Which statement best describes ISO/IEC 27034?


Multiple Choice


ISO/IEC 27034 focuses on application security by providing guidance to securely develop and maintain software throughout its life cycle. It offers a framework for embedding security into the software development lifecycle, guiding roles, processes, and controls so applications are designed, built, tested, deployed, and maintained with security in mind. This aligns with industry-wide guidance on securely developing and maintaining software applications, making it the best description of the standard.

For context, this standard sits in the ISO/IEC 27000 family and complements broader standards such as ISO/IEC 27001 and 27002 by focusing specifically on how to govern and implement security within software development and maintenance. In practice, it helps organizations incorporate activities such as threat modeling, secure coding practices, security testing, and ongoing vulnerability management throughout the application's life cycle.

The other options describe different areas not covered by this standard: physical security of data centers, software licensing terms, or network routing protocols.
