100% found this document useful (3 votes)

713 views

CIS Controls v8 Mapping To ISO - IEC 27002.2022 2022 0406

This document contains mappings between the CIS Controls and ISO 27002:2022. It describes the methodology used to map the frameworks and ensure accurate relationships are identified. Users can provide feedback on the mappings through an online community.

Uploaded by

Carlos Garcia Jacome Darker

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

100% found this document useful (3 votes)

713 views

CIS Controls v8 Mapping To ISO - IEC 27002.2022 2022 0406

Uploaded by

Carlos Garcia Jacome Darker

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

You are on page 1/ 121

This document contains mappings of the CIS Controls and Safeguards to ISO (the International Organizatio

International Electrotechnical Commission) 27002:2022 - Information Security, cybersecurity and privacy pr

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
Tony Krzyzewski
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to ISO/IEC 21002:202
Reference link for ISO/IEC 27002:2022: https://www.iso.org/standard/54533.html

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
Where the CIS Controls are written to be a single ask per safeguard, ISO/IEC 27002
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of 5 possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to ISO/IEC 8.31
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of ISO/IEC 7.14 "Secure disposal or re-use of

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
the relationship will often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS CIS Security
Asset Type Title
Control Safeguard Function

1 Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and corr

mobile; network devices; non-computing/In
infrastructure physically, virtually, remotely
totality of assets that need to be monitored
identifying unauthorized and unmanaged as

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host
Configuration Protocol (DHCP)
1 1.4 Devices Identify
Logging to Update Enterprise
Asset Inventory

Use a Passive Asset Discovery

1 1.5 Devices Detect
Tool

2 Inventory and Control of Software Assets

Actively manage (inventory, track, and corr

network so that only authorized software is
software is found and prevented from insta

Establish and Maintain a

2 2.1 Applications Identify
Software Inventory

Utilize Automated Software

2 2.4 Applications Detect
Inventory Tools

2 2.5 Applications Protect Allowlist Authorized Software

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

3 Data Protection

Develop processes and technical controls t

Establish and Maintain a Data
3 3.1 Data Identify
Management Process

Establish and Maintain a Data

3 3.1 Data Identify
Management Process

Establish and Maintain a Data

3 3.1 Data Identify
Management Process

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Protect Securely Dispose of Data

Encrypt Data on End-User
3 3.6 Devices Protect
Devices

Encrypt Data on End-User

3 3.6 Devices Protect
Devices

Encrypt Data on End-User

3 3.6 Devices Protect
Devices

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

Encrypt Data on Removable

3 3.9 Data Protect
Media
Encrypt Data on Removable
3 3.9 Data Protect
Media

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

3 3.14 Data Detect Log Sensitive Data Access

4 Secure Configuration of Enterprise Assets a

Establish and maintain the secure configura

mobile; network devices; non-computing/Io
applications).

Establish and Maintain a

4 4.1 Applications Protect
Secure Configuration Process
Establish and Maintain a
4 4.1 Applications Protect
Secure Configuration Process

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Configure Automatic Session

4 4.3 Users Protect
Locking on Enterprise Assets

Configure Automatic Session

4 4.3 Users Protect
Locking on Enterprise Assets

Implement and Manage a

4 4.4 Devices Protect
Firewall on Servers

Implement and Manage a

4 4.5 Devices Protect
Firewall on End-User Devices

Implement and Manage a

4 4.5 Devices Protect
Firewall on End-User Devices

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software

Configure Trusted DNS Servers

4 4.9 Devices Protect
on Enterprise Assets
Enforce Automatic Device
4 4.10 Devices Respond Lockout on Portable End-User
Devices

Enforce Remote Wipe

4 4.11 Devices Protect Capability on Portable End-
User Devices
Enforce Remote Wipe
4 4.11 Devices Protect Capability on Portable End-
User Devices

Separate Enterprise
4 4.12 Devices Protect Workspaces on Mobile End-
User Devices

5 Account Management

Use processes and tools to assign and man

administrator accounts, as well as service a

Establish and Maintain an

5 5.1 Users Identify
Inventory of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges

5 5.4 Users Protect to Dedicated Administrator
Accounts
Restrict Administrator Privileges
5 5.4 Users Protect to Dedicated Administrator
Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

Centralize Account
5 5.6 Users Protect
Management

6 Access Control Management

Use processes and tools to create, assign,

administrator, and service accounts for ent

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Revoking

6 6.2 Users Protect
Process

Establish an Access Revoking

6 6.2 Users Protect
Process
Establish an Access Revoking
6 6.2 Users Protect
Process

Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications

Require MFA for Remote

6 6.4 Users Protect
Network Access

Require MFA for Administrative

6 6.5 Users Protect
Access

Establish and Maintain an

6 6.6 Users Identify Inventory of Authentication and
Authorization Systems

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control
7 Continuous Vulnerability Management

Develop a plan to continuously assess and

infrastructure, in order to remediate, and m
private industry sources for new threat and

Establish and Maintain a

7 7.1 Applications Protect Vulnerability Management
Process

Establish and Maintain a

7 7.2 Applications Respond
Remediation Process

Perform Automated Operating

7 7.3 Applications Protect
System Patch Management

Perform Automated Application

7 7.4 Applications Protect
Patch Management

Perform Automated
7 7.5 Applications Identify Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
Vulnerability Scans of
7 7.6 Applications Identify
Externally-Exposed Enterprise
Assets

Remediate Detected
7 7.7 Applications Respond
Vulnerabilities

8 Audit Log Management

Collect, alert, review, and retain audit logs o
attack.

Establish and Maintain an Audit

8 8.1 Network Protect
Log Management Process

Establish and Maintain an Audit

8 8.1 Network
Log Management Process

8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log

8 8.3 Network Protect
Storage

Standardize Time
8 8.4 Network Protect
Synchronization

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.6 Network Detect Collect DNS Query Audit Logs

Collect URL Request Audit
8 8.7 Network Detect
Logs

Collect Command-Line Audit

8 8.8 Devices Detect
Logs

8 8.9 Network Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections

Improve protections and detections of threa

attackers to manipulate human behavior thr

Ensure Use of Only Fully

9 9.1 Applications Protect Supported Browsers and Email
Clients

9 9.2 Network Protect Use DNS Filtering Services

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and
Email Client Extensions

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email

9 9.7 Network Protect Server Anti-Malware
Protections
10 Malware Defenses

Prevent or control the installation, spread, a

enterprise assets.
Deploy and Maintain Anti-
10 10.1 Devices Protect
Malware Software
Deploy and Maintain Anti-
10 10.1 Devices Protect
Malware Software
Configure Automatic Anti-
10 10.2 Devices Protect
Malware Signature Updates

Disable Autorun and Autoplay

10 10.3 Devices Protect
for Removable Media

Configure Automatic Anti-

10 10.4 Devices Detect Malware Scanning of
Removable Media

Configure Automatic Anti-

10 10.4 Devices Detect Malware Scanning of
Removable Media

Enable Anti-Exploitation
10 10.5 Devices Protect
Features

Centrally Manage Anti-Malware

10 10.6 Devices Protect
Software
Use Behavior-Based Anti-
10 10.7 Devices Detect
Malware Software

11 Data Recovery

Establish and maintain data recovery practi

and trusted state.

Establish and Maintain a Data

11 11.1 Data Recover
Recovery Process
11 11.2 Data Recover Perform Automated Backups

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an

11 11.4 Data Recover Isolated Instance of Recovery
Data

11 11.5 Data Recover Test Data Recovery

Network Infrastructure
12
Management

Establish, implement, and actively manage

attackers from exploiting vulnerable networ

Ensure Network Infrastructure is

12 12.1 Network Protect
Up-to-Date

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Securely Manage Network

12 12.3 Network Protect
Infrastructure

Establish and Maintain

12 12.4 Network Identify
Architecture Diagram(s)

Centralize Network
12 12.5 Network Protect Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
12 12.6 Network Protect Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure

Ensure Remote Devices Utilize

a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure

Ensure Remote Devices Utilize

a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
12 12.8 Devices Protect
Resources for All Administrative
Work
Establish and Maintain
Dedicated Computing
12 12.8 Devices Protect
Resources for All Administrative
Work

Network Monitoring and

13
Defense

Operate processes and tooling to establish

against security threats across the enterpri

Centralize Security Event

13 13.1 Network Detect
Alerting

Deploy a Host-Based Intrusion

13 13.2 Devices Detect
Detection Solution
Deploy a Network Intrusion
13 13.3 Network Detect
Detection Solution

Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering

13 13.4 Network Protect
Between Network Segments

Perform Traffic Filtering

13 13.4 Network Protect
Between Network Segments

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Collect Network Traffic Flow

13 13.6 Network Detect
Logs

Collect Network Traffic Flow

13 13.6 Network Detect
Logs

Deploy a Host-Based Intrusion

13 13.7 Devices Protect
Prevention Solution
Deploy a Network Intrusion
13 13.8 Network Protect
Prevention Solution

Deploy Port-Level Access

13 13.9 Devices Protect
Control

Perform Application Layer

13 13.10 Network Protect
Filtering

Tune Security Event Alerting

13 13.11 Network Detect
Thresholds

14 Security Awareness and Skills Training

Establish and maintain a security awarenes

conscious and properly skilled to reduce cy

Establish and Maintain a

14 14.1 N/A Protect
Security Awareness Program

Train Workforce Members to

14 14.2 N/A Protect Recognize Social Engineering
Attacks

Train Workforce Members on

14 14.3 N/A Protect
Authentication Best Practices

Train Workforce on Data

14 14.4 N/A Protect
Handling Best Practices
Train Workforce Members on
14 14.5 N/A Protect Causes of Unintentional Data
Exposure

Train Workforce Members on

14 14.6 N/A Protect Recognizing and Reporting
Security Incidents

Train Workforce on How to

Identify and Report if Their
14 14.7 N/A Protect
Enterprise Assets are Missing
Security Updates

Train Workforce on the Dangers

of Connecting to and
14 14.8 N/A Protect
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific Security

14 14.9 N/A Protect
Awareness and Skills Training

15 Service Provider Management

Develop a process to evaluate service prov

critical IT platforms or processes, to ensure
appropriately.

Establish and Maintain an

15 15.1 N/A Identify
Inventory of Service Providers
Establish and Maintain a
15 15.2 N/A Identify Service Provider Management
Policy

Establish and Maintain a

15 15.2 N/A Identify Service Provider Management
Policy

Establish and Maintain a

15 15.2 N/A Identify Service Provider Management
Policy

Establish and Maintain a

15 15.2 N/A Identify Service Provider Management
Policy

Establish and Maintain a

15 15.2 N/A Identify Service Provider Management
Policy

15 15.3 N/A Identify Classify Service Providers

Ensure Service Provider

15 15.4 N/A Protect Contracts Include Security
Requirements

Ensure Service Provider

15 15.4 N/A Protect Contracts Include Security
Requirements
Ensure Service Provider
15 15.4 N/A Protect Contracts Include Security
Requirements

15 15.5 N/A Identify Assess Service Providers

15 15.6 Data Detect Monitor Service Providers

Securely Decommission
15 15.7 Data Protect
Service Providers

16 Application Software Security

Manage the security life cycle of in-house d

remediate security weaknesses before they

Establish and Maintain a

16 16.1 Applications Protect Secure Application
Development Process

Establish and Maintain a

16 16.1 Applications Protect Secure Application
Development Process

Establish and Maintain a

16 16.1 Applications Protect Secure Application
Development Process

Establish and Maintain a

16 16.1 Applications Protect Secure Application
Development Process
Establish and Maintain a
16 16.2 Applications Protect Process to Accept and Address
Software Vulnerabilities

Perform Root Cause Analysis

16 16.3 Applications Protect
on Security Vulnerabilities

Establish and Manage an

16 16.4 Applications Protect Inventory of Third-Party
Software Components

Establish and Manage an

16 16.4 Applications Protect Inventory of Third-Party
Software Components

Use Up-to-Date and Trusted

16 16.5 Applications Protect Third-Party Software
Components

Establish and Maintain a

Severity Rating System and
16 16.6 Applications Protect
Process for Application
Vulnerabilities

Use Standard Hardening

16 16.7 Applications Protect Configuration Templates for
Application Infrastructure
Separate Production and Non-
16 16.8 Applications Protect
Production Systems

Train Developers in Application

16 16.9 Applications Protect Security Concepts and Secure
Coding

Apply Secure Design Principles

16 16.10 Applications Protect
in Application Architectures

Leverage Vetted Modules or

16 16.11 Applications Protect Services for Application
Security Components

Leverage Vetted Modules or

16 16.11 Applications Protect Services for Application
Security Components

Implement Code-Level Security

16 16.12 Applications Protect
Checks
Implement Code-Level Security
16 16.12 Applications Protect
Checks

Implement Code-Level Security

16 16.12 Applications Protect
Checks
Conduct Application
16 16.13 Applications Protect
Penetration Testing

Conduct Application
16 16.13 Applications Protect
Penetration Testing

16 16.14 Applications Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and maintai

defined roles, training, and communications

Designate Personnel to
17 17.1 N/A Respond
Manage Incident Handling

Establish and Maintain Contact

17 17.2 N/A Respond Information for Reporting
Security Incidents

Establish and Maintain Contact

17 17.2 N/A Respond Information for Reporting
Security Incidents
Establish and Maintain Contact
17 17.2 N/A Respond Information for Reporting
Security Incidents

Establish and Maintain Contact

17 17.2 N/A Respond Information for Reporting
Security Incidents

Establish and Maintain an

17 17.3 N/A Respond Enterprise Process for
Reporting Incidents

Establish and Maintain an

17 17.4 N/A Respond
Incident Response Process

Establish and Maintain an

17 17.4 N/A Respond
Incident Response Process

Assign Key Roles and

17 17.5 N/A Respond
Responsibilities

Assign Key Roles and

17 17.5 N/A Respond
Responsibilities

Define Mechanisms for

17 17.6 N/A Respond Communicating During Incident
Response

Conduct Routine Incident

17 17.7 N/A Recover
Response Exercises
17 17.8 N/A Recover Conduct Post-Incident Reviews

17 17.8 N/A Recover Conduct Post-Incident Reviews

Establish and Maintain Security

17 17.9 N/A Recover
Incident Thresholds

Establish and Maintain Security

17 17.9 N/A Recover
Incident Thresholds

18 Penetration Testing

Test the effectiveness and resiliency of ente

controls (people, processes, and technolog

Establish and Maintain a

18 18.1 N/A Identify
Penetration Testing Program

Perform Periodic External

18 18.2 Network Identify
Penetration Tests

Remediate Penetration Test

18 18.3 Network Protect
Findings
18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal

18 18.5 N/A Identify
Penetration Tests
Description

l of Enterprise Assets

entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected
to the enterprise’s network infrastructure, even if they are not under control of the
enterprise. Review and update the inventory of all enterprise assets bi-annually, or
more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.

l of Software Assets

entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.

Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.

Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.

Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations
can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Encrypt data on end-user devices containing sensitive data. Example implementations

can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Encrypt data on end-user devices containing sensitive data. Example implementations

can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.

Log sensitive data access, including modification and disposal.

of Enterprise Assets and Software

in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and

Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Implement and manage a firewall on servers, where supported. Example

implementations include a virtual firewall, operating system firewall, or a third-party
firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are
explicitly allowed.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are
explicitly allowed.

Manage default accounts on enterprise assets and software, such as root,

administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.

Manage default accounts on enterprise assets and software, such as root,

administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations

include: configuring assets to use enterprise-controlled DNS servers and/or reputable
externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.

ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.

Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.

Establish and maintain an inventory of service accounts. The inventory, at a minimum,

must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Establish and maintain an inventory of service accounts. The inventory, at a minimum,
must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.

Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.

Require all externally-exposed enterprise or third-party applications to enforce MFA,

where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.

Establish and maintain an inventory of the enterprise’s authentication and authorization

systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.

Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.

Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
ility Management

ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.

Establish and maintain a documented vulnerability management process for enterprise

assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation

process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or

more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a

SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a

monthly, or more frequent, basis, based on the remediation process.
and retain audit logs of events that could help detect, understand, or recover from an

Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.

Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources

across enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and supported.

Collect command-line audit logs. Example implementations include collecting audit

logs from PowerShell®, BASH™, and remote administrative terminals.

Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include

collecting authentication and authorization events, data creation and disposal events,
and user management events.

ser Protections

and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through
the vendor.

Use DNS filtering services on all enterprise assets to block access to known malicious
domains.

Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment

scanning and/or sandboxing.
e installation, spread, and execution of malicious applications, code, or scripts on

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible,

such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident

Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.

Establish and maintain an isolated instance of recovery data. Example

implementations include, version controlling backup destinations through offline, cloud,
or off-site systems or services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope

enterprise assets.

, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.

Ensure network infrastructure is kept up-to-date. Example implementations include

running the latest stable release of software and/or using currently supported network-
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-

controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication services
prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically

separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.
Establish and maintain dedicated computing resources, either physically or logically
separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.

nd tooling to establish and maintain comprehensive network monitoring and defense

ats across the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where

appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.

Deploy a network intrusion detection solution on enterprise assets, where appropriate.

Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources.

Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.

Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where

appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example
implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user and/or
device authentication.

Perform application layer filtering. Example implementations include a filtering proxy,

application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

and Skills Training

in a security awareness program to influence behavior among the workforce to be security

rly skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security

awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant enterprise
changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing,

pre-texting, and tailgating.

Train workforce members on authentication best practices. Example topics include

MFA, password composition, and credential management.

Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.
Example topics include mis-delivery of sensitive data, losing a portable end-user
device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to

report such an incident.

Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations

include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.

evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data

Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could impact
this Safeguard.

Ensure service provider contracts include security requirements. Example

requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.

Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management
policy. Monitoring may include periodic reassessment of service provider compliance,
monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and
service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Securely decommission service providers. Example considerations include user and
service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.

Security

ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.

Establish and maintain a secure application development process. In the process,

address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software
vulnerabilities, including providing a means for external entities to report. The process
is to include such items as: a vulnerability handling policy that identifies reporting
process, responsible party for handling vulnerability reports, and a process for intake,
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that

helps to set expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities,

root cause analysis is the task of evaluating underlying issues that create
vulnerabilities in code, and allows development teams to move beyond just fixing
individual vulnerabilities as they arise.

Establish and manage an updated inventory of third-party components used in

development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.

Establish and manage an updated inventory of third-party components used in

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.

Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates for application

infrastructure components. This includes underlying servers, databases, and web
servers, and applies to cloud containers, Platform as a Service (PaaS) components,
and SaaS components. Do not allow in-house developed software to weaken
configuration hardening.
Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct training
at least annually and design in a way to promote security within the development team,
and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles

include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as

identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.

Leverage vetted modules or services for application security components, such as

Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.

Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Conduct application penetration testing. For critical applications, authenticated
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct application penetration testing. For critical applications, authenticated
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is
conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.

anagement

o develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using
a third-party vendor, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate and
report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence
through identifying lessons learned and follow-up action.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence

through identifying lessons learned and follow-up action.

Establish and maintain security incident thresholds, including, at a minimum,

differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain security incident thresholds, including, at a minimum,
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.

s and resiliency of enterprise assets through identifying and exploiting weaknesses in

cesses, and technology), and simulating the objectives and actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size,

complexity, and maturity of the enterprise. Penetration testing program characteristics
include scope, such as network, web application, Application Programming Interface
(API), hosted services, and physical premise controls; frequency; limitations, such as
acceptable hours, and excluded attack types; point of contact information; remediation,
such as how findings will be routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less

than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party. The
testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.

Perform periodic internal penetration tests based on program requirements, no less

than annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Control # Control Title

Inventory of information and

X X X Subset 5.9
other associated assets

Management of technical
X X X Subset 8.8
vulnerabilities

X X X

X X
X X

Inventory of information and

X X X Subset 5.9
other associated assets

X X

X X Subset 8.7 Protection against malware

Installation of software on
X X Subset 8.19
operational systems

X
Acceptable use of
X X X Subset 5.10 information and other
associated assets

Inventory of information and

X X X Subset 5.9
other associated assets

X X X Subset 8.1 User endpoint devices

Inventory of information and

X X X Subset 5.9
other associated assets

Acceptable use of
X X X Subset 5.10 information and other
associated assets

X X X Subset 5.15 Access control

X X X Subset 8.3 Information access restriction

X X X Subset 8.4 Access to source code

X X X Subset 5.33 Protection of records

Acceptable use of
X X X Subset 5.10 information and other
associated assets

X X X Subset 7.10 Storage media

Secure disposal or re-use of

X X X Subset 7.14
equipment
X X X Subset 6.7 Remote working

X X X Subset 7.10 Storage media

X X X Subset 8.1 User endpoint devices

Inventory of information and

X X Subset 5.9
other associated assets

X X Subset 5.12 Classification of information

X X Subset 5.13 Labelling of information

X X Subset 5.33 Protection of records

X X Subset 8.12 Data leakage prevention

X X Subset 5.14 Information transfer

X X Subset 7.10 Storage media

X X Subset 5.14 Information transfer

X X Subset 5.33 Protection of records

X X Subset 8.20 Networks security

X X Subset 8.22 Segregation of networks

X Subset 5.14 Information transfer

X Subset 8.12 Data leakage prevention

X Subset 8.15 Logging

X X X Subset 8.1 User endpoint devices

X X X Subset 8.9 Configuration management

X X X Subset 8.5 Secure authentication

X X X Subset 8.9 Configuration management

X X X

X X X Subset 6.7 Remote working

X X X Subset 8.1 User endpoint devices

X X X Subset 8.9 Configuration management

X X X Subset 8.2 Privileged access rights

X X Subset 8.9 Configuration management

X X
X X Subset 8.5 Secure authentication

X X Equivalent 8.10 Information Deletion

X X Subset 8.1 User endpoint devices

X Subset 6.7 Remote working

X Subset 8.1 User endpoint devices

X X X Subset 5.16 Identity management

X X X Subset 5.17 Authentication information

X X X Subset

X X X Subset 5.15 Access control

X X X Subset 8.2 Privileged access rights

X X Subset 5.15 Access control

Use of privileged utility

X X Subset 8.18
programs

X X Subset 5.15 Access Control

X X X Subset 5.15 Access control

X X X Subset 5.16 Identity management

X X X Subset 5.18 Access rights

X X X Subset 5.16 Identity management

X X X Subset 5.18 Access rights

Responsibilities after
X X X Subset 6.5 termination or change of
employment

X X X Subset 5.15 Access Control

X X X Subset 6.7 Remote working

X X X Subset 8.2 Privileged access rights

X X Subset 8.5 Secure authentication

X X Subset 5.18 Access rights

X Superset 5.3 Segregation of duties

X Subset 5.15 Access control

X Subset 8.2 Privileged access rights

X Subset 8.3 Information access restriction

Management of technical
X X X Subset 8.8
vulnerabilities

Management of technical
X X Subset 8.8
vulnerabilities

Management of technical
X X Subset 8.8
vulnerabilities
X X X Equivalent 8.15 Logging

x x x Subset 8.15 Logging

X X X Subset 8.15 Logging

X X X Subset 8.20 Networks security

X X X Subset 8.6 Capacity management

X X Equivalent 8.17 Clock synchronization

X X Subset 5.28 Collection of evidence

X X Subset 8.15 Logging

X X Subset

X X Subset 8.15 Logging

X X
X X Subset 5.28 Collection of evidence

Assessment and decision on

X X Subset 5.25
information security events

X Subset

X X X Subset 8.1 User endpoint devices

X X X Subset 8.23 Web filtering

X X Subset 8.7 Protection against malware

X X Subset 8.23 Web filtering

X X

X Subset 8.7 Protection against malware

X X X Subset 8.1 User endpoint devices

X X X Subset 8.7 Protection against malware

X X X Subset 7.10 Storage media

X X Subset 7.10 Storage media

X X Subset 8.7 Protection against malware

X X Subset 8.1 User endpoint devices

X X X Subset 8.13 Information backup

X X X Subset 8.12 Data leakage prevention

X X X Subset 8.13 Information backup

X X Subset 8.13 Information backup

X X X

X X Subset 8.22 Segregation of networks

X X Subset 8.21 Security of network services

X X

X X Subset 8.21 Security of network services

X X Subset 6.7 Remote working

X X Subset 8.1 User endpoint devices

X X Subset 8.21 Security of network services

X Subset 8.2 Privileged access rights

X Subset 8.22 Segregation of networks

X X Subset 8.15 Logging

X X Subset 8.16 Monitoring activities

X X Subset 8.21 Security of network services

X X Subset 8.16 Monitoring activities

X X Subset 8.22 Segregation of networks

X X Subset 6.7 Remote working

X X Subset 8.1 User endpoint devices

X X Subset 8.3 Information access restriction

X X Subset 8.15 Logging

X X Subset 8.16 Monitoring activities

Management of Technical
X Subset 8.8
Vulnerabilities
Management of Technical
X Subset 8.8
Vulnerabilities

Management of Technical
X Subset 8.8
Vulnerabilities

X Subset 5.7 Threat intellgigence

Information security
X X X Equivalent 6.3 awareness, education and
training

X X X Subset 8.7 Protection against malware

Information security
X X X 6.3 awareness, education and
training

Acceptable use of
X X X Subset 5.10 information and other
associated assets
Information security
X X X Subset 6.3 awareness, education and
training

Information security event

X X X Subset 6.8
reporting

Information security
X X X subset 6.3 awareness, education and
training

Information security
X X X Subset 6.3 awareness, education and
training

Information security
X X Subset 6.3 awareness, education and
training

Information security in
X X X Subset 5.19
supplier relationships
Policies for information
X X Subset 5.1
security

Acceptable use of
X X Subset 5.10 information and other
associated assets

Information security in
X X Subset 5.19
supplier relationships

Addressing information
X X Subset 5.20 security within supplier
agreements

Information security for use

X X Subset 5.23
of cloud services

Information security in
X X Subset 5.19
supplier relationships

Addressing information
X X Subset 5.20 security within supplier
agreements

Managing information
X X Subset 5.21 security in the ICT supply
chain
Information security for use
X X Subset 5.23
of cloud services

Information security in
X Subset 5.19
supplier relationships

Monitoring, review and

X Subset 5.22 change management of
supplier services

Information security for use

X Subset 5.23
of cloud services

Information security in
X Subset 5.19
supplier relationships

Addressing information
X Subset 5.20 security within supplier
agreements

Managing information
X Subset 5.21 security in the ICT supply
chain

Monitoring, review and

X Subset 5.22 change management of
supplier services
Information security in
X Subset 5.19
supplier relationships

Addressing information
X Subset 5.20 security within supplier
agreements

Information security in project

X X Subset 5.8
management

X X Superset 8.4 Access to source code

Secure development life

X X Superset 8.25
cycle

X X Superset 8.28 Secure coding

Management of Technical
X X Subset 8.8
vulnerabilities

Application security
X X Subset 8.26
requirements

X X Subset 8.30 Outsourced development

Application security
X X Subset 8.26
requirements

Management of Technical
X X Subset 8.8
vulnerabilities

Management of Technical
X X Subset 8.8
vulnerabilities
Separation of development,
X X Equivalent 8.31 test and production
environments

X X Subset 8.28 Secure coding

Secure system architecture

X X Subset 8.27
and engineering principles

Secure development life

X X Superset 8.25
cycle

Application security
X X Subset 8.26
requirements

Secure development life

X Subset 8.25
cycle
X Subset 8.28 Secure coding

Security testing in
X Subset 8.29
development and acceptance
Management of Technical
X Subset 8.8
vulnerabilities

Security testing in
X Subset 8.29
development and acceptance

Information security incident

X X X Subset 5.24 management planning and
preparation

X X X Superset 5.5 Contact with authorities

Contact with special interest

X X X Subset 5.6
groups
Addressing information
X X X Subset 5.20 security within supplier
agreements

Information security incident

X X X Subset 5.24 management planning and
preparation

Information security event

X X X Equivalent 6.8
reporting

Information security incident

X X Subset 5.24 management planning and
preparation

Response to information
X X Subset 5.26
security incidents

Information security roles

X X Subset 5.2
and responsibilities

Information security incident

X X Subset 5.24 management planning and
preparation

Information security incident

X X Subset 5.24 management planning and
preparation

ICT readiness for business

X X Subset 5.30
continuity
Information security incident
X X Subset 5.24 management planning and
preparation

Learning from information

X X Subset 5.27
security incidents

Information security incident

X Subset 5.24 management planning and
preparation

Assessment and decision on

X Subset 5.25
information security events

Management of Technical
X X Subset 8.8
vulnerabilities

Management of technical
X X Subset 8.8
vulnerabilities

Management of Technical
X X Subset 8.8
vulnerabilities
Management of Technical
X Subset 8.8
vulnerabilities

Management of Technical
X Subset 8.8
vulnerabilities
Control Text

An inventory of information and other associated assets,

including owners, should be developed and maintained.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.
An inventory of information and other associated assets,
including owners, should be developed and maintained.

Protection against malware should be implemented and

supported by appropriate user awareness.

Procedures and measures should be implemented to

securely manage software installation on operational
systems.

Procedures and measures should be implemented to

securely manage software installation on operational
systems.
Rules for the acceptable use and procedures for handling
information and other associated assets should be
identified, documented and implemented.

An inventory of information and other associated assets,

including owners, should be developed and maintained.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

An inventory of information and other associated assets,

including owners, should be developed and maintained.

Rules for the acceptable use and procedures for handling

information and other associated assets should be
identified, documented and implemented.
Rules to control physical and logical access to information
and other associated assets should be established and
implemented based on business and information security
requirements.
Access to information and other associated assets should
be restricted in accordance with the established topic-
specific policy on access control.

Read and write access to source code, development tools

and software libraries should be appropriately managed.

Records should be protected from loss, destruction,

falsification, unauthorized access and unauthorized
release.
Rules for the acceptable use and procedures for handling
information and other associated assets should be
identified, documented and implemented.
Storage media should be managed through its life cycle of
acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.
Items of equipment containing storage media should be
verified to ensure that any sensitive data and licensed
software has been removed or securely overwritten prior
to disposal or re-use.
Security measures should be implemented when
personnel are working remotely to protect information
accessed, processed or stored outside the organization’s
premises.
Storage media should be managed through its life cycle of
acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

An inventory of information and other associated assets,

including owners, should be developed and maintained.

Information should be classified according to the

information security needs of the organization based on
confidentiality, integrity, availability and relevant interested
party requirements.

An appropriate set of procedures for information labelling

should be developed and implemented in accordance with
the information classification scheme adopted by the
organization.

Records should be protected from loss, destruction,

falsification, unauthorized access and unauthorized
release.

Data leakage prevention measures should be applied to

systems, networks and any other devices that process,
store or transmit sensitive information.

Information transfer rules, procedures, or agreements

should be in place for all types of transfer facilities within
the organization and between the organization and other
parties.
Information transfer rules, procedures, or agreements
should be in place for all types of transfer facilities within
the organization and between the organization and other
parties.
Storage media should be managed through its life cycle of
acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.
Information transfer rules, procedures, or agreements
should be in place for all types of transfer facilities within
the organization and between the organization and other
parties.

Records should be protected from loss, destruction,

falsification, unauthorized access and unauthorized
release.

Networks and network devices should be secured,

managed and controlled to protect information in systems
and applications.
Groups of information services, users and information
systems should be segregated in the organization’s
networks.
Information transfer rules, procedures, or agreements
should be in place for all types of transfer facilities within
the organization and between the organization and other
parties.

Data leakage prevention measures should be applied to

systems, networks and any other devices that process,
store or transmit sensitive information.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.

Information stored on, processed by or accessible via user

endpoint devices should be protected.
Configurations, including security configurations, of
hardware, software, services and networks should be
established, documented, implemented, monitored and
reviewed.

Configurations, including security configurations, of

hardware, software, services and networks should be
established, documented, implemented, monitored and
reviewed.

Secure authentication technologies and procedures

should be implemented based on information access
restrictions and the topic-specific policy on access control.

Configurations, including security configurations, of

hardware, software, services and networks should be
established, documented, implemented, monitored and
reviewed.

Security measures should be implemented when

personnel are working remotely to protect information
accessed, processed or stored outside the organization’s
premises.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

Configurations, including security configurations, of

hardware, software, services and networks should be
established, documented, implemented, monitored and
reviewed.

The allocation and use of privileged access rights should

be restricted and managed.

Configurations, including security configurations, of

hardware, software, services and networks should be
established, documented, implemented, monitored and
reviewed.
Secure authentication technologies and procedures
should be implemented based on information access
restrictions and the topic-specific policy on access control.

Information stored in information systems, devices or in

any other storage media should be deleted when no
longer required.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

Security measures should be implemented when

personnel are working remotely to protect information
accessed, processed or stored outside the organization’s
premises.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

The full life cycle of identities should be managed.

Allocation and management of authentication information

should be controlled by a management process, including
advising personnel of appropriate handling of
authentication information.

Rules to control physical and logical access to information

and other associated assets should be established and
implemented based on business and information security
requirements.
The allocation and use of privileged access rights should
be restricted and managed.

Rules to control physical and logical access to information

and other associated assets should be established and
implemented based on business and information security
requirements.

The use of utility programs that can be capable of

overriding system and application controls should be
restricted and tightly controlled.

Rules to control physical and logical access to information

and other associated assets should be established and
implemented based on business and information security
requirements.

Rules to control physical and logical access to information

and other associated assets should be established and
implemented based on business and information security
requirements.

The full life cycle of identities should be managed.

Access rights to information and other associated assets

should be provisioned, reviewed, modified and removed in
accordance with the organization’s topic-specific policy on
and rules for access control.

The full life cycle of identities should be managed.

Access rights to information and other associated assets

should be provisioned, reviewed, modified and removed in
accordance with the organization’s topic-specific policy on
and rules for access control.
Information security responsibilities and duties that remain
valid after termination or change of employment should be
defined, enforced and communicated to relevant
personnel and other interested parties.

Rules to control physical and logical access to information

and other associated assets should be established and
implemented based on business and information security
requirements.
Security measures should be implemented when
personnel are working remotely to protect information
accessed, processed or stored outside the organization’s
premises.
The allocation and use of privileged access rights should
be restricted and managed.

Secure authentication technologies and procedures

should be implemented based on information access
restrictions and the topic-specific policy on access control.

Access rights to information and other associated assets

should be provisioned, reviewed, modified and removed in
accordance with the organization’s topic-specific policy on
and rules for access control.

Conflicting duties and areas of responsibility should be

segregated.

Rules to control physical and logical access to information

and other associated assets should be established and
implemented based on business and information security
requirements.

The allocation and use of privileged access rights should

be restricted and managed.

Access to information and other associated assets should

be restricted in accordance with the established topic-
specific policy on access control.
Information about technical vulnerabilities of information
systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.
Logs that record activities, exceptions, faults and other
relevant events should be produced, stored, protected and
analysed.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.
Networks and network devices should be secured,
managed and controlled to protect information in systems
and applications.

The use of resources should be monitored and adjusted in

line with current and expected capacity requirements.

The clocks of information processing systems used by the

organization should be synchronized to approved time
sources.
The organization should establish and implement
procedures for the identification, collection, acquisition and
preservation of evidence related to information security
events.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.
The organization should establish and implement
procedures for the identification, collection, acquisition and
preservation of evidence related to information security
events.
The organization should assess information security
events and decide if they are to be categorized as
information security incidents.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

Access to external websites should be managed to reduce

exposure to malicious content.

Protection against malware should be implemented and

supported by appropriate user awareness.

Access to external websites should be managed to reduce

exposure to malicious content.

Protection against malware should be implemented and

supported by appropriate user awareness.
Information stored on, processed by or accessible via user
endpoint devices should be protected.
Protection against malware should be implemented and
supported by appropriate user awareness.
Protection against malware should be implemented and
supported by appropriate user awareness.
Storage media should be managed through its life cycle of
acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.
Storage media should be managed through its life cycle of
acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.

Protection against malware should be implemented and

supported by appropriate user awareness.

Protection against malware should be implemented and

supported by appropriate user awareness.

Protection against malware should be implemented and

supported by appropriate user awareness.
Information stored on, processed by or accessible via user
endpoint devices should be protected.

Backup copies of information, software and systems

should be maintained and regularly tested in accordance
with the agreed topic-specific policy on backup.
Backup copies of information, software and systems
should be maintained and regularly tested in accordance
with the agreed topic-specific policy on backup.

Data leakage prevention measures should be applied to

systems, networks and any other devices that process,
store or transmit sensitive information.

Backup copies of information, software and systems

should be maintained and regularly tested in accordance
with the agreed topic-specific policy on backup.

Backup copies of information, software and systems

should be maintained and regularly tested in accordance
with the agreed topic-specific policy on backup.

Backup copies of information, software and systems

should be maintained and regularly tested in accordance
with the agreed topic-specific policy on backup.

Groups of information services, users and information

systems should be segregated in the organization’s
networks.
Security mechanisms, service levels and service
requirements of network services should be identified,
implemented and monitored.

Security mechanisms, service levels and service

requirements of network services should be identified,
implemented and monitored.
Security measures should be implemented when
personnel are working remotely to protect information
accessed, processed or stored outside the organization’s
premises.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

Security mechanisms, service levels and service

requirements of network services should be identified,
implemented and monitored.

The allocation and use of privileged access rights should

be restricted and managed.

Groups of information services, users and information

systems should be segregated in the organization’s
networks.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.

Networks, systems and applications should be monitored

for anomalous behaviour and appropriate actions taken to
evaluate potential information security incidents.
Networks, systems and applications should be monitored
for anomalous behaviour and appropriate actions taken to
evaluate potential information security incidents.

Security mechanisms, service levels and service

requirements of network services should be identified,
implemented and monitored.

Networks, systems and applications should be monitored

for anomalous behaviour and appropriate actions taken to
evaluate potential information security incidents.

Groups of information services, users and information

systems should be segregated in the organization’s
networks.

Security measures should be implemented when

personnel are working remotely to protect information
accessed, processed or stored outside the organization’s
premises.

Information stored on, processed by or accessible via user

endpoint devices should be protected.

Access to information and other associated assets should

be restricted in accordance with the established topic-
specific policy on access control.

Logs that record activities, exceptions, faults and other

relevant events should be produced, stored, protected and
analysed.

Networks, systems and applications should be monitored

for anomalous behaviour and appropriate actions taken to
evaluate potential information security incidents.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.
Information about technical vulnerabilities of information
systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information relating to information security threats should

be collected and analysed to produce threat intelligence.

Personnel of the organization and relevant interested

Protection against malware should be implemented and

supported by appropriate user awareness.
Personnel of the organization and relevant interested
parties should receive appropriate information security
awareness, education and training and regular updates of
the organization's information security policy, topic-
specific policies and procedures, as relevant for their job
function.
Rules for the acceptable use and procedures for handling
information and other associated assets should be
identified, documented and implemented.
Personnel of the organization and relevant interested
parties should receive appropriate information security
awareness, education and training and regular updates of
the organization's information security policy, topic-
specific policies and procedures, as relevant for their job
function.

The organization should provide a mechanism for

personnel to report observed or suspected information
security events through appropriate channels in a timely
manner.

Personnel of the organization and relevant interested

parties should receive appropriate information security
awareness, education and training and regular updates of
the organization's information security policy, topic-
specific policies and procedures, as relevant for their job
function.
Personnel of the organization and relevant interested
parties should receive appropriate information security
awareness, education and training and regular updates of
the organization's information security policy, topic-
specific policies and procedures, as relevant for their job
function.

Processes and procedures should be defined and

implemented to manage the information security risks
associated with the use of supplier’s products or services.
Information security policy and topic-specific policies
should be defined, approved by management, published,
communicated to and acknowledged by relevant
personnel and relevant interested parties, and reviewed at
planned intervals and if significant changes occur.

Rules for the acceptable use and procedures for handling

information and other associated assets should be
identified, documented and implemented.

Processes and procedures should be defined and

implemented to manage the information security risks
associated with the use of supplier’s products or services.

Relevant information security requirements should be

established and agreed with each supplier based on the
type of supplier relationship.

Processes for acquisition, use, management and exit from

cloud services should be established in accordance with
the organization’s information security requirements.

Processes and procedures should be defined and

implemented to manage the information security risks
associated with the use of supplier’s products or services.

Relevant information security requirements should be

established and agreed with each supplier based on the
type of supplier relationship.

Processes and procedures should be defined and

implemented to manage information security risks
associated with the ICT products and services supply
chain.
Processes for acquisition, use, management and exit from
cloud services should be established in accordance with
the organization’s information security requirements.

Processes and procedures should be defined and

implemented to manage the information security risks
associated with the use of supplier’s products or services.

The organization should regularly monitor, review,

evaluate and manage change in supplier information
security practices and service delivery.

Processes for acquisition, use, management and exit from

cloud services should be established in accordance with
the organization’s information security requirements.

Processes and procedures should be defined and

implemented to manage the information security risks
associated with the use of supplier’s products or services.

Relevant information security requirements should be

established and agreed with each supplier based on the
type of supplier relationship.

Processes and procedures should be defined and

implemented to manage information security risks
associated with the ICT products and services supply
chain.

The organization should regularly monitor, review,

evaluate and manage change in supplier information
security practices and service delivery.
Processes and procedures should be defined and
implemented to manage the information security risks
associated with the use of supplier’s products or services.
Relevant information security requirements should be
established and agreed with each supplier based on the
type of supplier relationship.

Information security should be integrated into project

management.

Read and write access to source code, development tools

and software libraries should be appropriately managed.

Rules for the secure development of software and

systems should be established and applied.

Secure coding principles should be applied to software

development.
Information about technical vulnerabilities of information
systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information security requirements should be identified,

specified and approved when developing or acquiring
applications.

The organization should direct, monitor and review the

activities related to outsourced system development.

Information security requirements should be identified,

specified and approved when developing or acquiring
applications.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.
Development, testing and production environments should
be separated and secured.

Secure coding principles should be applied to software

development.

Principles for engineering secure systems to be

established, documented, maintained and applied to any
information system development activities.

Rules for the secure development of software and

systems should be established and applied.

Information security requirements should be identified,

specified and approved when developing or acquiring
applications.

Rules for the secure development of software and

systems should be established and applied.
Secure coding principles should be applied to software
development.

Security testing processes should be defined and

implemented in the development life cycle.
Information about technical vulnerabilities of information
systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Security testing processes should be defined and

implemented in the development life cycle.

Security testing processes should be defined and

implemented in the development life cycle.

The organization should plan and prepare for managing

information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.

The organization should establish and maintain contact

with relevant authorities.

The organization should establish and maintain contact

with special interest groups or other specialist security
forums and professional associations.
Relevant information security requirements should be
established and agreed with each supplier based on the
type of supplier relationship.

The organization should plan and prepare for managing

information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.

The organization should provide a mechanism for

personnel to report observed or suspected information
security events through appropriate channels in a timely
manner.

The organization should plan and prepare for managing

information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.

Information security incidents should be responded to in

accordance with the documented procedures.

Information security roles and responsibilities should be

defined and allocated according to the organization
needs.

The organization should plan and prepare for managing

information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.

The organization should plan and prepare for managing

information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.

ICT readiness should be planned, implemented,

maintained and tested based on business continuity
objectives and ICT continuity requirements.
The organization should plan and prepare for managing
information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.
Knowledge gained from information security incidents
should be used to strengthen and improve the information
security controls.

The organization should plan and prepare for managing

information security incidents by defining, establishing and
communicating information security incident management
processes, roles and responsibilities.

The organization should assess information security

events and decide if they are to be categorized as
information security incidents.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.

Information about technical vulnerabilities of information

systems in use should be obtained, the organization’s
exposure to such vulnerabilities should be evaluated and
appropriate measures should be taken.
ISO/IEC
Control Title
Control #

5.4 Management responsibilities

5.7 Threat intelligence
5.29 Information security during disruption

5.31 Legislation, regulations and statutory and contractual requirements

5.32 Intellectual property rights

5.34 Privacy and protection of PII

5.35 Independent review of information security

5.36 Conformance with policies, rules and standards for information security
5.37 Documented operating procedures

6.1 Screening
6.2 Terms and conditions of employment

6.4 Disciplinary process

6.6 Confidentiality or non-disclosure agreements

7.1 Physical security perimeters
7.2 Physical entry
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring

7.5 Protecting against physical and environmental threats

7.6 Working in secure areas

7.7 Clear desk and clear screen

7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.11 Supporting utilities
7.12 Cabling security
7.13 Equipment maintenance

7.14 Secure disposal or re-use of equipment

8.10 Information deletion

8.11 Data masking

8.14 Redundancy of information processing facilities
8.24 Use of cryptography
8.32 Change management
8.33 Test information
Management should require all personnel to apply information security in accordance with the established
procedures of the organization.
Information relating to information security threats should be collected and analysed to produce threat intel
The organization should plan how to maintain information security at an appropriate level during disruption
Legislation, regulations and statutory and contractual requirements relevant to information security and the
should be identified, documented and kept up to date.
The organization should implement appropriate procedures to protect intellectual property rights.
The organization should identify and meet the requirements regarding the preservation of privacy and prot
regulations and contractual requirements.
The organization’s approach to managing information security and its implementation including people, pro
independently at planned intervals, or when significant changes occur.
Conformance with the organization’s information security policy, topic-specific policies, rules and standards
Operating procedures for information processing facilities should be documented and made available to pe
Background verification checks on all candidates to become personnel should be carried out prior to joinin
consideration applicable laws, regulations and ethics and be proportional to the business requirements, the
the perceived risks.
The employment contractual agreements should state the personnel’s and the organization’s responsibilitie
A disciplinary process should be formalized and communicated to take actions against personnel and othe
information security policy violation.
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of inform
reviewed and signed by personnel and other relevant interested parties.
Security perimeters should be defined and used to protect areas that contain information and other associa
Secure areas should be protected by appropriate entry controls and access points.
Physical security for offices, rooms and facilities should be designed and implemented.
Premises should be continuously monitored for unauthorized physical access.
Protection against physical and environmental threats, such as natural disasters and other intentional or un
designed and implemented.
Security measures for working in secure areas should be designed and implemented.
Clear desk rules for papers and removable storage media and clear screen rules for information processin
enforced.
Equipment should be sited securely and protected.
Off-site assets should be protected.
Information processing facilities should be protected from power failures and other disruptions caused by f
Cables carrying power, data or supporting information services should be protected from interception, inter
Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.
Items of equipment containing storage media should be verified to ensure that any sensitive data and licen
overwritten prior to disposal or re-use.
Information stored in information systems, devices or in any other storage media should be deleted when n
Data masking should be used in accordance with the organization’s topic-specific policy on access control
requirements, taking applicable legislation into consideration.
Information processing facilities should be implemented with redundancy sufficient to meet availability requ
Rules for the effective use of cryptography, including cryptographic key management, should be defined an
Changes to information processing facilities and information systems should be subject to change manage
Test information should be appropriately selected, protected and managed.

ISO 27001 Controls – A guide to implementing and auditing
From Everand
ISO 27001 Controls – A guide to implementing and auditing
Bridget Kenyon
No ratings yet
ISMS Implementation Toolkit (ISO 27001 - 2022) - 240624 - 164559
80% (5)
ISMS Implementation Toolkit (ISO 27001 - 2022) - 240624 - 164559
12 pages
DOWNLOADABLE List of Documents in The ISO 27001 Toolkit
100% (1)
DOWNLOADABLE List of Documents in The ISO 27001 Toolkit
2 pages
Example Iso 27001 27002 Policy Standard Mapping
100% (1)
Example Iso 27001 27002 Policy Standard Mapping
2 pages
Exam MTCTCE
No ratings yet
Exam MTCTCE
6 pages
ISO 27001 2022 Gap Analysis Tool
100% (1)
ISO 27001 2022 Gap Analysis Tool
11 pages
ISO/IEC 27002 Implementation Guidance and Metrics
100% (20)
ISO/IEC 27002 Implementation Guidance and Metrics
14 pages
DRAFT - Jan 13 - Ethernet Lock Interface For Allure
No ratings yet
DRAFT - Jan 13 - Ethernet Lock Interface For Allure
16 pages
ISO27k Generic Business Case For ISO IEC 27001 ISMS v2
No ratings yet
ISO27k Generic Business Case For ISO IEC 27001 ISMS v2
5 pages
Nine Steps to Success: An ISO27001:2013 Implementation Overview
From Everand
Nine Steps to Success: An ISO27001:2013 Implementation Overview
Alan Calder
1/5 (1)
Example Iso 27001 27002 Policies Standards
50% (2)
Example Iso 27001 27002 Policies Standards
23 pages
Operationalizing Information Security: Putting the Top 10 SIEM Best Practices to Work
From Everand
Operationalizing Information Security: Putting the Top 10 SIEM Best Practices to Work
Scott Gordon
No ratings yet
ISMS Manual: Version: 2.9 Date: 07 May' 2012
No ratings yet
ISMS Manual: Version: 2.9 Date: 07 May' 2012
45 pages
Policy Template Guide: NIST Cybersecurity Framework
100% (4)
Policy Template Guide: NIST Cybersecurity Framework
17 pages
ISO 27002 New Standards
No ratings yet
ISO 27002 New Standards
1 page
IC ISO 27001 Business Continuity Checklist 10838
100% (1)
IC ISO 27001 Business Continuity Checklist 10838
8 pages
CIS Controls v8 Mapping To NIST CSF FINAL 06 11 2021
No ratings yet
CIS Controls v8 Mapping To NIST CSF FINAL 06 11 2021
111 pages
ISO27001 Tool Kit
0% (1)
ISO27001 Tool Kit
4 pages
ISMS The Ultimate Step-By-Step Guide
From Everand
ISMS The Ultimate Step-By-Step Guide
Gerardus Blokdyk
No ratings yet
Generic ISMS Documentation Checklist v1
No ratings yet
Generic ISMS Documentation Checklist v1
5 pages
Iso 27001 Annex S Control Mapping PDF
No ratings yet
Iso 27001 Annex S Control Mapping PDF
22 pages
ISO27001 Compliance With Netwrix
No ratings yet
ISO27001 Compliance With Netwrix
27 pages
Implementing An ISMS: The Nine-Step Approach
No ratings yet
Implementing An ISMS: The Nine-Step Approach
13 pages
Iso 27001
100% (1)
Iso 27001
100 pages
NQA ISO 27001 Implementation Guide
No ratings yet
NQA ISO 27001 Implementation Guide
18 pages
ISO27001:2013 Assessment Status: Compliance Status - by Section
No ratings yet
ISO27001:2013 Assessment Status: Compliance Status - by Section
21 pages
PCI DSS v3.2 Vs ISO 27001 2013 - 160729
No ratings yet
PCI DSS v3.2 Vs ISO 27001 2013 - 160729
99 pages
Iso 27001
100% (2)
Iso 27001
35 pages
ISMSPoloicy 1
No ratings yet
ISMSPoloicy 1
14 pages
Iso 27001
100% (1)
Iso 27001
43 pages
Pecb Whitepaper Iso 27001 CTS
0% (1)
Pecb Whitepaper Iso 27001 CTS
17 pages
ISO27k SOA 2013 in 5 Languages
No ratings yet
ISO27k SOA 2013 in 5 Languages
54 pages
GAP Analysis V1
100% (1)
GAP Analysis V1
79 pages
Iso27002 2022
No ratings yet
Iso27002 2022
1 page
ISO27k Standards Listing
No ratings yet
ISO27k Standards Listing
8 pages
0B Implemenation Guide
No ratings yet
0B Implemenation Guide
71 pages
Iso 27001 Implementation Roadmap
100% (7)
Iso 27001 Implementation Roadmap
1 page
Module-1 (The Process of Auditing Information Systems-T)
No ratings yet
Module-1 (The Process of Auditing Information Systems-T)
61 pages
ISO27k Toolkit Overview and Contents 3v2
100% (1)
ISO27k Toolkit Overview and Contents 3v2
8 pages
ISO27k Intro and Gap Analysis Email Template v2
No ratings yet
ISO27k Intro and Gap Analysis Email Template v2
2 pages
NIST Docs Guide
100% (2)
NIST Docs Guide
36 pages
ISO 27001 Auditor Checklist PDF
No ratings yet
ISO 27001 Auditor Checklist PDF
9 pages
Information Security Strategy - Guide
100% (1)
Information Security Strategy - Guide
14 pages
13 Effective Security Controls For ISO 27001 Compliance
No ratings yet
13 Effective Security Controls For ISO 27001 Compliance
55 pages
Statement of Applicability v3 1123 EXTERNAL
100% (1)
Statement of Applicability v3 1123 EXTERNAL
5 pages
ISMS Control Checklist 2022
50% (2)
ISMS Control Checklist 2022
31 pages
ISO27001 Checklist
82% (11)
ISO27001 Checklist
98 pages
Iso 27001
No ratings yet
Iso 27001
6 pages
Implementing ISMS 9 Steps Aug 19
No ratings yet
Implementing ISMS 9 Steps Aug 19
12 pages
Iso 27001
No ratings yet
Iso 27001
10 pages
2018.1 Example CSOP WISP NIST CSF Mapping
No ratings yet
2018.1 Example CSOP WISP NIST CSF Mapping
12 pages
ISO 27005 Lista-Am+Vu PDF
No ratings yet
ISO 27005 Lista-Am+Vu PDF
6 pages
Internal - Audit Checklist ISMS
No ratings yet
Internal - Audit Checklist ISMS
6 pages
Risk Control Report Sample
No ratings yet
Risk Control Report Sample
21 pages
ISO27k Controls Cross Check 2013
No ratings yet
ISO27k Controls Cross Check 2013
6 pages
ISO 27001 Annex A.9 - Access Control PDF
0% (1)
ISO 27001 Annex A.9 - Access Control PDF
12 pages
NIST CSF Worksheet
100% (1)
NIST CSF Worksheet
17 pages
ISO/IEC Information & ICT Security and Governance Standards in Practice
No ratings yet
ISO/IEC Information & ICT Security and Governance Standards in Practice
19 pages
BS ISO / IEC 27001: 2005: Isms - Audit Checklist
0% (1)
BS ISO / IEC 27001: 2005: Isms - Audit Checklist
9 pages
Awareness ISO 27001 V1.1
No ratings yet
Awareness ISO 27001 V1.1
15 pages
ISO27701 and GDPR Gaps and Overlaps
No ratings yet
ISO27701 and GDPR Gaps and Overlaps
13 pages
ISO IEC 27006 The Ultimate Step-By-Step Guide
From Everand
ISO IEC 27006 The Ultimate Step-By-Step Guide
Gerardus Blokdyk
No ratings yet
Reporte de Threat Modeling Proyecto
No ratings yet
Reporte de Threat Modeling Proyecto
19 pages
Superficie de Ataque
No ratings yet
Superficie de Ataque
2 pages
GoBrother Smart Home Products Pricelist-1 (V201906A)
No ratings yet
GoBrother Smart Home Products Pricelist-1 (V201906A)
11 pages
Descifrar
No ratings yet
Descifrar
2 pages
BVMS - Iec62676-1
No ratings yet
BVMS - Iec62676-1
41 pages
BVMS - Iec62676-1
No ratings yet
BVMS - Iec62676-1
41 pages
Bis Praesideo Integration PDF
No ratings yet
Bis Praesideo Integration PDF
2 pages
BVMS - Iec62676-1
No ratings yet
BVMS - Iec62676-1
41 pages
Moxa Eds P506e Series Datasheet v1.0
No ratings yet
Moxa Eds P506e Series Datasheet v1.0
6 pages
9.8 ZoneDirector 9.8 User Guide - Rev A - 20140614
No ratings yet
9.8 ZoneDirector 9.8 User Guide - Rev A - 20140614
430 pages
AirLive AirMax5 Manual
No ratings yet
AirLive AirMax5 Manual
146 pages
Kerberos
No ratings yet
Kerberos
15 pages
User'S Manual: 3-Megapixel Outdoor 25 Meter Ir Ipcam
No ratings yet
User'S Manual: 3-Megapixel Outdoor 25 Meter Ir Ipcam
74 pages
Cisco UCS C-Series GUI Configuration Guide 131 Chapter8
No ratings yet
Cisco UCS C-Series GUI Configuration Guide 131 Chapter8
6 pages
BTPT ONU Configuration Guide: This Guidance Document Is Applicable To BT-BCM6838 Series Models ONU Equipment of BTPT
No ratings yet
BTPT ONU Configuration Guide: This Guidance Document Is Applicable To BT-BCM6838 Series Models ONU Equipment of BTPT
10 pages
Protocolo OSPF
No ratings yet
Protocolo OSPF
6 pages
ISCOM S2600 (A) Series Configuration Guide (CLI) (Rel_02)
No ratings yet
ISCOM S2600 (A) Series Configuration Guide (CLI) (Rel_02)
498 pages
Lab 5 Ch-2 & 3 - Switch Security Part B - Apr18 - 2013
No ratings yet
Lab 5 Ch-2 & 3 - Switch Security Part B - Apr18 - 2013
3 pages
AOS 10.4.0.1 Release Notes
No ratings yet
AOS 10.4.0.1 Release Notes
21 pages
Etx-1p Ds
No ratings yet
Etx-1p Ds
6 pages
Cucm Lab 1
No ratings yet
Cucm Lab 1
17 pages
Netcom NTC 6000 User Manual v2.2
No ratings yet
Netcom NTC 6000 User Manual v2.2
63 pages
HPE Storage Switch M-Series SN3700M-a00067749enw
No ratings yet
HPE Storage Switch M-Series SN3700M-a00067749enw
29 pages
D Link DCS 5000L A1 Camera Manual v1 00
No ratings yet
D Link DCS 5000L A1 Camera Manual v1 00
78 pages
Read Fireware Log MSG
No ratings yet
Read Fireware Log MSG
17 pages
WL-203 MFP Server Full Manual (UK)
No ratings yet
WL-203 MFP Server Full Manual (UK)
46 pages
TripleCare User Guide V8.6 R1
No ratings yet
TripleCare User Guide V8.6 R1
165 pages
CSS Summary Lessons
No ratings yet
CSS Summary Lessons
3 pages
DHCP Presentation
No ratings yet
DHCP Presentation
25 pages
DHCP and DNS
No ratings yet
DHCP and DNS
23 pages
Desain Jaringan Lan Menggunakan Packet Tracer: Sovia Rosalin, M.AB
No ratings yet
Desain Jaringan Lan Menggunakan Packet Tracer: Sovia Rosalin, M.AB
61 pages
Cyberoam Virtual UTM Appliance Installation Guide For Microsoft Hyper-V
No ratings yet
Cyberoam Virtual UTM Appliance Installation Guide For Microsoft Hyper-V
26 pages
Altos EasyStore Manual 021907
No ratings yet
Altos EasyStore Manual 021907
169 pages
Checkpoint R65 VPN Admin Guide
No ratings yet
Checkpoint R65 VPN Admin Guide
668 pages
VZLT Profinet
No ratings yet
VZLT Profinet
60 pages
User Manual: Insight IC-D and IC-M DC Electric Tool Controller
No ratings yet
User Manual: Insight IC-D and IC-M DC Electric Tool Controller
48 pages
Networking n1500 Series Setup Guide en Us
No ratings yet
Networking n1500 Series Setup Guide en Us
136 pages
TP Link Archer C50 Datasheet
No ratings yet
TP Link Archer C50 Datasheet
6 pages
By: Pratik Pranav - 2018CS10368: WWW - Cse.iitd - Ac.in
No ratings yet
By: Pratik Pranav - 2018CS10368: WWW - Cse.iitd - Ac.in
6 pages
Lab 3.1: Prepare Installation: Objective
No ratings yet
Lab 3.1: Prepare Installation: Objective
34 pages
B WAP150 361 Admin Guide
No ratings yet
B WAP150 361 Admin Guide
136 pages