What should we look at when defining our security requirements?

We have talked a lot in this blog about various aspects of implementing your information security management system; But one of the most fundamental aspects to this is understanding your security requirements. By taking an objective view of your particular organization we can clearly define what our risk is, what mitigating controls can be put in place and have the best view into our threat landscape. ISO 27001 outlines 3 main considerations to take with this;

Security category – 14.1. Security requirements of information systems

14.1.1. Information security requirements analysis and specification.

Security should be an integral part of the development and acquisition of all new information systems. This means including any security needs as deliverables/requirements at the earliest possible point in development or acquisition. The tenet of “If it doesn’t work securely, it doesn’t work.”[1] should apply when planning, developing, testing and deploying applications. The level of security should be a reflection of the value of the information being processed by the new application and its business criticality.

14.1.2. Securing application services on public networks.

Whenever our information processing takes place across public networks, such as the internet, we need to take steps to ensure the data isn’t disclosed or modified and to ensure there is a level of non-repudiation. Using encryption such as transporting the data over a VPN, SSL/TLS or IPSec can provide us with protection against disclosures and making use of encrypted hashes (known as digital signatures) can provide us with a level of assurance that the information has not been modified. In a PKI setup, we can also achieve non-repudiation through the use of public-private key pairs.

14.1.3. Protecting application service transactions

Special consideration should be given to information involved in transactions where data is modified within the service. Clearly defined stored procedures, database locking and other methods should be used to mitigate against this threat.


[1] Kelly Henderhan

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s