ISO 27001 Annex : A.14.1.2 Securing Application Services on Public Networks

Implementation Guidance – Information security requirements will include the following for application services that cross public networks:

1. Each party requires a level of trust in the identity claimed by each other, for example, through authentication;
2. Authorizations for those who may authorize the content of key transnational documents, issue or sign them;
3. Ensure that communication parties are fully aware of their service provision or usage authorizations;
4. Determination and compliance with the conditions of confidentiality, integrity, proof that key documents and contracts, for instance, related to contracts and tendering process, have been dispatched and received;
5. The level of trust required in key documents’ integrity;
6. Protection of any confidential information requirements;
7. Confidentiality and Integrity of any order transactions, payment details, delivery address information and receipt confirmation;
8. the appropriate verification degree for the verification of a customer’s payment information;
9. Choosing the most appropriate form of payment settlement for fraud protection;
10. the extent of security required for keeping information about the order confidentiality and integrity;
11. Avoidance of transaction information loss or duplication;
12. liability for all transactions involving fraud;
13. Requirements for insurance.

The application of cryptographic controls will resolve many of the above concerns in compliance with legal requirements.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

An agreement that is registered and binds all parties to the agreed terms of service, including specifics of the authorization, will help the application service arrangement between partners.

Resilience requirements should be considered against attacks that may include conditions to protect the application servers or ensure that network interconnections required to provide the service are available.

Other Information – Applications accessible through public networks are threatened by a number of networks, for example, fraudulent activity, contractual disputes, and public information. Detailed assessments of risk and an appropriate range of controls are therefore important. The needed controls also involve authentication and data transfer via cryptographic methods.

Secure authentication methods, e.g. using the public encryption key and digital signatures, can be used to reduce risks by application services. Trusted third parties, if such services are necessary, can also be used.

Also Read : ISO 27001 : Annex 14 System Acquisition, Development and Maintenance

A well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certificate that mainly covers information security clauses and their implementation, i.e., controls which should be implemented by the organization to preserve the CIA triad, Confidentiality, Integrity, and Availability to maintain their critical, sensitive information in a secure manner.  Infosavvy, an institute in Mumbai conducts training and certification for multiple domains in Information Security which includes IRCA CQI ISO 27001:2013 Lead Auditor (LA), ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you to understand and recognize the full scope of your organization’s security checks to protect your organization’s activities and information equipment (assets) from attacks, and also to illustrate the backup policy to safeguard if data gets lost due to intentional or natural hazards. Trainers will also help to understand that the requirements of information security for new information systems or improvements to existing information systems are important in order to ensure that systems function effectively and efficiently throughout their life cycle. We have trainers with extensive expertise and experience to ensure the efficient handling of the security of information. Consequently, the applicant will gain the necessary skills for the ISMS audit by using commonly agreed audit concepts, procedures and techniques.

Read More : https://info-savvy.com/iso-27001-annex-a-14-1-2-securing-application-services-on-public-networks/