How to use Open Web Application Security Project (OWASP) for ISO 27001?

Essentially, OWASP (Open Web Application Security Project) is an online community developing international open projects related to Web Application Security. It was created mainly to help developers build secure web applications. Most of these projects have documents, guides and tools which can be useful for an ISO 27001 implementation.

Why is OWASP so useful for ISO 27001? Because the main objective of ISO 27001 is the protection of information, and that is also important during software development. Furthermore, a high number of companies don’t know how to protect information during software development, and OWASP can be a great tool for that.

So, let’s see the relationship between OWASP and ISO 27001.

Scope and structure of OWASP

OWASP is focused on Web Applications mainly because everything is currently online: shops, supermarkets, TV programs, travel agencies, libraries, etc. Most applications are coded for the web, and OWASP helps developers write secure code by giving them a lot of tools. Most of them are free and are used throughout the software development process.

OWASP is composed of the following project types:

  • Flagship projects (mature projects)
  • Lab projects (medium maturity, still in development)
  • Incubator projects (new projects)

For an ISO 27001 implementation, the most interesting projects are the Flagship projects, because those are finished projects, which means that they are more stable. These are mature projects, and their resources (documentation, tools, etc.) are used by companies around the world.

ISO 27001 and software development

ISO 27001 has an Annex where you can find 114 security controls. These controls are generic, although all have the same objective: the protection of information. So, you can see controls related to Human Resources, compliance, suppliers, IT, etc. Of course, you can also find controls related to software development. (See also: Overview of ISO 27001:2013.)

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at:
