ISO/IEC 27034-2 — Application Security — Part 2: Organization Normative Framework

Roles, Responsibilities, Processes, and Infrastructure for Enterprise Application Security Management

ISO/IEC 27034-2 focuses on the organizational normative framework for application security. While Part 1 provides the conceptual overview and introduces the application security control (ASC) framework, Part 2 addresses the organizational infrastructure needed to sustain application security across the enterprise. It defines the roles, responsibilities, processes, and policies that an organization must establish to implement the ASC framework effectively. This standard is essential for any organization seeking to move application security from ad-hoc practice to a structured, repeatable, and continuously improving organizational capability.

ISO/IEC 27034-2 is the standard that bridges individual project-level application security (covered in Part 3) and organizational governance. Without the organizational framework described in this standard, application security initiatives remain fragmented and dependent on the efforts of individual champions rather than being embedded in organizational processes.

Organizational Normative Framework for Application Security

ISO/IEC 27034-2 defines the organizational normative framework (ONF) as the complete set of processes, policies, procedures, roles, responsibilities, and resources that enable an organization to manage application security consistently across all applications. The ONF includes the establishment of an Application Security Governance Committee (or equivalent body) with cross-functional representation from security, development, operations, legal, compliance, and business units. This committee is responsible for approving the organization’s application security strategy, reviewing the ASC library, and ensuring that application security is aligned with business objectives.

The standard specifies several key organizational roles with defined responsibilities for application security. The Application Security Manager (or equivalent) is responsible for the day-to-day management of the application security program, including maintaining the organization-level ASC library (the O-ASC library), coordinating application security assessments, and reporting on the status of application security across the organization. Each application project is assigned an Application Security Officer who serves as the point of contact for security-related decisions within the project, including selecting the application-level ASCs (A-ASCs) that apply to it from the O-ASC library. This role-based framework ensures clear accountability and prevents the common problem where everyone is responsible for security but no one is specifically accountable.

Role | Responsibility | Reports to | Key activities
AppSec Governance Committee | Strategic oversight and policy approval | Board / executive management | Approve AppSec strategy, review O-ASC library, allocate resources
Application Security Manager | Program management and operational coordination | CISO / CIO | Maintain O-ASC library, coordinate assessments, report metrics
Application Security Officer | Project-level security facilitation | Application Security Manager | Select A-ASCs, verify implementation, conduct risk reviews
Application Developer | Secure coding and ASC implementation | Development Manager | Follow secure coding standards, implement ASCs, self-test
Application Tester | ASC verification and security testing | QA Manager | Execute security test plans, document findings, verify fixes
Application Auditor | Independent compliance assessment | Internal Audit / Compliance | Audit ASC compliance, review evidence, report non-conformities

Defining Processes and Policies for Application Security

ISO/IEC 27034-2 requires the organization to establish a set of documented processes that govern application security activities. These processes include application security policy management, ASC library management, application security context determination, ASC selection and tailoring, ASC verification and validation, and application security incident management. The standard emphasizes that these processes should be integrated with the organization’s existing management systems, particularly the ISMS (ISO/IEC 27001) and IT service management (ISO/IEC 20000), rather than creating parallel and potentially conflicting security processes.

A critical contribution of Part 2 is its guidance on ASC library management. The O-ASC library is the organization’s repository of standardized application security specifications. The standard defines the lifecycle of an O-ASC: creation or modification request, review and approval by the governance committee, publication and communication to application teams, periodic review for continued relevance, and eventual retirement or supersession. Each O-ASC must include metadata such as version history, effective date, applicable application contexts, verification requirements, and related organizational policies. This systematic approach ensures that the ASC library remains current, relevant, and trusted across the organization.

Organizations with a mature ONF as described in ISO/IEC 27034-2 onboard new applications into their security program considerably faster, because the roles, processes, and ASC library are already established. A new application selects from the existing O-ASC library according to its context rather than defining security requirements from scratch.

Do not underestimate the effort required to establish and maintain an O-ASC library. In practice, an initial library covering the organization's common application types and contexts can take several person-months to develop, review, and approve. Treat the ASC library as a living asset that requires ongoing investment, not a one-time project deliverable.

Building a Sustainable Application Security Program

From an engineering management perspective, ISO/IEC 27034-2 provides a blueprint for building a sustainable application security program. The standard recognizes that application security is not a project with an end date but an ongoing organizational capability. It therefore includes requirements for measuring the effectiveness of the application security program, conducting periodic reviews, and implementing improvements based on lessons learned. In practice, it is useful to define metrics at three levels: operational metrics (number of applications assessed, ASCs verified, vulnerabilities found and fixed), program metrics (coverage of applications by the ASC framework, average time to remediate, assessment throughput), and governance metrics (board-level security reporting, risk reduction trends, compliance status).

The standard also addresses the critical issue of competence and training. It requires that all personnel involved in application security activities have the necessary competence, which is ensured through a combination of education, experience, and training. The organization must maintain records of competence assessments and provide targeted training where gaps are identified. For engineering organizations, this translates into establishing secure coding training programs, security awareness initiatives for non-technical stakeholders, and specialized training for application security officers and auditors. The standard recommends that training be role-specific and updated regularly to address emerging threats and technologies.

A common implementation failure is establishing roles and processes on paper without allocating adequate resources. An Application Security Manager with no budget, no team, and no authority cannot fulfill the responsibilities defined in ISO/IEC 27034-2. Ensure that the organizational framework is backed by executive sponsorship, dedicated budget, and measurable objectives. Without these enabling factors, the ONF becomes a bureaucratic exercise rather than an operational capability.
Q1: How does ISO/IEC 27034-2 relate to Secure SDLC frameworks?
A: Part 2 provides the organizational context and infrastructure for a Secure SDLC. While Secure SDLC frameworks (like Microsoft SDL or NIST SSDF) focus on the technical activities within the development process, ISO/IEC 27034-2 addresses the organizational enablers — roles, governance, policies, and capabilities — without which technical Secure SDLC activities cannot be sustained.
Q2: What is the relationship between Part 2 and Part 3?
A: Part 2 (organization) defines the “who” and “what” of application security — the roles, responsibilities, and infrastructure. Part 3 (process) defines the “how” — the detailed process steps for managing ASC specification and implementation. Part 2 provides the organizational container within which the Part 3 process executes.
Q3: How often should the O-ASC library be reviewed?
A: The standard requires that O-ASCs be reviewed periodically for continued relevance but does not prescribe a fixed interval. A common practice is an annual review cycle, with ad-hoc updates triggered by significant events such as new regulations, major technology changes, or lessons learned from security incidents. Each O-ASC should have a review date and an owner responsible for keeping it current.
Q4: What qualifications should an Application Security Officer have?
A: The standard requires demonstrated competence for the role rather than specific credentials. In practice this means a combination of software development experience, information security knowledge, and risk assessment skills. Typical role profiles ask for several years of development experience, knowledge of secure coding practices, familiarity with the organization's technology stack, and the ability to communicate security requirements to both technical and non-technical stakeholders.
