ISO/IEC 27034-2:2015 IT Security techniques - Application Security - Part 2: Organisation Normative Framework

Status: Live
Published: 01/01/2015
Security level: Official
Amended / Internally developed: No
Live on platform: 23/06/21
Retired on platform:
Target Audience: Technical / General
Authoring body: International Organisation for Standardisation (ISO)
Grading: no grading applied
Standards
Abstract

This document provides a framework for application security.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

There is an ever-increasing need for businesses to focus on protecting their information and technological infrastructures, and organisations must do this in order to stay in business. ISO/IEC 27034 provides concepts, principles, frameworks, components and processes to assist organisations in integrating security seamlessly throughout the life cycle of their applications. When an organisation uses a systematic approach for improving application security, it provides the organisation with evidence and confidence that information being used and held in its application is being adequately protected. This part of ISO/IEC 27034 defines the processes required to manage the security of applications in the organisation.

The Organisation Normative Framework (ONF) is a key component for application security and provides a framework for best practices. It is the foundation of application security in the organisation. All organisations should base their decisions regarding application security on this framework.

Therefore, the purpose of this part of ISO/IEC 27034 is to assist organisations to create, maintain and validate their own ONF in compliance with the requirements of this International Standard.

The intended audience is managers, domain experts, auditors and the ONF committee.

Category: Security