
Control 8.26 : Application Security Requirements


Summary

Information security requirements should be identified, specified and approved when developing or acquiring applications. This ensures that security is not a reactive addition but a foundational specification for any software used by the organization.


Applicability

In-Scope: Mandatory for the acquisition of any SaaS product or the development of internal tools. It ensures that applications meet organizational standards for data handling, authentication, and auditability before they are integrated into the environment.

Out-of-Scope: Effectively none. Any organization that develops, acquires, or subscribes to software, including SaaS, is in scope for this control.


Implementation Guidance

Microsoft 365 / Entra ID

  • App Governance: Use the Cloud App Catalog in Microsoft Defender for Cloud Apps to review the risk score and compliance attributes of a third-party SaaS application before authorizing it for use with corporate credentials, and use its app governance feature to monitor the OAuth permissions an app holds after it is connected.

  • Single Sign-On (SSO): Require that any new application supports SAML 2.0 or OpenID Connect (OIDC) for federation with Entra ID, so that sign-in is centrally controlled and Conditional Access policies (including MFA) apply. Password-vaulting SSO does not give this assurance and should be treated as an exception that needs approval.

  • Compliance Manager: Utilize Microsoft Purview Compliance Manager to map application-specific requirements against the ISO 27001 framework, ensuring that the software supports necessary controls like data encryption and retention.
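The guidance above calls for an approved-app register and for federated SSO, and the evidence checklist below asks for a record of authorized enterprise applications. The following PowerShell script, added here as an example and not taken from the original page or any Microsoft documentation, produces that evidence from the tenant: it enumerates third-party and custom enterprise applications via Microsoft Graph, reconciles them against an approved register, and flags the conditions an auditor would ask about (not in the register, user assignment not required, password-vaulting SSO, or OAuth consent granted by an individual user rather than an admin). The approved register, the review reference numbers, and the output file name are constructed for illustration. It assumes Microsoft Graph PowerShell SDK 2.x and a reader with Application.Read.All and Directory.Read.All.

```powershell
# Added example: reconcile Entra ID enterprise applications against an
# approved-app register and flag gaps. Not code from the original page.
# Requires Microsoft.Graph PowerShell SDK 2.x; the $approved register below is
# constructed for illustration and must be replaced with the real register
# maintained from the security requirements review.

#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Constructed approved-app register: AppId -> review reference (hypothetical).
$approved = @{
    '00000003-0000-0000-c000-000000000000' = 'REQ-REVIEW-001 Microsoft Graph'
}

# Microsoft's service tenant id; service principals owned by it are first-party
# Microsoft apps and are excluded so the report focuses on third-party/custom apps.
$microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

# Enterprise applications are service principals of type 'Application'
# (this filter also excludes managed identities).
$sps = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
    -Property Id, AppId, DisplayName, AccountEnabled, AppRoleAssignmentRequired, `
              PreferredSingleSignOnMode, AppOwnerOrganizationId |
    Where-Object { $_.AppOwnerOrganizationId -ne $microsoftTenant }

# Delegated (OAuth2) permission grants. consentType 'Principal' means an
# individual user consented, i.e. the app was added without an admin review.
$grants = Get-MgOauth2PermissionGrant -All
$userConsented = $grants |
    Where-Object ConsentType -eq 'Principal' |
    Group-Object ClientId -AsHashTable -AsString

$report = foreach ($sp in $sps) {
    $findings = @()
    if (-not $approved.ContainsKey($sp.AppId)) { $findings += 'NotInApprovedRegister' }
    if (-not $sp.AppRoleAssignmentRequired)     { $findings += 'AssignmentNotRequired' }
    # 'password' = password-vaulting SSO, which bypasses federated MFA enforcement.
    # A null mode is common for OIDC apps registered in the tenant; it is reported
    # in the SsoMode column for manual review rather than flagged.
    if ($sp.PreferredSingleSignOnMode -eq 'password') { $findings += 'PasswordVaultingSso' }
    if ($userConsented -and $userConsented.ContainsKey($sp.Id)) { $findings += 'UserConsentedGrant' }

    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Enabled     = $sp.AccountEnabled
        SsoMode     = $sp.PreferredSingleSignOnMode
        Approval    = $approved[$sp.AppId]
        Findings    = ($findings -join ';')
    }
}

# Full export is the audit evidence; the console view shows only apps with findings.
$report | Sort-Object DisplayName | Export-Csv -NoTypeInformation -Path '.\enterprise-app-review.csv'
$report | Where-Object Findings | Format-Table DisplayName, SsoMode, Findings -AutoSize
```

Run it from the same account on a fixed schedule and keep each CSV with the date; the diff between two runs answers the auditor's question about what was added since the last review. Any row with NotInApprovedRegister that cannot be matched to a vetting record is either an undocumented approval or an app that bypassed the process, and either way needs a ticket.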


Evidence Checklist

  • Security Requirements Document: A checklist or formal document used during the procurement or design phase to specify necessary security features.

  • Vetting Records: Evidence of the security assessment conducted for a recently acquired application.

  • Approved App List: An export of the enterprise applications in Entra ID, reconciled against the register of applications that have been formally reviewed and authorized, together with the tenant's user consent settings showing that end users cannot add unreviewed applications without admin approval.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What are the mandatory security features (e.g., MFA support, encryption) that an application must have before it is considered for acquisition?

  • How are high-risk applications identified during the selection process, and who has the authority to approve a security exception?

  • Can you demonstrate the security review performed for the most recently added third-party application in your Entra ID tenant?

  • How do you ensure that security requirements remain met when an application undergoes a major version update or architectural change?