The ÖNORM A 7700 Standard


The ÖNORM A 7700 defines the current state-of-the-art in the security of Web applications.

As a result, both the manufacturers of software and the end customers are guided by the ÖNORM A 7700 standard in the procurement and operation of Web applications.

The standard itself consists of four parts:


Part 1 presents the framework of the series and contains definitions of relevant technical terms.

Data protection requirements

Part 2 describes the requirements for Web applications that result from data protection law. Data protection should be considered at an early stage, as prescribed by the General Data Protection Regulation (VO (EU) 2016/679). Compliance with the GDPR has been mandatory in every EU Member State since 25 May 2018 whenever personal data are collected and processed.

Technical security requirements

Part 3 is the revision of the long-established ÖNORM A 7700:2008. This part aims to ensure full coverage of the technical security area in Web applications. To achieve the required level of security, companies must undergo a multi-level, complete source code audit.

Requirements for secure operations

Part 4 gives an overview of the requirements for the secure operation of Web applications, which are relevant to both company-owned applications and hosted third-party applications.


Several companies, including the Austrian National Bank, approached SEC Consult to develop a standard for Web application security.

For this endeavor, the Austrian Standards Institute and numerous major banks, insurance companies, authorities, and industrial companies initiated the ONR 17700 standard. The content of this standard is largely derived from the recommendations of the internationally recognized OWASP guide. OWASP, although it comprehensively describes the subject of Web application security, did not provide any kind of certification.

The ONR 17700 is published as the first EU-wide recognized standard that allows Web applications to be certified based on their security.

The first certifications are issued according to the ONR 17700 standard. Enterprises, as well as the public sector, begin to anchor the ONR 17700 standard as a requirement in the procurement and development of Web applications.

The ONR 17700 standard is renamed ÖNORM A 7700 and defines the state of the art for secure online applications.

The now well-established ÖNORM A 7700 standard is being fundamentally revised and expanded to include data protection and secure operation categories. To ensure a clear overview, the standard is converted into a four-part series of standards (publication: Summer 2019).

Source of supply

Please purchase the ÖNORM A 7700 from the following source:
