Which ISO standard helps organizations implement security processes and concepts in the field of application security?
You are looking for ISO/IEC 27034-1:2011. Its target audience is:
The following audiences will benefit from ISO/IEC 27034 while carrying out their designated organizational roles:
a) managers;
b) provisioning and operation teams;
c) acquisition personnel;
d) suppliers; and
e) auditors
To understand what this standard actually covers, read the following quotation:
The purpose of ISO/IEC 27034 is to assist organizations in integrating security seamlessly throughout the life cycle of their applications by:
a) providing concepts, principles, frameworks, components and processes;
b) providing process-oriented mechanisms for establishing security requirements, assessing security risks, assigning a Targeted Level of Trust and selecting corresponding security controls and verification measures;
c) providing guidelines for establishing acceptance criteria to organizations outsourcing the development or operation of applications, and for organizations purchasing from third-party applications;
d) providing process-oriented mechanisms for determining, generating and collecting the evidence needed to demonstrate that their applications can be used securely under a defined environment;
e) supporting the general concepts specified in ISO/IEC 27001 and assisting with the satisfactory implementation of information security based on a risk management approach; and
f) providing a framework that helps to implement the security controls specified in ISO/IEC 27002 and other standards.
ISO/IEC 27034:
a) applies to the underlying software of an application and to contributing factors that impact its security, such as data, technology, application development life cycle processes, supporting processes and actors; and
b) applies to all sizes and all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) exposed to risks associated with applications.
But:
ISO/IEC 27034 does not:
a) provide guidelines for physical and network security;
b) provide controls or measurements; or
c) provide secure coding specifications for any programming language.
All the controls are available in ISO/IEC 27002 and other standards. More information on this can be found in ISO/IEC 27000 and 27001.
All quotations are taken from: ISO/IEC 27034-1:2011 (en) Information technology - Security techniques - Application security.