ISO/IEC 27034-2
ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: organisation normative framework
(first edition)
Abstract
ISO/IEC 27034 part 2 “provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.”
[Source: ISO/IEC 27034-2:2015]
Introduction
Part 2 explains the structure, relationships and interdependencies between processes in the Organisation Normative Framework (ONF), a suite of application security-related policies, procedures, roles and tools.
Scope
Part 2 provides guidance on designing, implementing, operating and auditing the ONF.
Structure
Main sections:
5: Organization Normative Framework
Annex A: Aligning the ONF and ASMP with ISO/IEC 15288 and ISO/IEC 12207 through ISO/IEC 15026-4
Annex B: ONF implementation example: implementing ISO/IEC 27034 Application Security and its ONF in an existing organization
Status
The current first edition of part 2 was published in 2015 and confirmed unchanged in 2021.
Commentary
The highly structured ONF approach is formal and bureaucratic (e.g. a committee is needed to oversee the ONF), hence it seems most likely to suit mature organisations that already have, or need, a highly structured way of securing the applications they develop.
