Control attributes: Technological | Preventive | Protect

A.8.26 Application Security Requirements

M365 Admin Path: Azure DevOps > Boards

Evidence Source: Azure DevOps

What is this control?

ISO 27001 control A.8.26 Application Security Requirements ensures that information security requirements are identified, specified, and approved when developing or acquiring applications. The control requires security requirements to be documented early in the application lifecycle covering authentication, authorisation, data protection, logging, and input validation aligned with the organisation’s security policies and risk appetite.

How to implement in Microsoft 365

Implement A.8.26 by capturing application security requirements in Azure DevOps work items with mandatory fields for: Authentication requirements (MFA and SSO via Entra ID), Authorisation requirements (the RBAC model), Data Protection requirements (encryption and classification), Logging requirements (audit trail forwarded to Sentinel), and Input Validation requirements. Require CISO or Security Team approval, recorded before development proceeds. Document the security requirements in the ADO work item discussion or in linked documents.

Apply the same requirements to acquired or SaaS applications through supplier due diligence per A.5.19.

What an auditor looks for

Auditors will verify that Azure DevOps work items contain security requirements fields for authentication, authorisation, data protection, logging, and input validation. They will check for evidence of CISO or Security Team approval in the work item discussion, recorded before development started. Auditors will verify that security requirements documentation is linked to the work items.

They will check acquired applications underwent supplier due diligence including security requirements verification. Auditors will verify security requirements align with organisational policies and risk appetite.

M365 capabilities that implement this control

Defender for Cloud & CSPM Endpoint

Azure Defender for Cloud plans (Servers, Containers, Databases) and Cloud Security Posture Management with Secure Score