ISO27001:2013 A.14.1.3 - Protecting application service transactions
Damian,
In most cases this control applies to e-commerce transactions - so when a financial transaction is made, you have to make sure it is completely protected.
Theoretically, a "transaction" can also be interpreted as many other things, but normally the certification auditors do not go that far.
Dejan,
Thanks for this, that makes sense. One follow up question though - does it apply to both:
* external e-commerce systems that we use in our business (i.e. that we are a customer of), as well as
* any e-commerce systems that we have developed (i.e. that our customers use)
I'm assuming both cases.
Regards
Damian
Damian,
Please find my answers below:
* external e-commerce systems that we use in our business (i.e. that we are a customer of)
- No - this is something that is usually not covered with this control because you didn't program those applications so you cannot influence the transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
* any e-commerce systems that we have developed (i.e. that our customers use)
- This depends on the ISMS scope - if you run those systems on your servers and you are responsible for client data, then yes - control A.14.1.3 is applicable; if those systems run on your client's servers and they are managing them, then usually such applications are out of the ISMS scope.
Dejan,
Thanks for this, that clarifies it nicely.
Regards
Damian
Hi Dejan,
You have mentioned that in most cases it is applied to eCommerce; what could be other examples where it can be applied?
Our team is wondering whether it is applicable or not, though we are not considering it for eCommerce. Please suggest!
Thanks,
-Amit
It can also apply to financial transactions (between banks, or between an entity and a bank), database transactions (for example, 2 databases that are synchronizing information over the Internet), and generally any transaction that involves the exchange of information over a network between 2 applications (think also of an ERP that is connected to an external site to which it sends, or from which it receives, information).
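As an added illustration (not part of the original thread), here is a minimal Python sketch of what "protecting a transaction" between two applications looks like in code, covering the threats listed in Dejan's earlier answer: unauthorized message alteration (an HMAC over the canonical fields), mis-routing (an explicit recipient field that the receiver checks), and message duplication or replay (a per-message nonce the receiver remembers within a freshness window). Unauthorized disclosure is assumed to be handled by TLS on the transport and is not shown. The shared key, the service names "shop" and "payments", and the transaction body are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed shared key for the example only; in practice each sender/receiver
# pair provisions its own key out of band (or authenticates with TLS client certs).
SHARED_KEY = b"example-shared-secret-not-for-production"

MAX_SKEW_SECONDS = 300  # how old a transaction may be before it is treated as stale


def _canonical(envelope: dict) -> bytes:
    """Serialise every field except the MAC deterministically, so sender and
    receiver compute the MAC over identical bytes."""
    fields = {k: v for k, v in envelope.items() if k != "mac"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(body: dict, sender: str, recipient: str, key: bytes = SHARED_KEY,
         now: Optional[float] = None) -> dict:
    """Wrap a transaction body in an envelope carrying the fields needed to
    detect alteration, mis-routing, duplication and replay."""
    envelope = {
        "sender": sender,
        "recipient": recipient,          # lets the receiver reject mis-routed messages
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),  # unique per transaction; the receiver remembers it
        "body": body,
    }
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class Receiver:
    """Verifies incoming envelopes. Remembers the nonces it has accepted so a
    duplicated or replayed transaction is refused even though its MAC is valid."""

    def __init__(self, name: str, key: bytes = SHARED_KEY):
        self.name = name
        self.key = key
        self.seen = {}  # nonce -> envelope timestamp

    def accept(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        # 1. Integrity: check the MAC before trusting any other field.
        expected = hmac.new(self.key, _canonical(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return False, "bad mac (message altered or wrong key)"
        # 2. Mis-routing: the message must be addressed to this service.
        if envelope["recipient"] != self.name:
            return False, "mis-routed (addressed to %s)" % envelope["recipient"]
        # 3. Freshness: bounds how long a captured message stays replayable.
        if abs(now - envelope["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # 4. Duplication / replay: a nonce is accepted exactly once.
        if envelope["nonce"] in self.seen:
            return False, "replay (nonce already accepted)"
        self.seen[envelope["nonce"]] = envelope["ts"]
        self._expire(now)
        return True, "ok"

    def _expire(self, now: int) -> None:
        """Forget nonces whose timestamp has fallen outside the freshness window;
        any replay of those is already rejected by the timestamp check, so the
        store stays bounded without reopening a replay hole."""
        for nonce, ts in list(self.seen.items()):
            if now - ts > MAX_SKEW_SECONDS:
                del self.seen[nonce]


if __name__ == "__main__":
    payments = Receiver("payments")
    tx = seal({"amount": "100.00", "currency": "EUR", "to": "ACC-1"}, "shop", "payments")
    print("first delivery:", payments.accept(tx))
    print("replayed copy: ", payments.accept(tx))
    forged = dict(tx, body=dict(tx["body"], amount="999.00"))
    print("altered amount:", payments.accept(forged))
```

The order of the checks matters: the MAC is verified first so that the recipient, timestamp and nonce fields are only trusted once they are known to be unaltered, and the nonce store is keyed on the message's own timestamp rather than the time of acceptance so that expiring old entries can never let a still-fresh replay through.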
Jan 12, 2016