GRCWatch
Sign inStart free trial

ISO 27001 Control 8.26: Application Security Requirements

Security vulnerabilities in custom and third-party applications represent a critical attack surface for organizations. ISO 27001 control 8.26 requires you to establish security requirements upfront during application development or acquisition, ensuring protection is engineered in rather than patched afterwards.

What this means

Control 8.26 mandates that organizations identify, document, and formally approve security requirements before building or buying applications. This shift-left approach embeds security into the software development lifecycle from conception, reducing the cost and risk of fixing vulnerabilities post-deployment. Security specifications must be aligned with your organization's overall information security policy and address threats relevant to your business context.

How to comply

  1. 1.Create and maintain a policy requiring security requirements in all application development and acquisition processes
  2. 2.Define standard security requirements applicable to your organization (e.g., encryption, authentication, logging, input validation)
  3. 3.Document security specifications for each new or modified application before development begins
  4. 4.Establish an approval process requiring security stakeholders to sign off on requirements before coding starts
  5. 5.Include security requirements in vendor evaluation and contract terms for third-party applications
  6. 6.Review and update security requirements regularly to reflect emerging threats and technology changes
  7. 7.Train development teams and vendors on your security requirements and expectations

Evidence auditors look for

  • Application security requirements policy document with approval dates
  • Security requirements templates or standards used across projects
  • Individual application security requirement specifications with sign-off records
  • Vendor contracts containing security requirements and acceptance criteria
  • Change control records showing security review before application updates
  • Security requirements tracking matrix linked to business applications inventory
  • Training completion records for development and security teams

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch simplifies 8.26 compliance by centralizing application security requirements in a single repository, automating approval workflows, and tracking which applications have signed-off specifications—eliminating spreadsheets and missed sign-offs.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 8.25 - Responsible disclosureISO 27001 8.28 - Secure development life cycleISO 27001 8.30 - Development and testing environment separation