ISO 27001 - Clause 12


ISO 27001:2005

| Clause | Control / Control Objective | Description |
|--------|-----------------------------|-------------|
| 11.6 | Application access control | Logical access controls should be enacted to protect application systems and data from unauthorized access. |
| 11.6.1 | Information access restriction | To ensure that access is restricted to the organization's information assets by role. |
| 11.6.2 | Sensitive system isolation | To ensure that sensitive systems are logically and physically isolated. |
| 12 | Information Systems Acquisition, Development and Maintenance | |
| 12.1 | Security Requirements of Information Systems | To ensure that security is an integral part of information systems. Security requirements should be identified and agreed prior to the development or acquisition of information systems. |
| 12.1.1 | Security requirements analysis and specification | An analysis of the requirements for security controls should be carried out at the requirements analysis stage of each project. |
| 12.2 | Correct processing in applications | To prevent errors, loss, unauthorised modification or misuse of information in applications. Appropriate security controls, validation methodologies and audit trails or activity logs should be designed into application systems. |
| 12.2.1 | Input data validation | Data input into application systems should be validated. |
| 12.2.2 | Control of internal processing | Data processed by application systems should be validated. |
| 12.2.3 | Message integrity | A message authentication system should be considered for applications that have a requirement to protect the integrity and authenticity of the message content. |
| 12.2.4 | Output data validation | To ensure that output data is validated for its correctness. |
| 12.3 | Cryptographic Controls | To protect the confidentiality, authenticity or integrity of information by cryptographic means. Cryptographic systems and techniques should be used for the protection of information that is considered at risk and for which other controls do not provide adequate protection. |
| 12.3.1 | Policy on the use of cryptographic controls | |
| 12.3.2 | Key Management | A management system must be in place to protect an organisation's cryptographic keys from creation to destruction. |
| 12.4 | Security of System Files | To ensure that IT project and support activities are conducted in a secure manner. Access to system files should be controlled. |
| 12.4.1 | Control of operational software | Strict control should be exercised over the implementation of software on operational systems. |
| 12.4.2 | Protection of system test data | Test data should be protected and controlled. |
| 12.4.3 | Access control to program source code | Strict control should be maintained over access to program source code. |
| 12.5 | Security in Development and Support Processes | To maintain the security of application system software and information. Project and support environments should be strictly controlled. |
| 12.5.1 | Change control procedures | Formal change control procedures should be enforced. |
| 12.5.2 | Technical review of applications after operating system changes | The impact of operating system changes should be reviewed and tested to ensure that there is no adverse impact on operation or security. |
| 12.5.3 | Restrictions on changes to software packages | Modifications to software packages should be discouraged. Any essential changes should be strictly controlled. |
| 12.5.4 | Information leakage | To ensure that adequate controls are deployed to identify opportunities for information leakage. |
| 12.5.5 | Outsourced software development | Where software development is outsourced it should be closely monitored, fully tested and subject to an appropriate contract. |
| 12.6 | Technical Vulnerability Management | To reduce risks resulting from exploitation of published technical vulnerabilities. |
| 12.6.1 | Control of technical vulnerabilities | The organisation should have up-to-date information on technical vulnerabilities to allow it to address the risks posed by such vulnerabilities. |