The Role of ISO 27034 and ISO 27036 in Travel Rule Compliance
As Travel Rule regulations continue to mature globally, VASPs face growing pressure to evaluate not only the functionality of their compliance solutions but also the security and governance frameworks behind them.
A Travel Rule solution provider processes some of the most sensitive data in the digital asset ecosystem: customer identification information, transaction details, counterparty information, compliance records, and audit trails.
When selecting a solution provider, VASPs therefore need to weigh regulatory coverage alongside security-by-design and supplier risk management. This is where internationally recognised standards such as ISO/IEC 27034 and ISO/IEC 27036 provide valuable assurance.
21 Analytics’ Travel Rule solution, 21 Travel Rule, is aligned with both standards, helping VASPs strengthen their compliance posture while maintaining control over sensitive customer data.
What Is ISO/IEC 27034?
ISO/IEC 27034 is the international standard for application security. It provides guidance for integrating security throughout an application's entire lifecycle, from design and development through deployment, maintenance, and ongoing operation.
Rather than treating security as a final testing exercise, ISO/IEC 27034 promotes a systematic approach where security requirements are considered at every stage of development. The standard emphasises:
- Security-by-design principles
- Risk-based application security management
- Continuous verification and validation
- Secure development practices
- Demonstrable evidence that security controls are functioning as intended
- Security requirements tailored to business, regulatory, and technological contexts
The standard also recognises that application security is highly context-dependent. An application handling regulated financial data requires a different level of assurance than a standard business application, making ISO/IEC 27034 particularly relevant for Travel Rule solutions.
Why Application Security Matters for Travel Rule Compliance
Travel Rule compliance requires VASPs to exchange personally identifiable information (PII) and transaction-related data with counterparties and regulators.
A security weakness within a Travel Rule platform can expose institutions to:
- Data breaches involving customer information
- Regulatory penalties
- Reputational damage
- Operational disruption
- Increased cybersecurity risk across the organisation
As regulators increasingly focus on operational resilience and cybersecurity, VASPs must be confident that their compliance technology is built on a secure foundation.
21 Analytics aligns its application security framework with ISO/IEC 27034 through a secure software development lifecycle (SDLC) designed to embed security into every stage of product development. Security controls are engineered into the product from the outset.
This includes:
- A backend developed entirely in memory-safe Rust, reducing exposure to the memory corruption vulnerability classes (buffer overflows, use-after-free, data races) that Rust's type system rules out in safe code
- Deployment using minimal "distroless" containers that reduce the attack surface
- Automated vulnerability scanning before release
- Independent penetration testing conducted by accredited third-party security auditors
- Alignment with OWASP Application Security Verification Standard (ASVS) Level 2 controls, including the verification requirements for authentication, input validation, and cryptography
For VASPs, this provides confidence that the platform handling sensitive Travel Rule data has been designed, tested, and validated using internationally recognised security practices.
What Is ISO/IEC 27036?
ISO/IEC 27036 addresses another critical area: information security in supplier relationships.
The standard recognises that organisations increasingly rely on third-party providers, and that these relationships can introduce significant security risks. ISO/IEC 27036 provides guidance for assessing, managing, and reducing risks throughout the supplier lifecycle.
Key themes include:
- Third-party risk management
- Supplier due diligence
- Security governance
- Supply chain security
- Contractual security controls
- Ongoing monitoring and review of supplier relationships
- Transparency and visibility across the supply chain
In highly regulated sectors such as financial services and digital assets, supplier risk has become a major regulatory focus. Frameworks including DORA, NIS2, and various national cybersecurity requirements all place increased emphasis on third-party risk management.
Why Supplier Security Matters for VASPs
Every Travel Rule provider becomes part of a VASP's compliance and security ecosystem. When evaluating a Travel Rule solution, VASPs should consider questions such as:
- How is the provider managing its own suppliers?
- What controls exist around development environments?
- How is software supply chain risk managed?
- How transparent is the vendor's security posture?
- What business continuity measures are in place?
ISO/IEC 27036 helps establish a framework for answering these questions.
21 Analytics maintains a Third-Party Risk Management (TPRM) programme aligned with ISO/IEC 27036. This includes strict supplier reviews, access controls, confidentiality requirements, and continuous assessment of the services and platforms used to develop and support the product.
The company also supports software supply chain transparency through:
- Cryptographically signed software artifacts
- CycloneDX Software Bills of Materials (SBOMs)
- Continuous security review of development dependencies
- Alignment with software supply chain security best practices
- Independent security validation processes
These controls help reduce the risk that vulnerabilities originating within the software supply chain impact customers.
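The SBOM and signed-artifact controls listed above only pay off if the receiving VASP actually checks what it is handed. The script below is an added example written for this article, not 21 Analytics code and not a description of the 21 Travel Rule release process: it shows the consumer-side check a third-party risk reviewer would run over a CycloneDX JSON SBOM, binding the SBOM to the delivered artifact by its SHA-256 hash and flagging components that cannot be matched against vulnerability advisories. The SBOM, the artifact bytes, the product name and every component in it are constructed for the demonstration. Verifying the artifact's cryptographic signature is a separate step performed with the vendor's published verification key and tooling and is not shown here.

```python
"""
Consumer-side check of a CycloneDX SBOM against a delivered artifact.

Added example for this article; not 21 Analytics code. The SBOM, the
artifact bytes and all component names below are constructed for the
demonstration and do not describe any real release.
"""
import hashlib
import json
from typing import Dict, List

# Constructed release artifact: in practice this is the container image
# tarball or binary the vendor shipped, read from disk.
ARTIFACT_BYTES = b"constructed release artifact v1.2.3\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed CycloneDX 1.5 JSON SBOM. Field names follow the CycloneDX
# JSON schema; the product name and component list are made up.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application",
            "name": "example-travel-rule-backend",
            "version": "1.2.3",
            "hashes": [{"alg": "SHA-256", "content": ARTIFACT_SHA256}],
        }
    },
    "components": [
        {"type": "library", "name": "tokio", "version": "1.38.0",
         "purl": "pkg:cargo/tokio@1.38.0"},
        {"type": "library", "name": "serde", "version": "1.0.203",
         "purl": "pkg:cargo/serde@1.0.203"},
        # Constructed component with no purl: it cannot be matched to advisories.
        {"type": "library", "name": "vendored-blob", "version": "0.1.0"},
    ],
})


def check_sbom(sbom_text: str, artifact: bytes) -> Dict[str, object]:
    """Validate an SBOM against the artifact it claims to describe.

    Returns findings a TPRM reviewer can file. An empty 'errors' list means
    the SBOM is bound to this artifact and usable for dependency risk review;
    'warnings' lists components that will be blind spots in vulnerability matching.
    """
    errors: List[str] = []
    warnings: List[str] = []
    try:
        bom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return {"errors": [f"SBOM is not valid JSON: {exc}"], "warnings": [], "components": 0}

    if bom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat is not CycloneDX")
    if str(bom.get("specVersion", "")).split(".")[0] != "1":
        errors.append(f"unsupported specVersion {bom.get('specVersion')!r}")

    # 1. The SBOM must be bound to the artifact actually delivered; an SBOM
    #    without a hash of the top-level component describes nothing in particular.
    top = bom.get("metadata", {}).get("component", {})
    declared = {h["content"].lower() for h in top.get("hashes", []) if h.get("alg") == "SHA-256"}
    actual = hashlib.sha256(artifact).hexdigest()
    if not declared:
        errors.append("metadata.component carries no SHA-256 hash; SBOM cannot be tied to the artifact")
    elif actual not in declared:
        errors.append(f"artifact SHA-256 {actual} does not match SBOM-declared {sorted(declared)}")

    # 2. Every component needs a package URL or CPE, otherwise it cannot be
    #    matched against vulnerability databases during continuous review.
    components = bom.get("components", [])
    for comp in components:
        label = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("purl") and not comp.get("cpe"):
            warnings.append(f"{label}: no purl or cpe, cannot be matched to advisories")
        if not comp.get("version"):
            warnings.append(f"{label}: no version")

    return {"errors": errors, "warnings": warnings, "components": len(components)}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SBOM_JSON, ARTIFACT_BYTES), indent=2))
    # A single changed byte in the delivered artifact breaks the binding.
    print("tampered:", check_sbom(SBOM_JSON, ARTIFACT_BYTES + b"x")["errors"])
```

Run against a real delivery, the artifact bytes come from the downloaded image or binary and the SBOM from the vendor's release; a hash mismatch means the SBOM describes a different build than the one received and the review should stop there. Components flagged without a purl or CPE are the ones that will silently escape any automated dependency scanning the VASP runs afterwards.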
Why This Matters for Travel Rule Solutions
Unlike many other compliance technologies, Travel Rule platforms often sit at the intersection of compliance, cybersecurity, and customer data protection.
A Travel Rule provider may become responsible for processing, transmitting, or securing highly sensitive information that falls under privacy regulations and financial crime controls.
This makes both application security and supplier security fundamental evaluation criteria. VASPs should look beyond feature lists and ask whether a provider can demonstrate:
- Secure software development practices
- Independent security testing
- Robust third-party risk management
- Supply chain transparency
- Strong operational resilience
- Clear security governance frameworks
Standards such as ISO/IEC 27034 and ISO/IEC 27036 provide objective frameworks that help answer these questions.
Security and Data Sovereignty by Design
One of the distinguishing characteristics of 21 Travel Rule is its deployment model.
Because the platform is deployed entirely on infrastructure controlled by the VASP, 21 Analytics does not host customer operational data, process customer transactions, or maintain access to customer PII during normal operation. Customers retain full control over their data, infrastructure, and operational environment.
This architecture complements the objectives of both ISO/IEC 27034 and ISO/IEC 27036 by reducing data exposure, limiting third-party dependencies, and supporting stronger operational resilience.
Conclusion
Travel Rule compliance has evolved beyond simply meeting regulatory requirements. Now, compliance also means ensuring that the supporting technology is secure, resilient, and trustworthy.
ISO/IEC 27034 provides assurance that application security has been embedded throughout the software lifecycle. ISO/IEC 27036 provides assurance that supplier relationships and supply chain risks are being actively managed.
For VASPs evaluating Travel Rule providers, alignment with these standards offers evidence that a solution has been designed with both security and long-term resilience in mind.
By aligning 21 Travel Rule with ISO/IEC 27034 and ISO/IEC 27036, 21 Analytics demonstrates a commitment to helping VASPs meet not only their compliance obligations, but also their broader cybersecurity and operational risk management objectives.
To learn more about 21 Analytics’ approach to compliance, visit the Trust Center.
Sources:
ISO/IEC 27034-1:2011 Standard. Available at: https://www.iso.org/standard/44378.html
ISO/IEC 27036-1:2021 Standard. Available at: https://www.iso.org/standard/82905.html
Disclaimer
This material is provided for educational and informational purposes only and is not intended to be a substitute for professional advice or detailed research.
