ISO/IEC 27034-1
ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Part 1: Overview and concepts
(first edition)
Abstract
“ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications. [Part 1] presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security. ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and where the development or the operation of the application is outsourced.”
[Source: ISO/IEC 27034-1:2011]
Introduction
As with other multipartite ISO27k standards, the first part sets the scene for the remainder, providing a general introduction and outlining the remaining parts.
Scope
The ISO/IEC 27034 standards are not specifically about software application development, application project management, or the software development life cycle. Their purpose is to provide general guidance on application security that will be supported, in turn, by more detailed methods and standards in those other areas.
The standards take a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, application security is not defined as the state of security of an application system (the result of the process) but as “a process an organisation can perform for applying controls and measurements to its applications in order to manage the risk of using them”.
They use the concept of defining a Targeted Level of Trust (similar to a security plan) for an application, designing and building the application to meet it, and then validating the application against it.
Structure
Main sections:
5: Structure of ISO/IEC 27034
6: Introduction to application security
7: ISO/IEC 27034 overall processes
8: Concepts
Annex A: Mapping an existing development process to ISO/IEC 27034 (case study)
Annex B: Mapping ASC with an existing standard
Annex C: ISO/IEC 27005 risk management process mapped with the ASMP
This part is ~80 pages long with quite a bit of detail.
Status
The current first edition of part 1 was published in 2011.
Three minor corrections plus a revised figure were published in 2014 as a technical corrigendum.
The corrected standard was confirmed in 2022.
A project to update the ISO/IEC 27034 standards commenced in 2024. It will take years to complete. All parts of the standard should conform with JTC 1/SC 17’s standards on software engineering, plus relevant ISO27k standards, and the terminology should align with the ISO 31000 series.
A major redesign of the scope of the individual ISO/IEC 27034 standards, and of the set as a whole, is under way, with the intention of making them more relevant and useful for SMEs and better aligned with other software engineering standards such as ISO/IEC/IEEE 12207 and 15288. The revision project was therefore stopped and restarted in 2025 at the Preliminary Work Item stage.
Commentary
The ISO/IEC 27034 standards draw on concepts such as auditing and certification of application systems, in a style similar to the Common Criteria and comparable schemes primarily used for government and military systems.
The text tends to emphasize deliberate threats from external adversaries, implying the importance of confidentiality controls and arguably downplaying insider and accidental threats and the need for integrity and availability controls; the process described, however, ostensibly takes account of the full spectrum of security risks and controls.
Rewriting all the parts in [ISO's version of] plain English would be enormously challenging for SC 27 but could substantially extend the utility and value of these standards.
