ISO/IEC 27034 is an extension of 27001 and offers guidance on information security to organisations specifying, designing, programming or procuring, implementing and using application systems; that is, to business and IT managers, developers and auditors, and ultimately to the end-users of ICT. Its aim is to ensure that computer applications deliver the desired or necessary level of security in support of the organisation’s Information Security Management System, thereby adequately addressing many ICT security risks.

Scope and purpose

The standard covers the entire software acquisition process, whether applications are developed internally, acquired externally, outsourced/offshored, or produced through a hybrid of these approaches.

It addresses all aspects, from determining information security requirements, to protecting the information an application accesses, to preventing unauthorised use of, or unauthorised actions by, an application.

Having implemented the standard, an organisation can then look at improving the security and test quality of the software it develops or acquires.