INTERNATIONAL ISO/IEC STANDARD 27034-7 First edition 2018-05 Information technology Application security - Part 7: Assurance prediction framework Technologies de I'information -Sécurite des applications- Partie 7:Cadre de lI'assurance d'une prédiction Reference number IEC IS0/IEC 27034-7:2018(E) tso @IS0/IEC2018 IS0/IEC27034-7:2018(E) COPYRIGHTPROTECTEDDOCUMENT @IS0/IEC2018 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either IsO at the address below orIso's memberbody in the countryof therequester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier,Geneva Phone:+41227490111 Fax:+41 22 749 09 47 Email: [email protected] Website: www.iso.org Published in Switzerland ii @ IS0/IEC 2018 -All rights reserved IS0/IEC27034-7:2018(E) Contents Page Foreword ..V 0 Introduction ...vi 1 Scope. 2 Normativereferences 3 Terms and definitions 4 Abbreviatedterms 5 Prediction concepts. .3 5.1 Goal of prediction .3 5.2 Prediction framework ..4 5.3 Expected Level of Trust .4 5.3.1 Concept 5.3.2 Expectedlevel oftrustintheONF ..5 5.3.3 Expectedlevel oftrustintheANF ..6 5.3.4 ASC data in the ANF .7 5.3.5 Expectedleveloftrustoversequenceofapplicationversions .8 5.4 Principles. .10 5.4.1 IS0/IEC27034-1principles .10 5.4.2 Appropriateinvestmentforapplication securityprinciple .10 5.4.3 Application securityshould bedemonstrated principle. .10 5.5 Prediction authorization. ..10 5.5.1 Prediction accountability ..10 5.5.2 Forced authorization. ..11 5.6 Claims relativeto the actual level of trust ..11 6 Predictions. ..11 6.1 Prediction initiator. .11 6.2 Predictioncircumstances .12 6.2.1 Typical circumstance ..12 6.2.2 Relationshiptolevelof trust. ..12 6.3 Prediction consumer. ..12 7 Substantial changes. ..13 7.1 Definition discussion ..13 7.2 Guidance for substantial changes risk analysis ..13 7.2.1 General .13 7.2.2 Code change and static analysis. .13 7.2.3 Architecturalreview. ..14 7.2.4 Deprecation oftests overtime. .14 8 Confidence ..14 8.1 Confidence building blocks ..14 8.2 Establishing confidence. ..14 9 Predictionapplicationsecurityrationale ..15 9.1 Linkage to ASC ..15 9.2 Components. ..15 9.3 Format .16 9.3.1 Identifiers,actors,AsCsoutcomes ..16 9.3.2 Rationale. .16 9.3.3 Duplication of information ..16 9.3.4 Assurance cases ..16 9.4 Approval byONFCommittee ..16 9.5 Use of RACI charts in description ofactivities, roles, and responsibilities .17 10 PASR audit .17 @ IS0/IEC 2018 - All rights reserved iii