# ISO/IEC 27034:2011*

Information technology - Security techniques - Application security

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
ANF Application Normative Framework
ASMP Application Security Management Process
IEC International Electrotechnical Commission
ISO International Organization for Standardization
ONF Organizational Normative Framework

# Overview

ISO/IEC 27034 provides one of the most widely accepted set of standards and guidelines for secure application development. ISO/IEC 27034 is a comprehensive set of standards that cover many aspects of application development. It defines concepts, frameworks, and processes to help organizations integrate security within their software development lifecycle.

A few of the key elements include the organizational normative framework (ONF), the application normative framework (ANF), and the application security management process (ASMP).

ISO/IEC 27034 supports the concepts defined in ISO/IEC 27001 and provides a framework to implement the controls found in ISO/IEC 27002.

# Components

The ONF and ANF are used to build the ASMP.


The ONF defines the organizational security best practices for all application development, and include several sections.

The ONF includes the application lifecycle reference model as well as roles and responsibilities (as shown below). It also contains an application specifications repository, which details the functional requirements for all applications.

Part of ISO/IEC 27034 lays out the ONF for all of the components of best practices with regard to application security. It is the container for all subcomponents of application security best practices catalogued and leveraged by an organization. The standard is composed of the following categories:

Includes all application security policies, standards, and best practices adopted by the organization.

Includes all standards, laws, and regulations that affect application security.

Includes required and available technologies that are applicable to application security.

Documents the organization's IT functional requirements and the solutions that are appropriate to address these requirements.

Documents the actors within an organization who are related to IT applications.

Relates to application security.

Contains the approved controls that are required to protect an application based on the identified threats, the context, and the targeted level of trust.

  • An ASC is a control that mitigates a security weakness within an application.*
    • Each ASC is paired to an application based on its contexts. These can be technical, regulatory, and business contexts.
    • Each ASC must include a verification measurement.

The Application Level of Trust is designed since not every application has the same need for security controls. Each ASC can fit within one or more levels of trust, commonly referred to as an "application level of trust."

ISO/IEC 27034 defines an ONF management process. This bidirectional process is meant to create a continuous improvement loop. Innovations that result from security a single application are returned to the ONF to strengthen all organization application security in the future.


The ANF uses the applicable portions of the ONF on a specific application to achieve the needed security requirements or the target trust level.

The ANF is used together with the ONF in that it is created for a specific application. The ANF shares the applicable parts of the ONF needed to achieve an application's required level of security and the level of trust desired.


ISO/IEC 27034 defines an ASMP to manage and maintain each ANF. The ASMP is created in five steps:

  • Specifying the application requirements and environment
  • Assessing application security risks
  • Creating and maintaining the ANF
  • Provisioning and operating the application
  • Auditing the security of the application