ISO27001:2013 A.14.1.3 - Protecting application service transactions

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Hi,

For control A.14.1.3 - "Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay." - I'm not clear exactly what this is asking and how it applies to us.

Our company builds and manages cloud-based software, and internally we use both cloud-based and on-premise applications, so I expect that it will relate to these. But I'm not sure how.

Can anyone please give me an example of how this control is implemented in their environment? Alternatively, a better explanation of exactly what this control means would be great.

Regards
Damian
DejanK Jan 12, 2016

Damian,

In most cases this control applies to e-commerce transactions - so when a financial transaction is made, you have to make sure it is completely protected.

Theoretically, a "transaction" can also be interpreted as many other things, but normally the certification auditors do not go that far.

Guest post Jan 12, 2016

Dejan,

Thanks for this, that makes sense. One follow up question though - does it apply to both:
* external e-commerce systems that we use in our business (i.e. that we are a customer of), as well as
* any e-commerce systems that we have developed (i.e. that our customers use)
I'm assuming both cases.

Regards
Damian

DejanK Jan 12, 2016

Damian,

Please find my answers below:

* external e-commerce systems that we use in our business (i.e. that we are a customer of)
- No - this is something that is usually not covered by this control, because you didn't program those applications, so you cannot influence the transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

* any e-commerce systems that we have developed (i.e. that our customers use)
- This depends on the ISMS scope - if you run those systems on your servers and you are responsible for client data, then yes - control A.14.1.3 is applicable; if those systems run on your clients' servers and they are managing them, then usually such applications are out of the ISMS scope.

Guest post Jan 12, 2016

Dejan,

Thanks for this, that clarifies it nicely.

Regards
Damian

Guest post Jan 12, 2016

Hi Dejan,

You mentioned that in most cases it is applied to e-commerce; what could be other examples where it can apply?

Our team is thinking about whether it is applicable or not, though we are not considering it for e-commerce. Please suggest!

Thanks,

-Amit

AntonioS Jan 12, 2016

It can also apply to financial transactions (between banks, or between an entity and a bank), database transactions (for example, two databases that synchronize information over the Internet), and generally any transaction that involves the exchange of information over a network between two applications (think also of an ERP that is connected to an external site to which it sends, or from which it receives, information).

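As an added illustration (not part of the thread and not anyone's production code), here is what message-level protection of a transaction between two applications, such as the ERP-to-external-site or database-sync case above, can look like when mapped onto the failure modes the control names: incomplete transmission and alteration are caught by an HMAC over a canonical envelope, mis-routing by an authenticated recipient field, replay by a per-message nonce inside a freshness window, and duplication by an idempotency key on the transaction itself. The shared key, service names and transactions are constructed for the example; it assumes both applications hold the same key, and it assumes confidentiality (the "unauthorized disclosure" clause) is handled by TLS on the channel, so no encryption is shown.

```python
"""Message-level protection for an application service transaction.

Added example, not from the forum thread. Keys, identities and
transactions below are constructed; the shared key is a placeholder
for material that would come from a key-management system.
"""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = bytes.fromhex("0f" * 32)  # constructed; both services hold it


def canonical(envelope):
    """Deterministic bytes so sender and receiver MAC the same thing."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def mac(key, envelope):
    return hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()


def build_message(key, sender, recipient, payload, now=None):
    """Wrap a transaction payload in an authenticated envelope."""
    envelope = {
        "sender": sender,
        "recipient": recipient,            # under the MAC: detects mis-routing
        "nonce": secrets.token_hex(16),    # unique per message: detects replay
        "ts": int(time.time() if now is None else now),  # bounds replay window
        "payload": payload,                # carries txn_id: detects duplication
    }
    return json.dumps({"env": envelope, "mac": mac(key, envelope)})


class Receiver:
    """Validates incoming envelopes and applies each transaction at most once."""

    def __init__(self, key, identity, window=300):
        self.key = key
        self.identity = identity
        self.window = window       # seconds of clock skew / delivery delay tolerated
        self.seen_nonces = {}      # nonce -> time after which it can be forgotten
        self.applied = {}          # txn_id -> result, for idempotent retries

    def accept(self, wire, now=None):
        """Return (accepted, reason). Only the reason 'applied' changes state."""
        now = time.time() if now is None else now
        try:
            msg = json.loads(wire)
            env, tag = msg["env"], msg["mac"]
            for field in ("sender", "recipient", "nonce", "ts", "payload"):
                env[field]
            ts = int(env["ts"])
            txn_id, amount = env["payload"]["txn_id"], env["payload"]["amount"]
        except (ValueError, KeyError, TypeError):
            return False, "incomplete or malformed message"
        # Integrity first: nothing in env is trustworthy until the MAC checks out.
        if not isinstance(tag, str) or not hmac.compare_digest(
                mac(self.key, env).encode(), tag.encode()):
            return False, "MAC mismatch: altered or truncated in transit"
        if env["recipient"] != self.identity:
            return False, "mis-routed: addressed to %s" % env["recipient"]
        if abs(now - ts) > self.window:
            return False, "outside freshness window"
        # Nonces older than the window would fail the freshness check anyway.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if env["nonce"] in self.seen_nonces:
            return False, "replay: nonce already seen"
        self.seen_nonces[env["nonce"]] = ts + self.window
        # A legitimate client retry carries a fresh nonce but the same txn_id.
        if txn_id in self.applied:
            return True, "duplicate: already applied, returning prior result"
        self.applied[txn_id] = amount
        return True, "applied"


def demo():
    """Exercise one receiver against each failure mode; returns the outcomes."""
    t0 = 1_700_000_000
    rx = Receiver(SHARED_KEY, "ledger-service", window=300)
    payload = {"txn_id": "T-1001", "amount": 125.0, "currency": "EUR"}
    good = build_message(SHARED_KEY, "shop-frontend", "ledger-service", payload, now=t0)
    results = {"valid": rx.accept(good, now=t0 + 1)}
    # Alteration: bump the amount without recomputing the MAC.
    tampered = json.loads(good)
    tampered["env"]["payload"]["amount"] = 1250.0
    results["altered"] = rx.accept(json.dumps(tampered), now=t0 + 2)
    # Replay: the captured original is resent verbatim.
    results["replay"] = rx.accept(good, now=t0 + 3)
    # Mis-routing: a message addressed to another service arrives here.
    astray = build_message(SHARED_KEY, "shop-frontend", "billing-service", payload, now=t0)
    results["misrouted"] = rx.accept(astray, now=t0 + 4)
    # Incomplete transmission: the tail of the message is lost.
    results["truncated"] = rx.accept(good[:-20], now=t0 + 5)
    # Duplication: the client timed out and retries with a fresh envelope.
    retry = build_message(SHARED_KEY, "shop-frontend", "ledger-service", payload, now=t0 + 6)
    results["retried"] = rx.accept(retry, now=t0 + 6)
    # Stale: a message from well outside the freshness window.
    old = build_message(SHARED_KEY, "shop-frontend", "ledger-service",
                        {"txn_id": "T-1002", "amount": 5.0}, now=t0 - 3600)
    results["stale"] = rx.accept(old, now=t0 + 7)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-10s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Two design points worth noting: the MAC is checked before any other field is read, so a forged recipient or nonce cannot steer the receiver into a cheaper code path, and replay (same nonce) is kept distinct from duplication (same transaction id under a new nonce) so that an honest retry gets the earlier result back instead of a rejection or a second debit.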