
[COMPANY] ISO 27001 Statement of Applicability

*This template is provided as a reference only and is in no way intended as legal or security compliance advice.

Classification: Confidential

VERSION HISTORY: LAST MODIFIED BY: DESCRIPTION OF CHANGES: DATE:

Columns: ANNEX A CONTROL | TITLE | CONTROL OBJECTIVE | CONTROL APPLIED? | CONTROL REQUIREMENT | CONTROL OWNER | NOTES AND DETAILS | JUSTIFICATION FOR EXCLUSION | DATE OF IMPLEMENTATION | DATE OF LAST ASSESSMENT

5 INFORMATION SECURITY POLICIES

5.1 Management direction for information security: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for information security: A set of policies for information security shall be defined, approved by management, published, and communicated to all employees and relevant external parties. [Control applied: Yes; Control requirement: Business requirement]

5.1.2 Review of the policies for information security: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. [Control applied: No; Control requirement: ISO 27001 requirement]

6 ORGANIZATION OF INFORMATION SECURITY

6.1 Internal organization: Establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information security roles and responsibilities: All information security responsibilities shall be defined and allocated. [Control applied: Partial]

6.1.2 Segregation of duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. [Control applied: Not Applicable]

6.1.3 Contact with authorities: Appropriate contacts with relevant authorities shall be maintained.

6.1.4 Contact with special interest groups: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

6.1.5 Information security in project management: Information security shall be addressed in project management, regardless of the type of project.

6.2 Mobile devices and teleworking: Ensure the security of teleworking and the use of mobile devices.

6.2.1 Mobile device policy: A policy and supporting security measures shall be adopted to manage the risks introduced by mobile devices.

6.2.2 Teleworking: A policy and supporting security measures shall be implemented to protect information accessed, processed, or stored at teleworking sites.

7 HUMAN RESOURCE SECURITY

7.1 Prior to employment: Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

7.1.1 Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

7.1.2 Terms and conditions of employment: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

7.2 During employment: Ensure that employees and contractors are aware of and fulfil their information security responsibilities.

7.2.1 Management responsibilities: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

7.2.2 Information security awareness, education, and training: All employees of the organization and relevant contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures as relevant to their job function.

7.2.3 Disciplinary process: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

7.3 Termination or change of employment: Protect the organization's interests as part of the process of changing or terminating employment.

7.3.1 Termination or change of employment responsibilities: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor, and enforced.

8 ASSET MANAGEMENT

8.1 Responsibility for assets: Identify organizational assets and define appropriate protection responsibilities.

8.1.1 Inventory of assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

8.1.2 Ownership of assets: Assets maintained in the inventory shall be owned.

8.1.3 Acceptable use of assets: Rules for the acceptable use of information and assets associated with information and information processing facilities shall be identified, documented, and implemented.

8.1.4 Return of assets: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract, or agreement.

8.2 Information classification: Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

8.2.1 Classification of information: Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.

8.2.2 Labelling of information: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

8.2.3 Handling of assets: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

8.3 Media handling: Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

8.3.1 Management of removable media: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

8.3.2 Disposal of media: Media shall be disposed of securely when no longer required, using formal procedures.

8.3.3 Physical media transfer: Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation.

9 ACCESS CONTROL

9.1 Business requirements of access control: Limit access to information and information processing facilities.

9.1.1 Access control policy: An access control policy shall be established, documented, and reviewed based on business and information security requirements.

9.1.2 Access to networks and network services: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

9.2 User access management: Ensure authorized user access and prevent unauthorized access to systems and services.

9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

9.2.2 User access provisioning: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

9.2.3 Management of privileged access rights: The allocation and use of privileged access rights shall be restricted and controlled.

9.2.4 Management of secret authentication information of users: The allocation of secret authentication information shall be controlled through a formal management process.

9.2.5 Review of user access rights: Asset owners shall review users' access rights at regular intervals.

9.2.6 Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted upon change.

9.3 User responsibilities: Make users accountable for safeguarding their authentication information.

9.3.1 Use of secret authentication information: Users shall be required to follow the organization's practices in the use of secret authentication information.

9.4 System and application access control: Prevent unauthorized access to systems and applications.

9.4.1 Information access restriction: Access to information and application system functions shall be restricted in accordance with the access control policy.

9.4.2 Secure log-on procedures: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

9.4.3 Password management system: Password management systems shall be interactive and shall ensure quality passwords.

9.4.4 Use of privileged utility programs: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

9.4.5 Access control to program source code: Access to program source code shall be restricted.

10 CRYPTOGRAPHY

10.1 Cryptographic controls: Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

10.1.1 Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

10.1.2 Key management: A policy on the use, protection, and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

11 PHYSICAL AND ENVIRONMENTAL SECURITY

11.1 Secure areas: Prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

11.1.1 Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

11.1.2 Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

11.1.3 Securing offices, rooms and facilities: Physical security for offices, rooms, and facilities shall be designed and applied.

11.1.4 Protecting against external and environmental threats: Physical protection against natural disasters, malicious attacks, or accidents shall be designed and applied.

11.1.5 Working in secure areas: Procedures for working in secure areas shall be designed and applied.

11.1.6 Delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled, and if possible, isolated from information processing facilities to prevent unauthorized access.

11.2 Equipment: Prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

11.2.1 Equipment siting and protection: Equipment shall be sited and protected to reduce risks of environmental threats and hazards, and opportunities for unauthorized access.

11.2.2 Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

11.2.3 Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference, or damage.

11.2.4 Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity.

11.2.5 Removal of assets: Equipment, information, or software shall not be taken off-site without prior authorization.

11.2.6 Security of equipment and assets off-premises: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

11.2.7 Secure disposal or reuse of equipment: All equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

11.2.8 Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection.

11.2.9 Clear desk and clear screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

12 OPERATIONS SECURITY

12.1 Operational procedures and responsibilities: Ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures: Operating procedures shall be documented and made available to all users who need them.

12.1.2 Change management: Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be controlled.

12.1.3 Capacity management: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

12.1.4 Separation of development, testing and operational environments: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

12.2 Protection from malware: Ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against malware: Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

12.3 Backups: Protect against loss of data.

12.3.1 Information backup: Backup copies of information, software, and system images shall be taken and tested regularly in accordance with an agreed backup policy.

12.4 Logging and monitoring: Record events and generate evidence.

12.4.1 Event logging: Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept, and regularly reviewed.

12.4.2 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.

12.4.3 Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

12.4.4 Clock synchronisation: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

12.5 Control of operational software: Ensure the integrity of operational systems.

12.5.1 Installation of software on operational systems: Procedures should be implemented to control the installation of software on operational systems.

12.6 Technical vulnerability management: Prevent exploitation of technical vulnerabilities.

12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

12.6.2 Restrictions on software installation: Rules governing the installation of software by users should be established and implemented.

12.7 Information systems audit considerations: Minimize the impact of audit activities on operational systems.

12.7.1 Information systems audit controls: Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.

13 COMMUNICATIONS SECURITY

13.1 Network security management: Ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls: Networks shall be managed and controlled to protect information in systems and applications.

13.1.2 Security of network services: Security mechanisms, service levels, and management requirements of all network services shall be identified and included in network service agreements, whether these services are provided in-house or outsourced.

13.1.3 Segregation in networks: Groups of information services, users, and information systems shall be segregated on networks.

13.2 Information transfer: Maintain the security of information transferred within an organization and with any external entity.

13.2.1 Information transfer policies and procedures: Formal transfer policies, procedures, and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

13.2.2 Agreements on information transfer: Agreements shall address the secure transfer of business information between the organization and external parties.

13.2.3 Electronic messaging: Information involved in electronic messaging shall be appropriately protected.

13.2.4 Confidentiality or non-disclosure agreements: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed, and documented.

14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE

14.1 Security requirements of information systems: Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

14.1.1 Information security requirements analysis and specification: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

14.1.2 Securing application services on public networks: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

14.1.3 Protecting application services transactions: Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay.

14.2 Security in development and support processes: Ensure that information security is designed and implemented within the development lifecycle of information systems.

14.2.1 Secure development policy: Rules for the development of software and systems shall be established and applied to developments within the organization.

14.2.2 System change control procedures: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

14.2.3 Technical review of applications after operating platform changes: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organization operations or security.

14.2.4 Restrictions on changes to software packages: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

14.2.5 Secure system engineering principles: Principles for engineering secure systems shall be established, documented, maintained, and applied to any information system implementation efforts.

14.2.6 Secure development environment: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

14.2.7 Outsourced development: The organization shall supervise and monitor the activity of outsourced system development.

14.2.8 System security testing: Testing of security functionality shall be carried out during development.

14.2.9 System acceptance testing: Acceptance testing programs and related criteria shall be established for new information systems, upgrades, and new versions.

14.3 Test data: Ensure the protection of data used for testing.

14.3.1 Protection of test data: Test data shall be selected carefully, protected, and controlled.

15 SUPPLIER RELATIONSHIPS

15.1 Information security in supplier relationships: Ensure protection of the organization's assets that are accessible by suppliers.

15.1.1 Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with supplier access to the organization's assets shall be agreed on with the supplier and documented.

15.1.2 Addressing security within supplier agreements: All relevant information security requirements should be established and agreed upon with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.

15.1.3 Information and communication technology supply chain: Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chains.

15.2 Supplier service delivery management: Maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.1 Monitoring and review of supplier services: Organizations should regularly monitor, review, and audit supplier service delivery.

15.2.2 Managing changes to supplier services: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, should be managed, taking account of the criticality of business information, systems, and processes involved and re-assessment of risks.

16 INFORMATION SECURITY INCIDENT MANAGEMENT

16.1 Management of information security incidents and improvements: Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.1 Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

16.1.2 Reporting information security events: Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.

16.1.3 Reporting information security weaknesses: Information security events should be reported through appropriate management channels as quickly as possible.

16.1.4 Assessment of and decision on information security events: Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

16.1.5 Response to information security incidents: Information security incidents should be responded to in accordance with the documented procedures.

16.1.6 Learning from information security incidents: Knowledge gained from analyzing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

16.1.7 Collection of evidence: The organization should define and apply procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence.

17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

17.1 Information security continuity: Information security continuity shall be embedded in the organization's business continuity management systems.

17.1.1 Planning information security continuity: The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

17.1.2 Implementing information security continuity: The organization should establish, document, implement and maintain processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation.

17.1.3 Verify, review and evaluate information security continuity: The organization must verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during these situations.

17.2 Redundancies: Ensure availability of information processing facilities.

17.2.1 Availability of information processing facilities: Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

18 COMPLIANCE

18.1 Compliance with legal and contractual requirements: Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.1 Identification of applicable legislation and contractual requirements: All relevant legislative, statutory, regulatory, contractual requirements and the organization's approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization.

18.1.2 Intellectual property rights: Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

18.1.3 Protection of records: Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

18.1.4 Privacy and protection of personally identifiable information: Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

18.1.5 Regulation of cryptographic controls: Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.

18.2 Information security reviews: Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent review of information security: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

18.2.2 Compliance with security policies and standards: Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

18.2.3 Technical compliance review: Information systems should be regularly reviewed for compliance with the organization's information security policies and standards.


5 INFORMATION SECURITY POLICIES


A.5.1 Policies for A.5.1 Policies for Define, approve by management, publish,
information security information communicate and acknowledge by relevant
security personnel and interested parties, all Yes
information security policy and topic-specific
policies. The Policies must be reviewed at
planned intervals and in case of significant
A.5.2 Information A.5.2 Information Define and allocate roles and responsibilities
Security Roles and Security Roles for information security, according to needs of Business
Responsibilities and the organization. No
requirement
Responsibilities
A.5.3 Segregation of A.5.3 Segregation of Conflicting duties and areas of responsibility
Duties Duties shall be segregated to reduce opportunities ISO 27001
for unauthorized or unintentional modification Partial
requirement
or misuse of the organization's assets
6.1 Internal A.5.4 Management Management shall require all employees and
organization Responsibilities contractors to apply information security in
accordance with the established policies and Not Applicable
procedures of the organization
6.1.1 Information security A.5.5 Contact with Appropriate contacts with relevant authorities
roles and Authorities shall be established and maintained
responsibilities

6.1.2 Segregation of A.5.6 Contact with Appropriate contacts with special interest
duties Special Interest groups or other specialist ssecurity forums
Groups and professional associations shall be
established and maintained

6.1.3 Contact with authorities | A.5.7 Threat intelligence | Collect and analyze information relating to information security threats to produce threat intelligence.
6.1.4 Contact with special interest groups | A.5.8 Information security in project management | Information security shall be addressed and integrated in project management, regardless of the type of project.
6.1.5 Information security in project management | A.5.9 Inventory of information and other associated assets | Develop and maintain an inventory of information and other associated assets, including owners.
6.2 Mobile devices and teleworking | A.5.10 Acceptable use of information and other associated assets | Identify, document and implement rules for the acceptable use and procedures for handling information and other associated assets.
6.2.1 Mobile device policy | A.5.11 Return of assets | Ensure personnel and other interested parties return the assets in their possession and belonging to the organization, when their employment, contract or agreement is terminated or changed.
6.2.2 Teleworking | A.5.12 Classification of information | Classify information in accordance with the information security needs of the organization, based on confidentiality, integrity, availability and the relevant requirements of interested parties.
7.1 Prior to employment | A.5.13 Labelling of information | Develop and implement an appropriate set of procedures for information labelling, in accordance with the classification scheme adopted.
7.1.1 Screening | A.5.14 Information transfer | Ensure the rules, procedures or agreements are in place for the transfer of information within the organization and between the organization and other parties, for all types of transfer facilities.
7.1.2 Terms and conditions of employment | A.5.15 Access control | Rules to control the physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
7.2 During employment | A.5.16 Identity management | The full life cycle of identities shall be managed.
7.2.1 Management responsibilities | A.5.17 Authentication information | Control the allocation and management of authentication information with a management process, including advising personnel on appropriate handling of authentication information.
7.2.2 Information security awareness, education, and training | A.5.18 Access rights | Provide, review, modify and remove access rights to information and other associated assets in accordance with the topic-specific policy and rules on access control.
7.2.3 Disciplinary process | A.5.19 Information security in supplier relationships | Define and implement processes and procedures to manage the information security risks that are associated with the use of products and services obtained from suppliers.
7.3 Termination or change of employment | A.5.20 Addressing information security within supplier agreements | Establish and agree with each supplier relevant information security requirements based on the type of supplier relationship.
7.3.1 Termination or change of employment responsibilities | A.5.21 Managing information security in the ICT supply chain | Define and implement processes and procedures to manage the information security risks associated with the ICT products and services supply chain.
8.1 Responsibility for assets | A.5.22 Monitoring, review and change management of supplier services | Regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
8.1.1 Inventory of assets | A.5.23 Information security for use of cloud services | Establish processes for the acquisition, use, management and exit from cloud services in accordance with the information security requirements of the organization.
8.1.2 Ownership of assets | A.5.24 Information security incident management planning and preparation | Plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
8.1.3 Acceptable use of assets | A.5.25 Assessment and decision on information security events | Assess information security events and decide if they will be categorized as incidents.
8.1.4 Return of assets | A.5.26 Response to information security incidents | Respond to information security incidents in accordance with documented procedures.
8.2 Information classification | A.5.27 Learning from information security incidents | Use the knowledge gained from information security incidents to strengthen and improve the information security controls.
8.2.1 Classification of information | A.5.28 Collection of evidence | Establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
8.2.2 Labelling of information | A.5.29 Information security during disruption | Plan how to maintain information security at an appropriate level during disruption.
8.2.3 Handling of assets | A.5.30 ICT readiness for business continuity | Plan, implement, maintain and test ICT readiness based on the business continuity objectives and ICT continuity requirements.
8.3 Media handling | A.5.31 Legal, statutory, regulatory and contractual requirements | Identify, document and keep up to date the legal, statutory, regulatory and contractual requirements relevant for information security along with the organization’s approach to meet them.
8.3.1 Management of removable media | A.5.32 Intellectual property rights | Implement appropriate procedures to protect intellectual property rights.
8.3.2 Disposal of media | A.5.33 Protection of records | Protect records from loss, destruction, falsification, unauthorized access and unauthorized release.
8.3.3 Physical media transfer | A.5.34 Privacy and protection of PII | Identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws, regulations and contractual requirements.
9.1 Business requirements of access control | A.5.35 Independent review of information security | Review independently at planned intervals and whenever significant changes occur, the approach to managing information security and its implementation, including people, processes and technology.
9.1.1 Access control policy | A.5.36 Compliance with policies, rules and standards for information security | Review regularly compliance with the organization’s information security policy, topic-specific policies, rules and standards.
9.1.2 Access to networks and network services | A.5.37 Documented operating procedures | Document the operating procedures for information processing facilities and make them available to the personnel who need them.

10 PEOPLE CONTROLS
9.2 User access management | A.6.1 Screening | Ensure authorized user access and prevent unauthorized access to systems and services.
9.2.1 User registration and de-registration | A.6.2 Terms and Conditions of Employment | A formal user registration and de-registration process shall be implemented to enable assignment of access rights
9.2.2 User access provisioning | A.6.3 Information Security Awareness, Education, and Training | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services
9.2.3 Management of privileged access rights | A.6.4 Disciplinary Process | The allocation and use of privileged access rights shall be restricted and controlled
9.2.4 Management of secret authentication information of users | A.6.5 Responsibilities After Termination or Change of Employment | The allocation of secret authentication information shall be controlled through a formal management process
9.2.5 Review of user access rights | A.6.6 Confidentiality or Non-Disclosure Agreements | Asset owners shall review users' access rights at regular intervals
9.2.6 Removal or adjustment of access rights | A.6.7 Remote Working | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted upon change
9.3 User responsibilities | A.6.8 Information Security Event Reporting | Make users accountable for safeguarding their authentication information.

11 PHYSICAL CONTROLS
9.3.1 Use of secret authentication information | A.7.1 Physical security perimeters | Users shall be required to follow the organization's practices in the use of secret authentication information
9.4 System and application access control | A.7.2 Physical entry | Prevent unauthorized access to systems and applications.
9.4.1 Information access restriction | A.7.3 Securing offices, rooms and facilities | Access to information and application system functions shall be restricted in accordance with the access control policy
9.4.2 Secure log-on procedures | A.7.4 Physical security monitoring | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure
9.4.3 Password management system | A.7.5 Protecting against physical and environmental threats | Password management systems shall be interactive and shall ensure quality passwords
9.4.4 Use of privileged utility programs | A.7.6 Working in secure areas | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled
9.4.5 Access control to program source code | A.7.7 Clear desk and clear screen | Access to program source code shall be restricted
10.1 Cryptographic controls | A.7.8 Equipment siting and protection | Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
10.1.1 Policy on the use of cryptographic controls | A.7.9 Security of assets off-premises | A policy on the use of cryptographic controls for protection of information shall be developed and implemented
10.1.2 Key management | A.7.10 Storage media | A policy on the use, protection, and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle
11.1 Secure areas | A.7.11 Supporting utilities | Prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
11.1.1 Physical security perimeter | A.7.12 Cabling security | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities
11.1.2 Physical entry controls | A.7.13 Equipment maintenance | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
11.1.3 Securing offices, rooms and facilities | A.7.14 Secure disposal or re-use of equipment | Physical security for offices, rooms, and facilities shall be designed and applied

12 TECHNOLOGICAL CONTROLS
11.1.4 Protecting against external and environmental threats | A.8.1 User endpoint devices | Physical protection against natural disasters, malicious attacks, or accidents shall be designed and applied
11.1.5 Working in secure areas | A.8.2 Information access restriction | Procedures for working in secure areas shall be designed and applied
11.1.6 Delivery and loading areas | A.8.3 Information access restriction | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled, and if possible, isolated from information processing facilities to prevent unauthorized access
11.2 Equipment | A.8.4 Access to source code | Prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
11.2.1 Equipment siting and protection | A.8.5 Secure authentication | Equipment shall be sited and protected to reduce risks of environmental threats and hazards, and opportunities for unauthorized access
11.2.2 Supporting utilities | A.8.6 Capacity management | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities
11.2.3 Cabling security | A.8.7 Protection against malware | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference, or damage
11.2.4 Equipment maintenance | A.8.8 Management of technical vulnerabilities | Equipment shall be correctly maintained to ensure its continued availability and integrity
11.2.5 Removal of assets | A.8.9 Configuration management | Equipment, information, or software shall not be taken off-site without prior authorization
11.2.6 Security of equipment and assets off-premises | A.8.10 Information deletion | Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises
11.2.7 Secure disposal or reuse of equipment | A.8.11 Data masking | All equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use
11.2.8 Unattended user equipment | A.8.12 Data leakage prevention | Users shall ensure that unattended equipment has appropriate protection
11.2.9 Clear desk and clear screen policy | A.8.13 Information backup | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted
12.1 Operational procedures and responsibilities | A.8.14 Redundancy of information processing facilities | Ensure correct and secure operations of information processing facilities.
12.1.1 Documented operating procedures | A.8.15 Logging | Operating procedures shall be documented and made available to all users who need them
12.1.2 Change management | A.8.16 Monitoring activities | Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be controlled
12.1.3 Capacity management | A.8.17 Clock synchronization | The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance
12.1.4 Separation of development, testing and operational environments | A.8.18 Use of privileged utility programs | Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment
12.2 Protection from malware | A.8.19 Installation of software on operational systems | Ensure that information and information processing facilities are protected against malware.
12.2.1 Controls against malware | A.8.20 Networks security | Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness
12.3 Backups | A.8.21 Security of network services | Protect against loss of data.
12.3.1 Information backup | A.8.22 Segregation of networks | Backup copies of information, software, and system images shall be taken and tested regularly in accordance with an agreed backup policy
12.4 Logging and monitoring | A.8.23 Web filtering | Record events and generate evidence.
12.4.1 Event logging | A.8.24 Use of cryptography | Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept, and regularly reviewed
12.4.2 Protection of log information | A.8.25 Secure development life cycle | Logging facilities and log information shall be protected against tampering and unauthorized access
12.4.3 Administrator and operator logs | A.8.26 Application security requirements | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed
12.4.4 Clock synchronisation | A.8.27 Secure system architecture and engineering principles | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source
12.5 Control of operational software | A.8.28 Secure coding | Ensure the integrity of operational systems.
12.5.1 Installation of software on operational systems | A.8.29 Security testing in development and acceptance | Procedures should be implemented to control the installation of software on operational systems
12.6 Technical vulnerability management | A.8.30 Outsourced development | Prevent exploitation of technical vulnerabilities.
12.6.1 Management of technical vulnerabilities | A.8.31 Separation of development, test and production environments | Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk
12.6.2 Restrictions on software installation | A.8.32 Change management | Rules governing the installation of software by users should be established and implemented
12.7 Information systems audit considerations | A.8.33 Test information | Minimize the impact of audit activities on operational systems.
12.7.1 Information systems audit controls | A.8.34 Protection of information systems during audit testing | Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes

13 COMMUNICATIONS SECURITY
13.1 Network security management | Ensure the protection of information in networks and its supporting information processing facilities.
13.1.1 Network controls | Networks shall be managed and controlled to protect information in systems and applications
13.1.2 Security of network services | Security mechanisms, service levels, and management requirements of all network services shall be identified and included in network service agreements, whether these services are provided in-house or outsourced
13.1.3 Segregation in networks | Groups of information services, users, and information systems shall be segregated on networks
13.2 Information transfer | Maintain the security of information transferred within an organization and with any external entity.
13.2.1 Information transfer policies and procedures | Formal transfer policies, procedures, and controls shall be in place to protect the transfer of information through the use of all types of communication facilities
13.2.2 Agreements on information transfer | Agreements shall address the secure transfer of business information between the organization and external parties
13.2.3 Electronic messaging | Information involved in electronic messaging shall be appropriately protected
13.2.4 Confidentiality or non-disclosure agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed, and documented

14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE
14.1 Security requirements of information systems | Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
14.1.1 Information security requirements analysis and specification | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems
14.1.2 Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification
14.1.3 Protecting application services transactions | Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay
14.2 Security in development and support processes | Ensure that information security is designed and implemented within the development lifecycle of information systems.
14.2.1 Secure development policy | Rules for the development of software and systems shall be established and applied to developments within the organization
14.2.2 System change control procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures
14.2.3 Technical review of applications after operating platform changes | When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organization operations or security
14.2.4 Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled
14.2.5 Secure system engineering principles | Principles for engineering secure systems shall be established, documented, maintained, and applied to any information system implementation efforts
14.2.6 Secure development environment | Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle
14.2.7 Outsourced development | The organization shall supervise and monitor the activity of outsourced system development
14.2.8 System security testing | Testing of security functionality shall be carried out during development
14.2.9 System acceptance testing | Acceptance testing programs and related criteria shall be established for new information systems, upgrades, and new versions
14.3 Test data | Ensure the protection of data used for testing.
14.3.1 Protection of test data | Test data shall be selected carefully, protected, and controlled

15 SUPPLIER RELATIONSHIPS
15.1 Information security in supplier relationships | Ensure protection of the organization's assets that are accessible by suppliers.
15.1.1 Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with supplier access to the organization's assets shall be agreed on with the supplier and documented
15.1.2 Addressing security within supplier agreements | All relevant information security requirements should be established and agreed upon with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information
15.1.3 Information and communication technology supply chain | Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chains
15.2 Supplier service delivery management | Maintain an agreed level of information security and service delivery in line with supplier agreements.
15.2.1 Monitoring and review of supplier services | Organizations should regularly monitor, review, and audit supplier service delivery
15.2.2 Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, should be managed, taking account of the criticality of business information, systems, and processes involved and re-assessment of risks

16 INFORMATION SECURITY INCIDENT MANAGEMENT
16.1 Management of information security incidents and improvements | Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
16.1.1 Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents
16.1.2 Reporting information security events | Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents
16.1.3 Reporting information security weaknesses | Information security events should be reported through appropriate management channels as quickly as possible
16.1.4 Assessment of and decision on information security events | Information security events should be assessed and it should be decided if they are to be classified as information security incidents
16.1.5 Response to information security incidents | Information security incidents should be responded to in accordance with the documented procedures
16.1.6 Learning from information security incidents | Knowledge gained from analyzing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents
16.1.7 Collection of evidence | The organization should define and apply procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence

17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
17.1 Information security continuity | Information security continuity shall be embedded in the organization's business continuity management systems.
17.1.1 Planning information security continuity | The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster
17.1.2 Implementing information security continuity | The organization should establish, document, implement and maintain processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation
17.1.3 Verify, review and evaluate information security continuity | The organization must verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during these situations
17.2 Redundancies | Ensure availability of information processing facilities.
17.2.1 Availability of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements

18 COMPLIANCE
18.1 Compliance with legal and contractual requirements | Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
18.1.1 Identification of applicable legislation and contractual requirements | All relevant legislative, statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization
18.1.2 Intellectual property rights | Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products
18.1.3 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements
18.1.4 Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable
18.1.5 Regulation of cryptographic controls | Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations
18.2 Information security reviews | Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
18.2.1 Independent review of information security | The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur
18.2.2 Compliance with security policies and standards | Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements
18.2.3 Technical compliance review | Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards
