sizes and all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) exposed to risks associated with applications. <br>ISO/IEC 27034 <u>does not</u>: <br>a) provide guidelines for physical and network security; <br>b) provide controls or measurements; or <br>c) provide secure coding specifications for any programming language. <br>ISO/IEC 27034 <u>is not</u>: <br>a) a software application development standard; <br>b) an application project management standard; or <br>c) a software development life cycle standard. <br>The requirements and processes specified in ISO/IEC 27034 are not intended to be implemented in isolation but rather integrated into an organization's existing processes. To this effect, organizations should map their existing processes and frameworks to those proposed by ISO/IEC 27034, thus reducing the impact of implementing ISO/IEC 27034. <br>Annex A (informative) provides an example illustrating how an existing software development process can be mapped to some of the components and processes of ISO/IEC 27034. Generally speaking, an organization using any development life cycle should perform a mapping such as the one described in Annex A, and add whatever missing components or processes are needed for compliance with ISO/IEC 27034.