The previous version of the ÖNORM A 7700 was released in December 2008. In a fast-paced field like information security, some would call this quite dated. Therefore, we decided to not only overhaul the standard completely but also address the limitations in scope, which we have witnessed over the years. The previous version was solely focused on the application security aspects of web applications, neglecting the underlying requirements for secure operations. Data protection aspects have also been completely out of scope so far.
We decided to take the opportunity to add those topics to the new version of the ÖNORM, called ÖNORM A 7700:2019. This allowed us to cover more ground but also introduced a whole new level of complexity into the standardization process. Nevertheless, we took the necessary time to get it right and, in the end, we managed to align everything in a conclusive series of standards.
The ÖNORM A 7700 was split into four distinct parts, to separate the individual topics. While the ÖNORM A 7700-1 contains the terminology required for the rest of the series, ÖNORM A 7700-2 to ÖNORM A 7700-4 contain the actual requirements:
- ÖNORM A 7700-1: Web Applications – Terms and definitions
- ÖNORM A 7700-2: Web Applications – Data protection requirements
- ÖNORM A 7700-3: Web Applications – Security requirements
- ÖNORM A 7700-4: Web Applications – Requirements for secure operations
We stuck to our guns when it came to the orientation and goals of the standard. As a requirements document that defines the state of the art, the ÖNORM A 7700 must define what to do, not how to do it. This approach has some critics and I do understand their sentiment. If you are looking for specific guidance, you would like to have more details – in an ideal world even a technology-specific how-to.
That’s not the intention of an ÖNORM though. The clear goal of such a standard is to define the requirements as generically as possible, without any unnecessary restrictions. If you need more specific recommendations, there are better-suited resources available. But if you are looking for a clear-cut, generic requirements document, look no further!
1 New Data Protection Requirements For Web Applications
Nevertheless, one year after the release of the GDPR, people were longing for concrete implementation guidelines. Concerning data protection for web applications, we made it our mission to deliver such ground rules.
The result is ÖNORM A 7700-2. Our goal was providing the requirements without being overly redundant with the GDPR itself. We address the specific needs of developers who have to consider data protection requirements during implementation, while also providing cross-references to the GDPR.
While the standard is – for obvious reasons – focused on web applications that collect personal data, there is also guidance for web applications that do not. In particular, identifying and tracking users needs to be addressed even when personal data is not explicitly collected.