
ISO 27001 A.8.26

ISO/IEC 27001:2022 Information Security Management

Adam Lundqvist
Founder at SQUR · last verified 2026-06-19

Regulation text

Information security requirements shall be identified, specified and approved when developing or acquiring applications. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.26.)

ATT&CK techniques this article tests · 15

| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1190 by ensuring applications are developed with robust input validation and secure coding practices, reducing exploitable flaws. | 90% |
| T1078 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1078 by ensuring strong authentication and authorization mechanisms are designed and implemented within applications. | 90% |
| T1059 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1059 by requiring secure coding practices that mitigate injection vulnerabilities in application development. | 90% |
| T1068 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1068 by ensuring applications are designed with least privilege and robust vulnerability management. | 90% |
| T1055 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1055 by requiring secure memory management and process isolation in application design. | 70% |
| T1133 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1133 by ensuring external services are securely configured and access is strictly controlled within application design. | 70% |
| T1003 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1003 by ensuring secure storage and handling of credentials within applications. | 90% |
| T1552 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1552 by requiring secure credential management and storage practices. | 90% |
| T1562.001 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1562.001 by ensuring applications are designed not to interfere with or disable host security controls. | 70% |
| T1070.004 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1070.004 by requiring applications to implement secure logging and integrity checks, preventing unauthorized file deletion. | 70% |
| T1083 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1083 by requiring granular access controls and secure file system permissions within applications. | 90% |
| T1021 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1021 by ensuring remote access functionalities are securely designed and restricted. | 90% |
| T1005 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents T1005 by requiring robust data access controls and secure data handling within applications. | 90% |
| T1041 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1041 by ensuring applications are designed with secure network communication and data exfiltration prevention mechanisms. | 90% |
| T1486 | Control A.8.26 requires specifying security requirements for applications. This directly prevents T1486 by ensuring applications incorporate data integrity and availability measures, mitigating ransomware impact. | 90% |

Defending mitigations · 7

| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | Control A.8.26 requires identifying security requirements for applications. This supports M1051 by mandating that applications are designed for secure updates and vulnerability patching. | 90% |
| M1050 | Control A.8.26 requires specifying security requirements for applications. This supports M1050 by ensuring applications are developed with testability in mind, facilitating vulnerability scanning. | 90% |
| M1030 | Control A.8.26 mandates identifying security requirements for applications. This supports M1030 by requiring applications to be designed for deployment within segmented network architectures. | 70% |
| M1032 | Control A.8.26 requires specifying security requirements for applications. This supports M1032 by mandating that applications integrate multi-factor authentication for enhanced security. | 90% |
| M1035 | Control A.8.26 mandates identifying security requirements for applications. This supports M1035 by requiring applications to enforce the principle of least privilege for all users and processes. | 90% |
| M1047 | Control A.8.26 requires specifying security requirements for applications. This supports M1047 by mandating that applications include robust logging and auditing capabilities. | 90% |
| M1013 | Control A.8.26 mandates identifying security requirements for applications. This directly supports M1013 by requiring the integration of secure development principles and guidance into the application lifecycle. | 90% |

Underlying weaknesses · 7

| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-79 | Control A.8.26 requires identifying security requirements for applications. This directly prevents CWE-79 by mandating secure input validation and output encoding practices. | 90% |
| CWE-89 | Control A.8.26 requires specifying security requirements for applications. This directly prevents CWE-89 by mandating the use of parameterized queries and secure database access methods. | 90% |
| CWE-200 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents CWE-200 by requiring secure data handling, storage, and transmission protocols. | 90% |
| CWE-287 | Control A.8.26 requires specifying security requirements for applications. This directly prevents CWE-287 by mandating robust authentication mechanisms and identity verification. | 90% |
| CWE-269 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents CWE-269 by requiring strict privilege management and access control enforcement. | 90% |
| CWE-434 | Control A.8.26 requires specifying security requirements for applications. This directly prevents CWE-434 by mandating secure file upload validation and content scanning. | 90% |
| CWE-502 | Control A.8.26 mandates identifying security requirements for applications. This directly prevents CWE-502 by requiring secure deserialization practices and validation of untrusted data. | 90% |

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0194 compute · voice-rubric self-validated