ISO/IEC INTERNATIONAL STANDARD 27034-1 First edition 2011-11-15 Information technology Security techniques Application security Part 1: Overview and concepts TechnologiesdeI'informationTechniquesdesécuriteSécurite desapplications- Partie 1:Apercu general et concepts Reference number ISO/IEC 27034-1:2011(E) IEC CopyighlnermaionalOrganizationfor Standardization ISO/IEC2011 led without license from IHS Not for Resale, 12/23/2015 17:00:56 MST ISO/IEC27034-1:2011(E) COPYRIGHTPROTECTEDDOCUMENT ISO/IEC2011 Iso's member body in the country of the requester. ISO copyright office Case postale 56CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland @ISO/IEC 2011-Allrights reserved No reproduction or networking permited without license from IHS Not for Resale, 12/23/2015 17:00:56 MST ISO/IEC27034-1:2011(E) Contents Page FOREWORD INTRODUCTION VII 0.1 GENERA... 0.2 PURPOSE VIII 0.3 TARGETED AUDIENCES. 0.3.1 General.... 0.3.2 Managers... 0.3.3 Provisioningandoperationteams... 0.3.4 Acquirers.. 0.3.5 Suppliers 0.3.6 Auditors. 0.3.7 Users. 0.4 PRINCIPLES 0.4.1 Security is a requirement.. 0.4.2 Applicationsecurityiscontext-dependent XIl 0.4.3 Appropriate investmentforapplicationsecurity. xil 0.4.4 Application securityshouldbedemonstrated.... 0.5 RELATIONSHIP TO OTHER INTERNATIONAL STANDARDS.. 0.5.1 General.. xili 0.5.2 Iso/IEc27001,Informationsecuritymanagementsystems- Requirements... .xili 0.5.3 Iso/IEc27oo2,Codeof practiceforinformationsecuritymanagement....... 0.5.4 Iso/lEc27005,Informationsecurityriskmanagement.. .. xifi 0.5.5 ISO/IEC21827,SystemsSecurityEngineering-CapabilityMaturityModel?(SSE 0.5.6 /SO/lEC15408-3.Evaluationcriteriafor/Tsecurity -Part3:Securityassurance components.. 0.5.7 ISO/IEcTR15443-1,AframeworkforITsecurityassurance—Part1:Overviewand framework,and ISO/IECTR15443-3,Aframeworkfor/Tsecurityassurance—Part3: Analysis ofassurancemethods... .... Xiv 0.5.8 /SO/IEC15026-2,Systemsandsoftwareengineering- Systemsandsoffware assurancePart 2. Assurance case ... 0.5.9 /SO/IEC15288,Systemsandsoftwareengineering- -Systemlifecycleprocesses,and Iso/IEc12207,Systemsandsoftwareengineering-Software lifecycleprocess....xiv 0.5.10 /SO/lEc29193(underdevelopment),Securesystemengineeringprinciplesand techniques...... XiV SCOPE 2 NORMATIVEREFERENCES. 3 TERMSANDDEFINITIONS 4 ABBREVIATEDTERMS 5 STRUCTUREOFISO/IEC27034 5 6 INTRODUCTIONTOAPPLICATIONSECURITY 6 6.1 6.2 APPLICATION SECURITY VS SOFTWARE SECURITY 6.3 APPLICATION SECURITY SCOPE... 6 6.3.1 General... 6.3.2 Business context.... 6.3.3 Regulatory context... 6.3.4 Applicationlifecycleprocesses 6.3.5 Processes involved with theapplication.... CepyrightnmatinalOorgaonrstandandzationAll rightsreserved ili Not for Resale, 12/23/2015 17:00:56 MST ISO/IEC27034-1:2011(E) 6.3.6 Technological context... 6.3.7 Application specifications... 6.3.8 Application data..... 6.3.9 Organizationand userdata. 6.3.10 Roles andpermissions.. 6.4 APPLICATION SECURITY REQUIREMENTS 6.4.1 Applicationsecurityrequirementssources 6.4.2 Applicationsecurityrequirementsengineering 6.4.3 ISMS.. 6.5 RISK 9 6.5.1 Applicationsecurityrisk..... 6.5.2 Applicationvulnerabilities.. .10 6.5.3 Threatstoapplications. 10 6.5.4 Impactonapplications. 10 6.5.5 Riskmanagement. .10 6.6 SECURITYCOSTS 10 6.7 TARGET ENVIRONMENT 6.8 CONTROLS AND THEIR OBJECTIVES 11 ISO/IEC27034OVERALLPROCESSES 11 7.1 COMPONENTS,PROCESSES AND FRAMEWORKS 11 7.2 ONF MANAGEMENT PROCESS .... 12 7.3 APPLICATION SECURITY MANAGEMENT PROCESS.. 13 7.3.1 13 7.3.2 Specifying the application requirements and environment ... .13 7.3.3 Assessingapplication security risks... 13 7.3.4 Creating and maintaining theApplication Normative Framework. 13 7.3.5 Provisioning and operating the application.... 14 7.3.6 Auditing the security of the application.. 14 CONCEPTS 8.1 ORGANIZATION NORMATIVE FRAMEWORK.... .14 8.1.1 General.. 14 8.1.2 Components 15 8.1.3 ProcessesrelatedtotheOrganizationNormativeFramework 8.2

pdf文档 ISO IEC 27034-1-2011

文档预览
中文文档 82 页 50 下载 1000 浏览 0 评论 0 收藏 3.0分
温馨提示:本文档共82页,可预览 3 页,如浏览全部内容或当前文档出现乱码,可开通会员下载原始文档
ISO IEC 27034-1-2011 第 1 页 ISO IEC 27034-1-2011 第 2 页 ISO IEC 27034-1-2011 第 3 页
下载文档到电脑,方便使用
本文档由 思安 于 2022-11-26 11:44:35上传分享
站内资源均来自网友分享或网络收集整理,若无意中侵犯到您的权利,敬请联系我们微信(点击查看客服),我们将及时删除相关资源。