INTERNATIONAL ISO/IEC STANDARD 27034-5 First edition 2017-10 Information technology Security techniques Application security Part 5: Protocols and application security controls data structure Technologies de I'information - Techniques de securite Securite des applications - Partie 5: Protocoles et structure de données de controles de sécurite d'application Reference number IS0/IEC 27034-5:2017(E) EC s CopyrightInternationalOrganization for Standardization @IS0/IEC 2017 out license from IHS IS0/IEC 27034-5:2017(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISOcopyrightoffice Ch. de Blandonnet 8 · CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org @ IS0/IEC 2017 - All rights reserved Univ/5926867100, User=JACKEY,MA No reproductic or networking permited withoutlicense from IHS IS0/IEC 27034-5:2017(E) Contents Page Foreword ..V Introduction. ...vi 1 Scope. 2 Normative references 3 Terms and definitions 4 Abbreviated terms ..2 5 Application Security Control Structure .2 5.1 General. .2 5.2 ASC information requirements .2 5.2.1 Overview ..2 5.2.2 Integrity assurance. ..4 5.2.3 Multilingual/multiregional data representation .4 5.2.4 AsC information requirements. 5.3 AsC data structure recommendations. .14 5.3.1 General. .14 5.3.2 Exchange. ..14 5.3.3 Self-containedness ..14 6 Application Security Life Cycle Reference Model ..14 6.1 General. .14 6.2 Application Management Layer .16 6.2.1 General. .16 6.2.2 Initiating. .16 6.2.3 Planning.. ..16 6.2.4 Executing. ..17 6.2.5 Monitoring and controlling ..17 6.2.6 Closing. .18 6.3 Application provisioning and operation layer ..18 6.3.1 General. ..18 6.3.2 Preparation: Initiating. .18 6.3.3 Preparation: Plan. ..19 6.3.4 Outsourcing: Realization .19 6.3.5 Outsourcing: Transition 19 6.3.6 Development: Inception. 20 6.3.7 Development: Elaboration 20 6.3.8 Development: Construction 20 6.3.9 Acguisition:Plan 21 6.3.10 Acquisition: Close. 21 6.3.11 Transition: Plan. 21 6.3.12 Transition: Development 21 6.3.13 Transition: Test 22 6.3.14 Utilization: Utilization 22 6.3.15 Utilization: Maintenance 23 6.3.16 Archival: Archival. 23 6.3.17 Destruction: Destruction 24 6.4 Infrastructure management.. 25 6.4.1 General. 25 6.4.2 Establishment of the infrastructure .25 6.4.3 Maintenance of the infrastructure. 25 6.5 Application audit 26 6.5.1 General. 26 6.5.2 Initiating the audit. 26 6.5.3 Prepare the audit .27 yrntnematonaAll rights reerved ii ACKEY,MA No reproduction or networking permitted without license from IHS