ISO 27K2 Header Domainwise Sheets


7/25/2019 ISO 27K2 Header Domainwise Sheets

Columns of the sheets (27K2 = ISO/IEC 27002): Sr. No, CR ID, 27K2 Control Requirement Title, Control Requirement; CH ID, Control Header; CO ID, Control Objective.

A5  Information security policies

  A5.1 (Objective)  Management direction for information security
    1  A5.1.1  Policies for information security
         Control: A set of policies for information security shall be defined, approved by management, published & communicated to em[…] relevant external parties.
    2  A5.1.2  Review of the policies for information security
         Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their suitability, adequacy & effectiveness.

A6  Organization of information security

  A6.1 (Objective)  Internal organization
    3  A6.1.1  Information security roles & responsibilities
         Control: All information security responsibilities shall be defined & allocated.
    4  A6.1.2  Segregation of duties
         Control: Conflicting duties & areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional misuse of the organization's assets.
    5  A6.1.3  Contact with authorities
         Control: Appropriate contacts with relevant authorities shall be maintained.
    6  A6.1.4  Contact with special interest groups
         Control: Appropriate contacts with special interest groups or other specialist security forums & professional associations shall be […]
    7  A6.1.5  Information security in project management
         Control: Information security shall be addressed in project management, regardless of the type of the project.

  A6.2 (Objective)  Mobile devices & teleworking
    8  A6.2.1  Mobile device policy
         Control: A policy & supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
    9  A6.2.2  Teleworking
         Control: A policy & supporting security measures shall be implemented to protect information accessed, processed or stored at t[…] sites.

A7  Human resource security

  A7.1 (Objective)  Prior to employment
    10  A7.1.1  Screening
          Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, r[…] ethics & shall be proportional to the business requirements, the classification of the information to be accessed & the pe[…]
    11  A7.1.2  Terms & conditions of employment
          Control: The contractual agreements with employees & contractors shall state their & the organization's responsibilities for infor[…]

  A7.2 (Objective)  During employment
    12  A7.2.1  Management responsibilities
          Control: Management shall require all employees & contractors to apply information security in accordance with the established procedures of the organization.
    13  A7.2.2  Information security awareness, education and training
          Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education & trai[…] updates in organizational policies & procedures, as relevant for their job function.
    14  A7.2.3  Disciplinary process
          Control: There shall be a formal & communicated disciplinary process in place to take action against employees who have comm[…] information security breach.

  A7.3 (Objective)  Termination & change of employment
    15  A7.3.1  Termination or change of employment responsibilities
          Control: Information security responsibilities & duties that remain valid after termination or change of employment shall be defin[…] communicated to the employee or contractor & enforced.

A8  Asset management

  A8.1 (Objective)  Responsibility for assets
    16  A8.1.1  Inventory of assets
          Control: Assets associated with information & information processing facilities shall be identified & an inventory of these assets s[…] up & maintained.
    17  A8.1.2  Ownership of assets
          Control: Assets maintained in the inventory shall be owned.
    18  A8.1.3  Acceptable use of assets
          Control: Rules for the acceptable use of information & of assets associated with information & information processing facilities sh[…] identified, documented & implemented.
    19  A8.1.4  Return of assets
          Control: All employees & external party users shall return all of the organizational assets in their possession upon termination of employment, contract or agreement.

  A8.2 (Objective)  Information classification
    20  A8.2.1  Classification of information
          Control: Information shall be classified in terms of legal requirements, value, criticality & sensitivity to unauthorized disclosure or […]
    21  A8.2.2  Labelling of information
          Control: An appropriate set of procedures for information labelling shall be developed & implemented in accordance with the info[…] classification scheme adopted by the organization.
    22  A8.2.3  Handling of assets
          Control: Procedures for handling assets shall be developed & implemented in accordance with the information classification sche[…] the organization.

  A8.3 (Objective)  Media handling
    23  A8.3.1  Management of removable media
          Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme […] organization.
    24  A8.3.2  Disposal of media
          Control: Media shall be disposed of securely when no longer required, using formal procedures.
    25  A8.3.3  Physical media transfer
          Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportatio[…]

A9  Access control

  A9.1 (Objective)  Business requirements of access control
    26  A9.1.1  Access control policy
          Control: An access control policy shall be established, documented & reviewed based on business & information security require[…]
    27  A9.1.2  Access to networks & network services
          Control: Users shall only be provided with access to the network & network services that they have been specifically authorized t[…]

  A9.2 (Objective)  User access management
    28  A9.2.1  User registration & de-registration
          Control: A formal user registration & de-registration process shall be implemented to enable assignment of access rights.
    29  A9.2.2  User access provisioning
          Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all[…] services.
    30  A9.2.3  Management of privileged access rights
          Control: The allocation & use of privileged access rights shall be restricted & controlled.
    31  A9.2.4  Management of secret authentication information of users
          Control: The allocation of secret authentication information shall be controlled through a formal management process.
    32  A9.2.5  Review of user access rights
          Control: Asset owners shall review users' access rights at regular intervals.
    33  A9.2.6  Removal or adjustment of access rights
          Control: The access rights of all employees & external party users to information & information processing facilities shall be rem[…] termination of their employment, contract or agreement, or adjusted upon change.

  A9.3 (Objective)  User responsibilities
    34  A9.3.1  Use of secret authentication information
          Control: Users shall be required to follow the organization's practices in the use of secret authentication information.

  A9.4 (Objective)  System & application access control
    35  A9.4.1  Information access restriction
          Control: Access to information & application system functions shall be restricted in accordance with the access control policy.
    36  A9.4.2  Secure log-on procedures
          Control: […]
    37  A9.4.3  Password management system
          Control: Password management systems shall be interactive & shall ensure quality passwords.
    38  A9.4.4  Use of privileged utility programs
          Control: The use of utility programs that might be capable of overriding system & application controls shall be restricted & tightl[…]
    39  A9.4.5  Access control to program source code
          Control: Access to program source code shall be restricted.

A10  Cryptography

  A10.1 (Objective)  Cryptographic controls
    40  A10.1.1  Policy on the use of cryptographic controls
          Control: A policy on the use of cryptographic controls for protection of information shall be developed & implemented.
    41  A10.1.2  Key management
          Control: A policy on the use, protection & lifetime of cryptographic keys shall be developed & implemented through their whole li[…]

A11  Physical & environmental security

  A11.1 (Objective)  Secure areas
    42  A11.1.1  Physical security perimeter
          Control: Security perimeters shall be defined & used to protect areas that contain either sensitive or critical information & inform[…] processing facilities.
    43  A11.1.2  Physical entry controls
          Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed acce[…]
    44  A11.1.3  Securing offices, rooms & facilities
          Control: Physical security for offices, rooms & facilities shall be designed & applied.
    45  A11.1.4  Protecting against external & environmental threats
          Control: Physical protection against natural disasters, malicious attack or accidents shall be designed & applied.
    […]  […]  […]
          Control: Procedures for working in secure areas shall be designed & applied.
    […]  […]  […]
          Control: Access points such as delivery & loading areas & other points where unauthorized persons could enter the premises shal[…] and, if possible, isolated from information processing facilities to avoid unauthorized access.

  A11.2 (Objective)  Equipment
    46  A11.2.1  Equipment siting & protection
          Control: Equipment shall be sited & protected to reduce the risks from environmental threats & hazards, & opportunities for una[…] access.
    49  A11.2.2  Supporting utilities
          Control: Equipment shall be protected from power failures & other disruptions caused by failures in supporting utilities.
    50  A11.2.3  Cabling security
          Control: Power & telecommunications cabling carrying data or supporting information services shall be protected from intercepti[…] or damage.
    51  A11.2.4  Equipment maintenance
          Control: Equipment shall be correctly maintained to ensure its continued availability & integrity.
    52  A11.2.5  Removal of assets
          Control: Equipment, information or software shall not be taken off-site without prior authorization.
    53  A11.2.6  Security of equipment & assets off-premises
          Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's pr[…]
    54  A11.2.7  Secure disposal or reuse of equipment
          Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data & licensed software […] removed or securely overwritten prior to disposal or re-use.
    55  A11.2.8  Unattended user equipment
          Control: Users shall ensure that unattended equipment has appropriate protection.
    56  A11.2.9  Clear desk & clear screen policy
          Control: A clear desk policy for papers & removable storage media & a clear screen policy for information processing facilities sh[…]

A12  Operations security

  A12.1 (Objective)  Operational procedures & responsibilities
    57  A12.1.1  Documented operating procedures
          Control: Operating procedures shall be documented & made available to all users who need them.
    58  A12.1.2  Change management
          Control: Changes to the organization, business processes, information processing facilities & systems that affect information sec[…] controlled.
    59  A12.1.3  Capacity management
          Control: The use of resources shall be monitored, tuned & projections made of future capacity requirements to ensure the requir[…] performance.
    60  A12.1.4  Separation of development, testing & operational environments
          Control: Development, testing, & operational environments shall be separated to reduce the risks of unauthorized access or cha[…] operational environment.

  A12.2 (Objective)  Protection from malware
    61  A12.2.1  Controls against malware
          Control: Detection, prevention & recovery controls to protect against malware shall be implemented, combined with appropriate […] awareness.

  A12.3 (Objective)  Backup
    62  A12.3.1  Information backup
          Control: Backup copies of information, software & system images shall be taken & tested regularly in accordance with an agreed […]

  A12.4 (Objective)  Logging & monitoring
    63  A12.4.1  Event logging
          Control: Event logs recording user activities, exceptions, faults & information security events shall be produced, kept & regularly […]
    64  A12.4.2  Protection of log information
          Control: Logging facilities & log information shall be protected against tampering & unauthorized access.
    65  A12.4.3  Administrator & operator logs
          Control: System administrator & system operator activities shall be logged & the logs protected & regularly reviewed.
    66  A12.4.4  Clock synchronisation
          Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronise[…] reference time source.

  A12.5 (Objective)  Control of operational software
    67  A12.5.1  Installation of software on operational systems
          Control: Procedures shall be implemented to control the installation of software on operational systems.

  A12.6 (Objective)  Technical vulnerability management
    68  A12.6.1  Management of technical vulnerabilities
          Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the […] exposure to such vulnerabilities evaluated & appropriate measures taken to address the associated risk.
    69  A12.6.2  Restrictions on software installation
          Control: Rules governing the installation of software by users shall be established & implemented.

  A12.7 (Objective)  Information systems audit considerations
    70  A12.7.1  Information systems audit controls
          Control: Audit requirements & activities involving verification of operational systems shall be carefully planned & agreed to mini[…] to business processes.

A13  Communications security

  A13.1 (Objective)  Network security management
    71  A13.1.1  Network controls
          Control: Networks shall be managed & controlled to protect information in systems & applications.
    72  A13.1.2  Security of network services
          Control: Security mechanisms, service levels & management requirements of all network services shall be identified & included i[…] services agreements, whether these services are provided in-house or outsourced.
    73  A13.1.3  Segregation in networks
          Control: Groups of information services, users & information systems shall be segregated on networks.

  A13.2 (Objective)  Information transfer
    74  A13.2.1  Information transfer policies & procedures
          Control: Formal transfer policies, procedures & controls shall be in place to protect the transfer of information through the use of […] communication facilities.
    75  A13.2.2  Agreements on information transfer
          Control: Agreements shall address the secure transfer of business information between the organization & external parties.
    76  A13.2.3  Electronic messaging
          Control: Information involved in electronic messaging shall be appropriately protected.
    77  A13.2.4  Confidentiality or non-disclosure agreements
          Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of in[…] be identified, regularly reviewed & documented.

A14  System acquisition, development & maintenance

  A14.1 (Objective)  Security requirements of information systems
    78  A14.1.1  Information security requirements analysis & specification
          Control: The information security related requirements shall be included in the requirements for new information systems or enh[…] existing information systems.
    79  A14.1.2  Securing application services on public networks
          Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, co[…] and unauthorized disclosure & modification.
    80  A14.1.3  Protecting application services transactions
          Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routi[…] unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

  A14.2 (Objective)  Security in development & support processes
    81  A14.2.1  Secure development policy
          Control: Rules for the development of software & systems shall be established and applied to developments within the organizati[…]
    82  A14.2.2  System change control procedures
          Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
    83  A14.2.3  Technical review of applications after operating platform changes
          Control: […]
    84  A14.2.4  Restrictions on changes to software packages
          Control: Modifications to software packages shall be discouraged, limited to necessary changes & all changes shall be strictly co[…]
    85  A14.2.5  Secure system engineering principles
          Control: […]
    86  A14.2.6  Secure development environment
          Control: […]
    87  A14.2.7  Outsourced development
          Control: The organization shall supervise & monitor the activity of outsourced system development.
    88  A14.2.8  System security testing
          Control: Testing of security functionality shall be carried out during development.
    89  A14.2.9  System acceptance testing
          Control: Acceptance testing programs & related criteria shall be established for new information systems, upgrades & new versio[…]

  A14.3 (Objective)  Test data
    90  A14.3.1  Protection of test data
          Control: Test data shall be selected carefully, protected & controlled.

A15  Supplier relationships

  A15.1 (Objective)  Information security in supplier relationships
    91  A15.1.1  Information security policy for supplier relationships
          Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets […] with the supplier & documented.
    92  A15.1.2  Addressing security within supplier agreements
          Control: All relevant information security requirements shall be established & agreed with each supplier that may access, proces[…] communicate, or provide IT infrastructure components for, the organization's information.
    93  A15.1.3  Information & communication technology supply chain
          Control: Agreements with suppliers shall include requirements to address the information security risks associated with informati[…] communications technology services & product supply chain.

  A15.2 (Objective)  Supplier service delivery management
    94  A15.2.1  Monitoring & review of supplier services
          Control: Organizations shall regularly monitor, review & audit supplier service delivery.
    95  A15.2.2  Managing changes to supplier services
          Control: Changes to the provision of services by suppliers, including maintaining & improving existing information security polici[…] & controls, shall be managed, taking account of the criticality of business information, systems & processes involved & r[…] of risks.


CH ID A16 | Control Header: Information security incident management

CO ID A16.1 | Control Objective: Management of information security incidents & improvements (Objective)
Sr. No | CR ID | 27K2 Control Requirement Title | Control Requirement
96 | A16.1.1 | Responsibilities & procedures (Control) | Management responsibilities & procedures shall be established to ensure a quick, effective & orderly response to information security incidents.
97 | A16.1.2 | Reporting information security events (Control) | Information security events shall be reported through appropriate management channels as quickly as possible.
98 | A16.1.3 | Reporting information security weaknesses (Control) | Employees & contractors using the organization's information systems & services shall be required to note & report any observed or suspected information security weaknesses in systems or services.
99 | A16.1.4 | Assessment of & decision on information security events (Control) | Information security events shall be assessed & it shall be decided if they are to be classified as information security incidents.
100 | A16.1.5 | Response to information security incidents (Control) | Information security incidents shall be responded to in accordance with the documented procedures.
101 | A16.1.6 | Learning from information security incidents (Control) | Knowledge gained from analysing & resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
102 | A16.1.7 | Collection of evidence (Control) | The organization shall define & apply procedures for the identification, collection, acquisition & preservation of information, which can serve as evidence.


CH ID A17 | Control Header: Information security aspects of business continuity management

CO ID A17.1 | Control Objective: Information security continuity (Objective)
Sr. No | CR ID | 27K2 Control Requirement Title | Control Requirement
103 | A17.1.1 | Planning information security continuity (Control) | The organization shall determine its requirements for information security & the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
104 | A17.1.2 | Implementing information security continuity (Control) | The organization shall establish, document, implement & maintain processes, procedures & controls to ensure the required level of continuity for information security during an adverse situation.
105 | A17.1.3 | Verify, review & evaluate information security continuity (Control) | The organization shall verify the established & implemented information security continuity controls at regular intervals in order to ensure that they are valid & effective during adverse situations.

CO ID A17.2 | Control Objective: Redundancies (Objective)
Sr. No | CR ID | 27K2 Control Requirement Title | Control Requirement
106 | A17.2.1 | Availability of information processing facilities (Control) | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.


CH ID A18 | Control Header: Compliance

CO ID A18.1 | Control Objective: Compliance with legal & contractual requirements (Objective)
Sr. No | CR ID | 27K2 Control Requirement Title | Control Requirement
107 | A18.1.1 | Identification of applicable legislation & contractual requirements (Control) | All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented & kept up to date for each information system & the organization.
108 | A18.1.2 | Intellectual property rights (Control) | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory & contractual requirements related to intellectual property rights & use of proprietary software products.
109 | A18.1.3 | Protection of records (Control) | Records shall be protected from loss, destruction, falsification, unauthorized access & unauthorized release, in accordance with legislatory, regulatory, contractual & business requirements.
110 | A18.1.4 | Privacy & protection of personally identifiable information (Control) | Privacy & protection of personally identifiable information shall be ensured as required in relevant legislation & regulation where applicable.
111 | A18.1.5 | Regulation of cryptographic controls (Control) | Cryptographic controls shall be used in compliance with all relevant agreements, legislation & regulations.

CO ID A18.2 | Control Objective: Information security reviews (Objective)
Sr. No | CR ID | 27K2 Control Requirement Title | Control Requirement
112 | A18.2.1 | Independent review of information security (Control) | The organization's approach to managing information security & its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
113 | A18.2.2 | Compliance with security policies & standards (Control) | Managers shall regularly review the compliance of information processing & procedures within their area of responsibility with the appropriate security policies, standards & any other security requirements.
114 | A18.2.3 | Technical compliance review (Control) | Information systems shall be regularly reviewed for compliance with the organization's information security policies & standards.


    Sr. No 27K2 Control Requirement Title CR ID

    1 Policies for information security Control A5.1.1

    2 A5.1.2

    3 A6.1.1

    4 e're'ation of $uties Control A6.1.2

    5 Contact it! aut!orities Control A6.1.3

    6 A6.1.4

    7 A6.1.5

    8 o#ile $evice "olicy Control A6.2.1

    9 *eleorin' Control A6.2.2

    10 creenin' Control A7.1.1

    11 A7.1.2

    12 ana'ement res"onsi#ilities Control A7.2.1

    13 A7.2.2

    14 isci"linary "rocess Control A7.2.3

    15 A7.3.1

    16 -nventory of assets Control A8.1.1

    17 /ners!i" of assets Control A8.1.2

    18 Acce"ta#le use of assets Control A8.1.3

    19 Return of assets Control A8.1.4

    20 Classi%cation of information Control A8.2.1

    21 a#ellin' of information Control A8.2.2

    22 an$lin' of assets Control A8.2.3

    23 A8.3.1

    Revie of t!e "olicies for informationsecurity Control

    -nformation security roles (

    res"onsi#ilities Control

    Contact it! s"ecial interest 'rou"sControl

    -nformation security in "roectmana'ement Control

    *erms ( con$itions of em"loymentControl

    -nformation security aareness&e$ucation an$ trainin' Control

    *ermination or c!an'e of em"loymentres"onsi#ilities Control

    ana'ement of remova#le me$iaControl

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    77/96

    24 is"osal of me$ia Control A8.3.2

    25 P!ysical me$ia transfer Control A8.3.3

    26 Access control "olicy Control A9.1.1

    27 A9.1.2

    28 A9.2.1

    29 :ser access "rovisionin' Control A9.2.2

    30 A9.2.3

    31 A9.2.4

    32 Revie of user access ri'!ts Control A9.2.5

    33 A9.2.6

    34 A9.3.1

    35 -nformation access restriction Control A9.4.1

    36 ecure lo';on "roce$ures Control A9.4.2

    37 Passor$ mana'ement system Control A9.4.3

    38 A9.4.4

    39 A9.4.5

    40 A10.1.1

    41 =ey mana'ement Control A10.1.2

    42 P!ysical security "erimeter Control A11.1.1

    43 P!ysical entry controls Control A11.1.2

    44 A11.1.3

    45 A11.1.4

    46

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    78/96

    48 >+ui"ment sitin' ( "rotection Control A11.2.1

    49 u""ortin' utilities Control A11.2.2

    50 Ca#lin' security Control A11.2.3

    51 >+ui"ment maintenance Control A11.2.4

    52 Removal of assets Control A11.2.5

    53 A11.2.6

    54 A11.2.7

    55 :natten$e$ user e+ui"ment Control A11.2.8

    56 Clear $es ( clear screen "olicy Control A11.2.9

    57 A12.1.1

    58 C!an'e mana'ement Control A12.1.2

    59 Ca"acity mana'ement Control A12.1.3

    60 A12.1.4

    61 Controls a'ainst malare Control A12.2.1

    62 -nformation #acu" Control A12.3.1

    63 >vent lo''in' Control A12.4.1

    64 Protection of lo' information Control A12.4.2

    65 A$ministrator ( o"erator lo's Control A12.4.3

    66 Cloc sync!ronisation Control A12.4.4

    67 A12.5.1

    68 A12.6.1

    69 A12.6.2

    70 A12.7.1

    71 @etor controls Control A13.1.1

    ecurity of e+ui"ment ( assets o,;"remises Control

    ecure $is"osal or reuse of e+ui"mentControl

    ocumente$ o"eratin' "roce$uresControl

    e"aration of $evelo"ment& testin' (

    o"erational environments Control

    -nstallation of softare on o"erationalsystems Control

    ana'ement of tec!nicalvulnera#ilities Control

    Restrictions on softare installationControl

    -nformation systems au$it controls

    Control

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    79/96

    72 ecurity of netor services Control A13.1.2

    73 e're'ation in netors Control A13.1.3

    74 A13.2.1

    75 A13.2.2

    76 >lectronic messa'in' Control A13.2.3

    77 A13.2.4

    78 A14.1.1

    79 A14.1.2

    80 A14.1.3

    81 ecure $evelo"ment "olicy Control A14.2.1

    82 A14.2.2

    83 A14.2.3

    84 A14.2.4

    85 A14.2.5

    86 A14.2.6

    87 /utsource$ $evelo"ment Control A14.2.7

    88 ystem security testin' Control A14.2.8

    89 ystem acce"tance testin' Control A14.2.9

    -nformation transfer "olicies ("roce$ures Control

    A'reements on information transferControl

    Con%$entiality or non$isclosurea'reements Control

    -nformation security re+uirementsanalysis ( s"eci%cation Control

    ecurin' a""lication services on "u#lic

    netors Control

    Protectin' a""lication servicestransactions Control

    ystem c!an'e control "roce$uresControl

    *ec!nical revie of a""lications aftero"eratin' "latform c!an'es Control

    Restrictions on c!an'es to softare"aca'es Control

    ecure system en'ineerin' "rinci"lesControl

    ecure $evelo"mentenvironmentControl

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    80/96

    90 Protection of test $ata Control A14.3.1

    91 A15.1.1

    92 A15.1.2

    93 A15.1.3

    94 A15.2.1

    95 A15.2.2

    96 Res"onsi#ilities ( "roce$ures Control A16.1.1

    97 A16.1.2

    98 A16.1.3

    99 A16.1.4

    100 A16.1.5

    101 A16.1.6

    102 Collection of evi$ence Control A16.1.7

    103 A17.1.1

    104 A17.1.2

    105 A17.1.3

    106 A17.2.1

    -nformation security "olicy for su""lierrelations!i"s Control

    A$$ressin' security it!in su""liera'reements Control

    -nformation ( communicationtec!nolo'y su""ly c!ain Control

    onitorin' ( revie of su""lier servicesControl

    ana'in' c!an'es to su""lier servicesControl

    Re"ortin' information security eventsControl

    Re"ortin' information securityeanesses Control

    Assessment of ( $ecision oninformation security events Control

    Res"onse to information securityinci$ents Control

    earnin' from information securityinci$ents Control

    Plannin' information security continuityControl

    -m"lementin' information securitycontinuity Control

    erify& revie ( evaluate informationsecurity continuity Control

    Availa#ility of information "rocessin'

    facilities Control

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    81/96

    107 A18.1.1

    108 -ntellectual "ro"erty ri'!ts Control A18.1.2

    109 Protection of recor$s Control A18.1.3

    110 A18.1.4

    111 A18.1.5

    112 A18.2.1

    113 A18.2.2

    114 *ec!nical com"liance revie Control A18.2.3

    115

    116

    117

    118

    119120

    121

    122

    123

    124

    125

    126

    127

    128

    129130

    131

    132

    133

    134

    135

    136

    137

    138

    139140

    141

    -$enti%cation of a""lica#le le'islation (contractual re+uirements Control

    Privacy ( "rotection of "ersonallyi$enti%a#le information Control

    Re'ulation of cry"to'ra"!ic controlsControl

    -n$e"en$ent revie of informationsecurity Control

    Com"liance it! security "olicies (stan$ar$s Control

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    82/96

    142

    143

    144

    145

    146

    147

    148149

    150

    151

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    83/96

    Control Requirement

    All information security res"onsi#ilities s!all #e $e%ne$ ( allocate$.

    A""ro"riate contacts it! relevant aut!orities s!all #e maintaine$

    A""ro"riate contacts it! s"ecial interest 'rou"s or ot!er s"ecialist security forums ( "rofessional associations s!all #e

    -nformation security s!all #e a$$resse$ in "roect mana'ement& re'ar$less of t!e ty"e of t!e "roect.

    A "olicy ( su""ortin' security measures s!all #e a$o"te$ to mana'e t!e riss intro$uce$ #y usin' mo#ile $evices.

    *!e contractual a'reements it! em"loyees ( contractors s!all state t!eir ( t!e or'aniations res"onsi#ilities for infor

    Assets maintaine$ in t!e inventory s!all #e one$.

    -nformation s!all #e classi%e$ in terms of le'al re+uirements& value& criticality ( sensitivity to unaut!orie$ $isclosure or

    A set of "olicies for information security s!all #e $e%ne$& a""rove$ #y mana'ement& "u#lis!e$ ( communicate$ to em"relevant e)ternal "arties.

    *!e "olicies for information security s!all #e reviee$ at "lanne$ intervals or if si'ni%cant c!an'es occur to ensure t!eirsuita#ility& a$e+uacy ( e,ectiveness

    Conictin' $uties ( areas of res"onsi#ility s!all #e se're'ate$ to re$uce o""ortunities for unaut!orie$ or unintentionalmisuse of t!e or'aniations assets.

    A "olicy ( su""ortin' security measures s!all #e im"lemente$ to "rotect information accesse$& "rocesse$ or store$ at tsites.

    ac'roun$ veri%cation c!ecs on all can$i$ates for em"loyment s!all #e carrie$ out in accor$ance it! relevant las& ret!ics ( s!all #e "ro"ortional to t!e #usiness re+uirements& t!e classi%cation of t!e information to #e accesse$ ( t!e "e

    ana'ement s!all re+uire all em"loyees ( contractors to a""ly information security in accor$ance it! t!e esta#lis!e$"roce$ures of t!e or'aniation.

    All em"loyees of t!e or'aniation an$& !ere relevant& contractors s!all receive a""ro"riate aareness e$ucation ( traiu"$ates in or'aniational "olicies ( "roce$ures& as relevant for t!eir o# function.

    *!ere s!all #e a formal ( communicate$ $isci"linary "rocess in "lace to tae action a'ainst em"loyees !o !ave comminformation security #reac!.

    -nformation security res"onsi#ilities ( $uties t!at remain vali$ after termination or c!an'e of em"loyment s!all #e $e%ncommunicate$ to t!e em"loyee or contractor ( enforce$.

    Assets associate$ it! information ( information "rocessin' facilities s!all #e i$enti%e$ ( an inventory of t!ese assets su" ( maintaine$.

    Rules for t!e acce"ta#le use of information ( of assets associate$ it! information ( information "rocessin' facilities s!i$enti%e$& $ocumente$ ( im"lemente$.

    All em"loyees ( e)ternal "arty users s!all return all of t!e or'aniational assets in t!eir "ossession u"on termination ofem"loyment& contract or a'reement.

    An a""ro"riate set of "roce$ures for information la#ellin' s!all #e $evelo"e$ ( im"lemente$ in accor$ance it! t!e infoclassi%cation sc!eme a$o"te$ #y t!e or'aniation.

    Proce$ures for !an$lin' assets s!all #e $evelo"e$ ( im"lemente$ in accor$ance it! t!e information classi%cation sc!e

    t!e or'aniation

    Proce$ures s!all #e im"lemente$ for t!e mana'ement of remova#le me$ia in accor$ance it! t!e classi%cation sc!emeor'aniation.

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    84/96

    e$ia s!all #e $is"ose$ of securely !en no lon'er re+uire$& usin' formal "roce$ures.

    e$ia containin' information s!all #e "rotecte$ a'ainst unaut!orie$ access& misuse or corru"tion $urin' trans"ortatio

    An access control "olicy s!all #e esta#lis!e$& $ocumente$ ( reviee$ #ase$ on #usiness ( information security re+uire

    :sers s!all only #e "rovi$e$ it! access to t!e netor ( netor services t!at t!ey !ave #een s"eci%cally aut!orie$ t

    A formal user re'istration ( $e;re'istration "rocess s!all #e im"lemente$ to ena#le assi'nment of access ri'!ts.

    *!e allocation ( use of "rivile'e$ access ri'!ts s!all #e restricte$ ( controlle$.

    *!e allocation of secret aut!entication information s!all #e controlle$ t!rou'! a formal mana'ement "rocess.

    Asset oners s!all revie users access ri'!ts at re'ular intervals.

    :sers s!all #e re+uire$ to follo t!e or'aniations "ractices in t!e use of secret aut!entication information.

    Access to information ( a""lication system functions s!all #e restricte$ in accor$ance it! t!e access control "olicy.

    Passor$ mana'ement systems s!all #e interactive ( s!all ensure +uality "assor$s.

    *!e use of utility "ro'rams t!at mi'!t #e ca"a#le of overri$in' system ( a""lication controls s!all #e restricte$ ( ti'!tl

    Access to "ro'ram source co$e s!all #e restricte$.

    A "olicy on t!e use of cry"to'ra"!ic controls for "rotection of information s!all #e $evelo"e$ ( im"lemente$.

    A "olicy on t!e use& "rotection ( lifetime of cry"to'ra"!ic eys s!all #e $evelo"e$ ( im"lemente$ t!rou'! t!eir !ole li

    ecure areas s!all #e "rotecte$ #y a""ro"riate entry controls to ensure t!at only aut!orie$ "ersonnel are alloe$ acce

    P!ysical security for o?ces& rooms ( facilities s!all #e $esi'ne$ ( a""lie$.

    P!ysical "rotection a'ainst natural $isasters& malicious attac or acci$ents s!all #e $esi'ne$ ( a""lie$.

    Proce$ures for orin' in secure areas s!all #e $esi'ne$ ( a""lie$.

    A formal user access "rovisionin' "rocess s!all #e im"lemente$ to assi'n or revoe access ri'!ts for all user ty"es to allservices.

    *!e access ri'!ts of all em"loyees ( e)ternal "arty users to information ( information "rocessin' facilities s!all #e remtermination of t!eir em"loyment& contract or a'reement& or a$uste$ u"on c!an'e.

    ecurity "erimeters s!all #e $e%ne$ ( use$ to "rotect areas t!at contain eit!er sensitive or critical information ( inform"rocessin' facilities.

    Access "oints suc! as $elivery ( loa$in' areas ( ot!er "oints !ere unaut!orie$ "ersons coul$ enter t!e "remises s!alan$& if "ossi#le& isolate$ from information "rocessin' facilities to avoi$ unaut!orie$ access.

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    85/96

    >+ui"ment s!all #e "rotecte$ from "oer failures ( ot!er $isru"tions cause$ #y failures in su""ortin' utilities.

    >+ui"ment s!all #e correctly maintaine$ to ensure its continue$ availa#ility ( inte'rity.

    >+ui"ment& information or softare s!all not #e taen o,;site it!out "rior aut!oriation.

    ecurity s!all #e a""lie$ to o,;site assets tain' into account t!e $i,erent riss of orin' outsi$e t!e or'aniations "r

    :sers s!all ensure t!at unatten$e$ e+ui"ment !as a""ro"riate "rotection.

    A clear $es "olicy for "a"ers ( remova#le stora'e me$ia ( a clear screen "olicy for information "rocessin' facilities s!

    /"eratin' "roce$ures s!all #e $ocumente$ ( ma$e availa#le to all users !o nee$ t!em

    acu" co"ies of information& softare ( system ima'es s!all #e taen ( teste$ re'ularly in accor$ance it! an a'ree$

    >vent lo's recor$in' user activities& e)ce"tions& faults ( information security events s!all #e "ro$uce$& e"t ( re'ularly

    o''in' facilities ( lo' information s!all #e "rotecte$ a'ainst tam"erin' ( unaut!orie$ access.

    ystem a$ministrator ( system o"erator activities s!all #e lo''e$ ( t!e lo's "rotecte$ ( re'ularly reviee$.

    Proce$ures s!all #e im"lemente$ to control t!e installation of softare on o"erational systems.

    Rules 'overnin' t!e installation of softare #y users s!all #e esta#lis!e$ ( im"lemente$.

    @etors s!all #e mana'e$ ( controlle$ to "rotect information in systems ( a""lications.

    >+ui"ment s!all #e site$ ( "rotecte$ to re$uce t!e riss from environmental t!reats ( !aar$s& ( o""ortunities for unaaccess.

    Poer ( telecommunications ca#lin' carryin' $ata or su""ortin' information services s!all #e "rotecte$ from interce"tior $ama'e.

    All items of e+ui"ment containin' stora'e me$ia s!all #e veri%e$ to ensure t!at any sensitive $ata ( license$ softareremove$ or securely overritten "rior to $is"osal or re;use.

    C!an'es to t!e or'aniation& #usiness "rocesses& information "rocessin' facilities ( systems t!at a,ect information seccontrolle$.

    *!e use of resources s!all #e monitore$& tune$ ( "roections ma$e of future ca"acity re+uirements to ensure t!e re+uir"erformance.

    evelo"ment& testin'& ( o"erational environments s!all #e se"arate$ to re$uce t!e riss of unaut!orie$ access or c!a

    o"erational environment.

    etection& "revention ( recovery controls to "rotect a'ainst malare s!all #e im"lemente$& com#ine$ it! a""ro"riateaareness.

    *!e clocs of all relevant information "rocessin' systems it!in an or'aniation or security $omain s!all #e sync!ronisereference time source.

    -nformation a#out tec!nical vulnera#ilities of information systems #ein' use$ s!all #e o#taine$ in a timely fas!ion& t!ee)"osure to suc! vulnera#ilities evaluate$ ( a""ro"riate measures taen to a$$ress t!e associate$ ris.

    Au$it re+uirements ( activities involvin' veri%cation of o"erational systems s!all #e carefully "lanne$ ( a'ree$ to minito #usiness "rocesses.

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    86/96

    rou"s of information services& users ( information systems s!all #e se're'ate$ on netors.

    A'reements s!all a$$ress t!e secure transfer of #usiness information #eteen t!e or'aniation ( e)ternal "arties.

    -nformation involve$ in electronic messa'in' s!all #e a""ro"riately "rotecte$.

    Rules for t!e $evelo"ment of softare ( systems s!all #e esta#lis!e$ an$ a""lie$ to $evelo"ments it!in t!e or'aniati

    C!an'es to systems it!in t!e $evelo"ment lifecycle s!all #e controlle$ #y t!e use of formal c!an'e control "roce$ures

    o$i%cations to softare "aca'es s!all #e $iscoura'e$& limite$ to necessary c!an'es ( all c!an'es s!all #e strictly co

    *!e or'aniation s!all su"ervise ( monitor t!e activity of outsource$ system $evelo"ment.

    *estin' of security functionality s!all #e carrie$ out $urin' $evelo"ment.

    Acce"tance testin' "ro'rams ( relate$ criteria s!all #e esta#lis!e$ for ne information systems& u"'ra$es ( ne versio

    ecurity mec!anisms& service levels ( mana'ement re+uirements of all netor services s!all #e i$enti%e$ ( inclu$e$ iservices a'reements& !et!er t!ese services are "rovi$e$ in;!ouse or outsource$.

    Bormal transfer "olicies& "roce$ures ( controls s!all #e in "lace to "rotect t!e transfer of information t!rou'! t!e use ofcommunication facilities.

    Re+uirements for con%$entiality or non;$isclosure a'reements reectin' t!e or'aniations nee$s for t!e "rotection of in#e i$enti%e$& re'ularly reviee$ ( $ocumente$.

    *!e information security relate$ re+uirements s!all #e inclu$e$ in t!e re+uirements for ne information systems or en!e)istin' information systems.

    -nformation involve$ in a""lication services "assin' over "u#lic netors s!all #e "rotecte$ from frau$ulent activity& coan$ unaut!orie$ $isclosure ( mo$i%cation.

    -nformation involve$ in a""lication service transactions s!all #e "rotecte$ to "revent incom"lete transmission& mis;routiunaut!orie$ messa'e alteration& unaut!orie$ $isclosure& unaut!orie$ messa'e $u"lication or re"lay.

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    87/96

    *est $ata s!all #e selecte$ carefully& "rotecte$ ( controlle$.

    /r'aniations s!all re'ularly monitor& revie ( au$it su""lier service $elivery.

    -nformation security events s!all #e re"orte$ t!rou'! a""ro"riate mana'ement c!annels as +uicly as "ossi#le.

    -nformation security events s!all #e assesse$ ( it s!all #e $eci$e$ if t!ey are to #e classi%e$ as information security inci

    -nformation security inci$ents s!all #e res"on$e$ to in accor$ance it! t!e $ocumente$ "roce$ures.

    -nformation "rocessin' facilities s!all #e im"lemente$ it! re$un$ancy su?cient to meet availa#ility re+uirements.

    -nformation security re+uirements for miti'atin' t!e riss associate$ it! su""liers access to t!e or'aniations assetsit! t!e su""lier ( $ocumente$.

    All relevant information security re+uirements s!all #e esta#lis!e$ ( a'ree$ it! eac! su""lier t!at may access& "rocescommunicate& or "rovi$e -* infrastructure com"onents for& t!e or'aniations information.

    A'reements it! su""liers s!all inclu$e re+uirements to a$$ress t!e information security riss associate$ it! informaticommunications tec!nolo'y services ( "ro$uct su""ly c!ain.

    C!an'es to t!e "rovision of services #y su""liers& inclu$in' maintainin' ( im"rovin' e)istin' information security "olici( controls& s!all #e mana'e$& tain' account of t!e criticality of #usiness information& systems ( "rocesses involve$ ( rof riss.

    ana'ement res"onsi#ilities ( "roce$ures s!all #e esta#lis!e$ to ensure a +uic& e,ective ( or$erly res"onse to informinci$ents.

    >m"loyees ( contractors usin' t!e or'aniations information systems ( services s!all #e re+uire$ to note ( re"ort anysus"ecte$ information security or services.eanesses in systems

    =nole$'e 'aine$ from analysin' ( resolvin' information security inci$ents s!all #e use$ to re$uce t!e lieli!oo$ or iminci$ents.

    *!e or'aniation s!all $e%ne ( a""ly "roce$ures for t!e i$enti%cation& collection& ac+uisition ( "reservation of informatiserve as evi$ence.

    *!e or'aniation s!all $etermine its re+uirements for information security ( t!e continuity of information security manaa$verse situations& e.'. $urin' a crisis or $isaster.

    *!e or'aniation s!all esta#lis!& $ocument& im"lement ( maintain "rocesses& "roce$ures ( controls to ensure t!e re+uircontinuity for information security $urin' an a$verse situation.

    *!e or'aniation s!all verify t!e esta#lis!e$ ( im"lemente$ information security continuity controls at re'ular intervals ensure t!at t!ey are vali$ ( e,ective $urin' a$verse situations.

  • 7/25/2019 ISO 27K2 Heade Domainwise Sheets

    88/96

    Cry"to'ra"!ic controls s!all #e use$ in com"liance it! all relevant a'reements& le'islation ( re'ulations.

    -nformation systems s!all #e re'ularly reviee$ for com"liance it! t!e or'aniations information security "olicies ( st

    All relevant le'islative statutory& re'ulatory& contractual re+uirements an$ t!e or'aniations a""roac! to meet t!ese res!all #e e)"licitly i$enti%e$& $ocumente$ ( e"t u" to $ate for eac! information system ( t!e or'aniation.

    A""ro"riate "roce$ures s!all #e im"lemente$ to ensure com"liance it! le'islative& re'ulatory ( contractual re+uiremeintellectual "ro"erty ri'!ts ( use of "ro"rietary softare "ro$ucts.

    Recor$s s!all #e "rotecte$ from loss& $estruction& falsi%cation& unaut!orie$ access ( unaut!orie$ release& in accor$anle'islatory& re'ulatory& contractual ( #usiness re+uirements.

    Privacy ( "rotection of "ersonally i$enti%a#le information s!all #e ensure$ as re+uire$ in relevant le'islation ( re'ulatioa""lica#le.

    *!e or'aniations a""roac! to mana'in' information security ( its im"lementation Di.e. control o#ectives& controls& "olan$ "roce$ures for information securityE s!all #e reviee$ in$e"en$ently at "lanne$ intervals or !en si'ni%cant c!an'

    ana'ers s!all re'ularly revie t!e com"liance of information "rocessin' ( "roce$ures it!in t!eir area of res"onsi#ilita""ro"riate security "olicies& stan$ar$s ( any ot!er security re+uirements.


    CH ID | Control Header | CO ID | Control Objective
    A5 | Information security policies | A5.1 | Management direction for information security
    A5 | Information security policies | A5.1 | Management direction for information security
    A6 | Organization of information security | A6.1 | Internal organization
    A6 | Organization of information security | A6.1 | Internal organization
    A6 | Organization of information security | A6.1 | Internal organization
    A6 | Organization of information security | A6.1 | Internal organization
    A6 | Organization of information security | A6.1 | Internal organization
    A6 | Organization of information security | A6.2 | Mobile devices and teleworking
    A6 | Organization of information security | A6.2 | Mobile devices and teleworking
    A7 | Human resource security | A7.1 | Prior to employment
    A7 | Human resource security | A7.1 | Prior to employment
    A7 | Human resource security | A7.2 | During employment
    A7 | Human resource security | A7.2 | During employment
    A7 | Human resource security | A7.2 | During employment
    A7 | Human resource security | A7.3 | Termination and change of employment
    A8 | Asset management | A8.1 | Responsibility for assets
    A8 | Asset management | A8.1 | Responsibility for assets
    A8 | Asset management | A8.1 | Responsibility for assets
    A8 | Asset management | A8.1 | Responsibility for assets
    A8 | Asset management | A8.2 | Information classification
    A8 | Asset management | A8.2 | Information classification
    A8 | Asset management | A8.2 | Information classification
    A8 | Asset management | A8.3 | Media handling


    A8 | Asset management | A8.3 | Media handling
    A8 | Asset management | A8.3 | Media handling
    A9 | Access control | A9.1 | Business requirements of access control
    A9 | Access control | A9.1 | Business requirements of access control
    A9 | Access control | A9.2 | User access management
    A9 | Access control | A9.2 | User access management
    A9 | Access control | A9.2 | User access management
    A9 | Access control | A9.2 | User access management
    A9 | Access control | A9.2 | User access management
    A9 | Access control | A9.2 | User access management
    A9 | Access control | A9.3 | User responsibilities
    A9 | Access control | A9.4 | System and application access control
    A9 | Access control | A9.4 | System and application access control
    A9 | Access control | A9.4 | System and application access control
    A9 | Access control | A9.4 | System and application access control
    A9 | Access control | A9.4 | System and application access control
    A10 | Cryptography | A10.1 | Cryptographic controls
    A10 | Cryptography | A10.1 | Cryptographic controls
    A11 | Physical and environmental security | A11.1 | Secure areas
    A11 | Physical and environmental security | A11.1 | Secure areas
    A11 | Physical and environmental security | A11.1 | Secure areas
    A11 | Physical and environmental security | A11.1 | Secure areas
    A11 | Physical and environmental security | A11.1 | Secure areas
    A11 | Physical and environmental security | A11.1 | Secure areas


    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A11 A11.2 >+ui"ment /#ective

    A12 /"erations security A12.1

    A12 /"erations security A12.1

    A12 /"erations security A12.1

    A12 /"erations security A12.1

    A12 /"erations security A12.2 Protection from malare /#ective

    A12 /"erations security A12.3 acu" /#ective

    A12 /"erations security A12.4 o''in' ( monitorin' /#ective

    A12 /"erations security A12.4 o''in' ( monitorin' /#ective

    A12 /"erations security A12.4 o''in' ( monitorin' /#ective

    A12 /"erations security A12.4 o''in' ( monitorin' /#ective

    A12 /"erations security A12.5

    A12 /"erations security A12.6

    A12 /"erations security A12.6

    A12 /"erations security A12.7

    A13 Communications security A13.1

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    P!ysical ( environmentalsecurity

    /"erational "roce$ures (res"onsi#ilities /#ective

    /"erational "roce$ures (res"onsi#ilities /#ective

    /"erational "roce$ures (res"onsi#ilities /#ective

    /"erational "roce$ures (

    res"onsi#ilities /#ective

    Control of o"erational softare/#ective

    *ec!nical vulnera#ility mana'ement/#ective

    *ec!nical vulnera#ility mana'ement/#ective

    -nformation systems au$it

    consi$erations /#ective@etor security mana'ement/#ective


    A13 | Communications security | A13.1 | Network security management
    A13 | Communications security | A13.1 | Network security management
    A13 | Communications security | A13.2 | Information transfer
    A13 | Communications security | A13.2 | Information transfer
    A13 | Communications security | A13.2 | Information transfer
    A13 | Communications security | A13.2 | Information transfer
    A14 | System acquisition, development and maintenance | A14.1 | Security requirements of information systems
    A14 | System acquisition, development and maintenance | A14.1 | Security requirements of information systems
    A14 | System acquisition, development and maintenance | A14.1 | Security requirements of information systems
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes
    A14 | System acquisition, development and maintenance | A14.2 | Security in development and support processes


    A14 | System acquisition, development and maintenance | A14.3 | Test data
    A15 | Supplier relationships | A15.1 | Information security in supplier relationships
    A15 | Supplier relationships | A15.1 | Information security in supplier relationships
    A15 | Supplier relationships | A15.1 | Information security in supplier relationships
    A15 | Supplier relationships | A15.2 | Supplier service delivery management
    A15 | Supplier relationships | A15.2 | Supplier service delivery management
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A16 | Information security incident management | A16.1 | Management of information security incidents and improvements
    A17 | Information security aspects of business continuity management | A17.1 | Information security continuity
    A17 | Information security aspects of business continuity management | A17.1 | Information security continuity
    A17 | Information security aspects of business continuity management | A17.1 | Information security continuity
    A17 | Information security aspects of business continuity management | A17.2 | Redundancies


    A18 Com"liance A18.1

    A18 Com"liance A18.1

    A18 Com"liance A18.1

    A18 Com"liance A18.1

    A18 Com"liance A18.1

    A18 Com"liance A18.2

    A18 Com"liance A18.2

    A18 Com"liance A18.2

    Com"liance it! le'al ( contractualre+uirements /#ective

    Com"liance it! le'al ( contractualre+uirements /#ective

    Com"liance it! le'al ( contractualre+uirements /#ective

    Com"liance it! le'al ( contractualre+uirements /#ective

    Com"liance it! le'al ( contractualre+uirements /#ective

    -nformation security revies/#ective

    -nformation security revies/#ective

    -nformation security revies/#ective
