Control: 14.1.3 - Protecting application services transactions

Guest user. Created: May 04, 2018. Last commented: Nov 12, 2019


I’m having some troubles with the following control: 14.1.3 Protecting application services transactions

Expert
Rhand Leal May 04, 2018

Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Could you please tell me what exactly are “application services transactions”, with a practical example ?

I googled it a bit but I cannot find any satisfactory explanation.

Answer: "Application services transactions" are basically all information exchanged between systems in a client-service structure (where part of the system is under control of the user, the other is under control of the application owner, and both are interconnected by a communication link).

Practical examples are Internet banking applications, social networks, corporate systems remotely accessed, etc.
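To make the control's wording concrete in code, the following is an added example (not part of the original thread or of any Advisera material) of one transaction message protected against four of the failure modes the control names: incomplete transmission (a length prefix), unauthorized alteration (an HMAC-SHA256 tag), mis-routing (the intended recipient is inside the authenticated body) and duplication or replay (a strictly increasing sequence number). Unauthorized disclosure is left to the transport layer, typically TLS, and is not shown. The shared key, the recipient identifiers and the banking-style payload are constructed for the example.

```python
import hashlib
import hmac
import json
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

# Constructed key for this example only; a real deployment provisions it
# through key management, never as a literal in source code.
SHARED_KEY = b"example-shared-key-not-for-production"


def build_message(key: bytes, seq: int, recipient: str, payload: dict) -> bytes:
    """Frame one transaction as: 4-byte length prefix | JSON body | HMAC-SHA256 tag.

    seq and recipient live inside the authenticated body, so the tag binds the
    message's position in the stream and its destination, not just the payload.
    """
    body = json.dumps(
        {"seq": seq, "to": recipient, "payload": payload}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack(">I", len(body)) + body + tag


class Receiver:
    """Checks framing, integrity, destination and freshness of incoming transactions."""

    def __init__(self, key: bytes, my_id: str):
        self.key = key
        self.my_id = my_id
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, wire: bytes):
        """Return (accepted, reason, payload); payload is None when rejected."""
        # Incomplete transmission: the prefix says how many bytes must have arrived.
        if len(wire) < 4:
            return False, "incomplete", None
        (body_len,) = struct.unpack(">I", wire[:4])
        if len(wire) != 4 + body_len + TAG_LEN:
            return False, "incomplete", None
        body = wire[4:4 + body_len]
        tag = wire[4 + body_len:]

        # Unauthorized alteration: verify the tag (constant time) before parsing anything.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "altered", None

        msg = json.loads(body)

        # Mis-routing: the destination is authenticated, so a message meant for
        # another party cannot be accepted here.
        if msg["to"] != self.my_id:
            return False, "misrouted", None

        # Duplication / replay: sequence numbers must strictly increase.
        if msg["seq"] <= self.last_seq:
            return False, "replay", None

        self.last_seq = msg["seq"]
        return True, "ok", msg["payload"]


def demo():
    """Send one good transfer, then exercise each failure mode named in the control."""
    rx = Receiver(SHARED_KEY, "bank-core")
    good = build_message(
        SHARED_KEY, 1, "bank-core", {"from": "ACC-1", "to": "ACC-2", "amount": 250}
    )
    results = {"good": rx.accept(good)[1]}
    results["replay"] = rx.accept(good)[1]            # identical bytes sent again
    tampered = bytearray(good)
    tampered[-TAG_LEN - 2] ^= 0x01                     # flip one bit inside the body
    results["altered"] = rx.accept(bytes(tampered))[1]
    results["incomplete"] = rx.accept(good[:-5])[1]    # tail lost in transit
    misrouted = build_message(SHARED_KEY, 2, "other-service", {"amount": 1})
    results["misrouted"] = rx.accept(misrouted)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver verifies the tag before it parses the JSON, so a tampered body never reaches the parser, and it checks the destination before the sequence number, so a misrouted message does not advance the receiver's replay window. A per-session sequence counter is enough here because the key is shared by exactly one sender and one receiver; with several senders, each sender needs its own counter or a random nonce plus a seen-set.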
Guest
Noriko Nov 07, 2019

This control is including two items involving "message": 1) how unauthorized message alteration will be prevented, 2) how unauthorized message duplication will be prevented. Does it mean those two items are required if your application has a capability to send messages?

Expert
Rhand Leal Nov 12, 2019

Please note that these items must be implemented only if:
- There are unacceptable risks demanding the implementation of the items
- There are legal requirements demanding the implementation of the items
- There is a top management decision demanding the implementation of the items

If none of the above occurs, you do not need to implement these items.

Considering that, you have to verify which of the above conditions applies to each item to define which one, or both, will be implemented.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

This material will also help you regarding selecting controls:
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
