ISO/IEC TS 19249 is the international technical specification for building secure products, systems, and applications. It catalogues five architectural principles and five design principles. Confirmed current in 2024.
Published jointly by ISO and IEC, this technical specification provides a catalogue of architectural and design principles for building secure products and systems. It imposes no certification requirements: it is design guidance, intended to be applied alongside ISO/IEC 15408 (Common Criteria), which is where evaluation and certification actually happen.
Architectural principle 1, domain separation. Related components are grouped into domains that share security attributes. Domains communicate only over controlled, well-defined channels, so a compromise inside one domain cannot silently reach into another.
Example: x86 protection rings, with the kernel at ring 0 (most privileged) and user applications at ring 3 (least privileged); a user process can only reach kernel code through the system-call interface, which is the controlled channel between the two domains.

Architectural principle 2, layering. Systems are structured in abstract levels. Security policies can be imposed and validated independently at each layer, and a layer depends only on the services of the layer beneath it.
Example: the OSI network model, seven layers, each providing services to the layer above and enforcing its own controls (a packet filter at the network layer and input validation at the application layer are independent controls that can be verified separately).

Architectural principle 3, encapsulation. Low-level implementation details are hidden behind controlled interfaces. This prevents direct manipulation of internal data or state and lets the interface enforce its own invariants.
Example: API design, call increment() rather than modifying the seconds variable directly, so the counter can only change in the ways the interface allows.
Architectural principle 4, redundancy. Supports both availability and integrity. If a component fails or is tampered with, the system continues to operate and can detect the discrepancy between the redundant copies.
Example: RAID 5, one drive fails and data remains available via parity. Note the limit of the integrity claim: a parity mismatch shows that some disk disagrees with the others, but only when a consistency check (scrub) is run, and parity cannot tell which disk was altered or resist an attacker who rewrites the parity as well. Real tamper evidence needs cryptographic integrity (hashed or signed data), not parity alone.

Architectural principle 5, virtualization. Sharing hardware across multiple isolated operating systems. Provides sandboxing, stronger security boundaries, and safe malware-detonation environments.
Example: cloud sandboxes, where malicious code is detonated and observed in an isolated VM without affecting host systems. The hypervisor becomes the trust boundary, so it must itself be kept patched.

Design principle 1, least privilege. Grant only the minimum permissions required to complete a task, nothing more. This limits the blast radius when credentials are compromised.
If a user only needs to read a document, grant read only: no write, no execute.

Design principle 2, attack surface minimisation. Every unnecessary service, port, or feature is a potential attack vector. Disable or remove anything not required.
Hardening a Linux system: disable unused services, close open ports, remove unnecessary packages, then audit the listening sockets to confirm that only the intended ones remain.

Design principle 3, centralized parameter validation. All user and system input flows through a single validation library. This reduces injection attacks, denial of service from malformed input, and remote code execution, because every input path receives the same checks.
One validation module for all inputs, not inconsistent checks scattered across every handler.

Design principle 4, centralized general security services. Centralize authentication, authorization, and auditing. This reduces policy inconsistency across subsystems.
A centralized authentication server for the whole organization, with availability controls (redundant instances, failover) so that it does not become a single point of failure.

Design principle 5, preparing for error and exception handling. Design systems to fail safe. Error messages must not leak internal state. Plan for unexpected failures; they will happen.
If a firewall crashes: block all traffic — not allow all traffic. Fail closed, not open.
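The attack surface minimisation principle, as an added example that is not part of the specification or of this page: a Python audit that parses the output of `ss -tlnp` and flags listening TCP sockets that are exposed beyond loopback and are not on an explicit allowlist. The `ss` output below is constructed for the demonstration, not captured from a real host, and the allowlist of ports is an assumption.

```python
"""Audit listening TCP sockets against an allowlist (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; the hosts and processes are invented.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       4096         127.0.0.1:631          0.0.0.0:*      users:(("cupsd",pid=700,fd=7))
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*      users:(("nginx",pid=901,fd=6))
LISTEN  0       50                   *:5432               *:*      users:(("postgres",pid=433,fd=5))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=812,fd=4))
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        # A loopback-only socket is reachable solely from the host itself and is
        # not part of the network-facing attack surface.
        return self.addr not in LOOPBACK


# One ss line: state, queues, local addr:port, peer addr:port, then the process column.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port, process) for every LISTEN line; other lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit(listeners: list[Listener], allowed_ports: set[int]) -> list[Listener]:
    """Return exposed listeners whose port is not explicitly allowed."""
    return [l for l in listeners if l.exposed and l.port not in allowed_ports]


if __name__ == "__main__":
    # Assumed allowlist for this host: SSH and HTTP only.
    for l in audit(parse_ss(SAMPLE_SS_OUTPUT), {22, 80}):
        print(f"unexpected listener: {l.process} on {l.addr}:{l.port}")
```

In the constructed data the CUPS socket is bound to loopback and is ignored, while PostgreSQL on `*:5432` is reported; the fix is to stop the service if it is not needed or, if it is, to bind it to loopback or a private interface and confirm with a fresh `ss -tlnp` run.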
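The centralized parameter validation principle, as an added example written for this page (it is not code from the specification): a single validation module with a registry of named rules, a global length cap applied before any parsing, and two request handlers that contain no checks of their own. The parameter names, the regular expressions and the 256-byte cap are assumptions chosen for the demonstration.

```python
"""One validation module used by every handler (added example)."""
import re
from typing import Any, Callable


class ValidationError(ValueError):
    """Raised for any rejected input; the message is short and safe to return to a caller."""


# Registry of named validators. Handlers refer to inputs by name and never
# write their own ad hoc checks, so a rule is fixed in exactly one place.
_VALIDATORS: dict[str, Callable[[str], Any]] = {}

MAX_LEN = 256  # assumed global cap: rejects oversized input before any rule runs


def validator(name: str):
    def register(fn: Callable[[str], Any]) -> Callable[[str], Any]:
        _VALIDATORS[name] = fn
        return fn
    return register


def validate(name: str, raw: Any) -> Any:
    """Every input passes through here: type check, length cap, then the named rule."""
    if not isinstance(raw, str):
        raise ValidationError(f"{name}: expected a string")
    if len(raw) > MAX_LEN:
        raise ValidationError(f"{name}: too long")
    rule = _VALIDATORS.get(name)
    if rule is None:
        # An unknown parameter name is rejected rather than passed through untouched.
        raise ValidationError(f"{name}: no validator registered")
    return rule(raw)


@validator("username")
def _username(s: str) -> str:
    # Allowlist of characters: quotes, spaces and comment sequences never get through.
    if not re.fullmatch(r"[a-z][a-z0-9_]{2,31}", s):
        raise ValidationError("username: invalid")
    return s


@validator("page_size")
def _page_size(s: str) -> int:
    if not re.fullmatch(r"[0-9]{1,3}", s) or not 1 <= int(s) <= 100:
        raise ValidationError("page_size: must be 1-100")
    return int(s)


@validator("document_id")
def _document_id(s: str) -> str:
    # Opaque hex identifier: path separators and traversal sequences cannot match.
    if not re.fullmatch(r"[0-9a-f]{32}", s):
        raise ValidationError("document_id: invalid")
    return s


# Two handlers; neither carries validation logic of its own.
def handle_search(params: dict) -> dict:
    user = validate("username", params.get("username", ""))
    size = validate("page_size", params.get("page_size", "20"))
    return {"user": user, "page_size": size}


def handle_fetch(params: dict) -> dict:
    return {"document_id": validate("document_id", params.get("document_id", ""))}
```

Because both handlers call the same `validate`, tightening the username rule or lowering `MAX_LEN` changes behaviour everywhere at once; with scattered checks, the handler that was forgotten is the one the attacker finds.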
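The least privilege and centralized general security services principles together, as an added example that is not part of the specification or of this page: one `SecurityService` that makes every authorization decision and writes every audit record, with role definitions that carry only the permissions a task needs (a viewer gets read and nothing else). The role names, the permission set and the handler functions are assumptions made for the demonstration.

```python
"""Centralized authorization and audit with least-privilege roles (added example)."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


# Assumed roles: each carries only what its task requires.
ROLES: dict[str, Perm] = {
    "viewer": Perm.READ,
    "editor": Perm.READ | Perm.WRITE,
    "operator": Perm.READ | Perm.EXECUTE,
}


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset


@dataclass
class SecurityService:
    """Single decision point: every access check and every audit record goes through here."""
    audit_log: list = field(default_factory=list)

    def effective_perms(self, subject: Subject) -> Perm:
        perms = Perm(0)
        for role in subject.roles:
            perms |= ROLES.get(role, Perm(0))  # an undefined role grants nothing
        return perms

    def authorize(self, subject: Subject, action: Perm, resource: str) -> bool:
        allowed = action in self.effective_perms(subject)
        verdict = "ALLOW" if allowed else "DENY"
        # Denials are logged as well as grants; they are the interesting events for detection.
        self.audit_log.append(f"{verdict} {subject.name} {action.name} {resource}")
        return allowed


SECURITY = SecurityService()


# Handlers delegate the decision; none of them contains its own role logic.
def read_document(subject: Subject, doc: str) -> str:
    if not SECURITY.authorize(subject, Perm.READ, doc):
        raise PermissionError("access denied")
    return f"contents of {doc}"


def write_document(subject: Subject, doc: str, body: str) -> int:
    if not SECURITY.authorize(subject, Perm.WRITE, doc):
        raise PermissionError("access denied")
    return len(body)


def run_job(subject: Subject, job: str) -> str:
    if not SECURITY.authorize(subject, Perm.EXECUTE, job):
        raise PermissionError("access denied")
    return f"started {job}"
```

A single service like this is also the single point of failure the page warns about: in a real deployment it is run as several replicas behind a load balancer, and handlers must treat "service unreachable" as a denial rather than as permission.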
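The fail-closed firewall above, as an added example written for this page rather than code from the specification: a packet filter whose policy loader leaves the filter in deny-all on any parse or validation error, whose decision function denies when no rule matches, and whose client-facing error message is fixed while the exception detail goes only to the log. The two policy documents are constructed for the demonstration (the second is deliberately truncated).

```python
"""Fail-closed packet filter and non-leaking error responses (added example)."""
import json
import logging
from dataclasses import dataclass

log = logging.getLogger("firewall")


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str
    dst_port: int
    action: str  # "allow" or "deny"


# Constructed policies: one valid, one cut off mid-document as a reload might be.
GOOD_POLICY = ('{"rules": [{"proto": "tcp", "dst_port": 443, "action": "allow"}, '
               '{"proto": "tcp", "dst_port": 22, "action": "allow"}]}')
BROKEN_POLICY = '{"rules": [{"proto": "tcp", "dst_port": 443, "action": "allow"'


class Firewall:
    def __init__(self) -> None:
        self.rules = None  # None means "no usable policy": everything is denied

    def load_policy(self, policy_json: str) -> bool:
        """Parse and validate a policy. On any failure the firewall drops to deny-all."""
        try:
            raw = json.loads(policy_json)
            rules = [Rule(str(r["proto"]), int(r["dst_port"]), str(r["action"]))
                     for r in raw["rules"]]
            if any(r.action not in ("allow", "deny") for r in rules):
                raise ValueError("rule action must be allow or deny")
        except (ValueError, KeyError, TypeError) as exc:  # JSONDecodeError is a ValueError
            log.error("policy rejected: %r", exc)         # detail to the log, never to the caller
            self.rules = None
            return False
        self.rules = rules
        return True

    def decide(self, pkt: Packet) -> str:
        if self.rules is None:
            return "deny"  # policy missing or broken: fail closed, never open
        for rule in self.rules:
            if rule.proto == pkt.proto and rule.dst_port == pkt.dst_port:
                return rule.action
        return "deny"      # nothing matched: default deny


def error_response(exc: Exception) -> dict:
    """What a client sees on an unexpected failure: a fixed message with no internal state."""
    log.error("internal error: %r", exc)
    return {"error": "request could not be processed"}
```

Dropping to deny-all on a failed reload is the strict reading of the principle; keeping the last known good policy is the other defensible choice, and either is acceptable as long as the failure never results in allow-all.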