[COMPANY] ISO 27001 Statement of Applicability

*This template is provided as a reference only and is in no way intended as legal or security compliance advice.

Classification: Confidential

VERSION HISTORY: LAST MODIFIED BY: DESCRIPTION OF CHANGES: DATE:

ANNEX A REQUIREMENT | CONTROL TITLE | CONTROL OBJECTIVE | CONTROL APPLIED? | CONTROL NOTES AND DETAILS | CONTROL OWNER | JUSTIFICATION FOR EXCLUSION | DATE OF IMPLEMENTATION | DATE OF LAST ASSESSMENT

5 INFORMATION SECURITY POLICIES


5.1 Management direction for information security: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for information security: A set of policies for information security shall be defined, approved by management, published, and communicated to all employees and relevant external parties. (Business requirement; Yes)

5.1.2 Review of the policies for information security: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. (ISO 27001 requirement; No)

6 ORGANIZATION OF INFORMATION SECURITY


6.1 Internal organization: Establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information security roles and responsibilities: All information security responsibilities shall be defined and allocated.

6.1.2 Segregation of duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

6.1.3 Contact with authorities: Appropriate contacts with relevant authorities shall be maintained.

6.1.4 Contact with special interest groups: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

6.1.5 Information security in project management: Information security shall be addressed in project management, regardless of the type of project.

6.2 Mobile devices and teleworking: Ensure the security of teleworking and the use of mobile devices.

6.2.1 Mobile device policy: A policy and supporting security measures shall be adopted to manage the risks introduced by mobile devices.

6.2.2 Teleworking: A policy and supporting security measures shall be implemented to protect information accessed, processed, or stored at teleworking sites.

7 HUMAN RESOURCE SECURITY


7.1 Prior to employment: Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

7.1.1 Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

7.1.2 Terms and conditions of employment: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

7.2 During employment: Ensure that employees and contractors are aware of and fulfil their information security responsibilities.

7.2.1 Management responsibilities: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

7.2.2 Information security awareness, education, and training: All employees of the organization and relevant contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures as relevant to their job function.

7.2.3 Disciplinary process: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

7.3 Termination or change of employment: Protect the organization's interests as part of the process of changing or terminating employment.

7.3.1 Termination or change of employment responsibilities: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor, and enforced.

8 ASSET MANAGEMENT
8.1 Responsibility for assets: Identify organizational assets and define appropriate protection responsibilities.

8.1.1 Inventory of assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

8.1.2 Ownership of assets: Assets maintained in the inventory shall be owned.

8.1.3 Acceptable use of assets: Rules for the acceptable use of information and assets associated with information and information processing facilities shall be identified, documented, and implemented.

8.1.4 Return of assets: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract, or agreement.

8.2 Information classification: Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

8.2.1 Classification of information: Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.

8.2.2 Labelling of information: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

8.2.3 Handling of assets: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

8.3 Media handling: Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

8.3.1 Management of removable media: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

8.3.2 Disposal of media: Media shall be disposed of securely when no longer required, using formal procedures.

8.3.3 Physical media transfer: Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation.

9 ACCESS CONTROL
9.1 Business requirements of access control: Limit access to information and information processing facilities.

9.1.1 Access control policy: An access control policy shall be established, documented, and reviewed based on business and information security requirements.

9.1.2 Access to networks and network services: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

9.2 User access management: Ensure authorized user access and prevent unauthorized access to systems and services.

9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

9.2.2 User access provisioning: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

9.2.3 Management of privileged access rights: The allocation and use of privileged access rights shall be restricted and controlled.

9.2.4 Management of secret authentication information of users: The allocation of secret authentication information shall be controlled through a formal management process.

9.2.5 Review of user access rights: Asset owners shall review users' access rights at regular intervals.

9.2.6 Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted upon change.

9.3 User responsibilities: Make users accountable for safeguarding their authentication information.

9.3.1 Use of secret authentication information: Users shall be required to follow the organization's practices in the use of secret authentication information.

9.4 System and application access control: Prevent unauthorized access to systems and applications.

9.4.1 Information access restriction: Access to information and application system functions shall be restricted in accordance with the access control policy.

9.4.2 Secure log-on procedures: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

9.4.3 Password management system: Password management systems shall be interactive and shall ensure quality passwords.

9.4.4 Use of privileged utility programs: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

9.4.5 Access control to program source code: Access to program source code shall be restricted.

10 CRYPTOGRAPHY
10.1 Cryptographic controls: Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

10.1.1 Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

10.1.2 Key management: A policy on the use, protection, and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

11 PHYSICAL AND ENVIRONMENTAL SECURITY


11.1 Secure areas: Prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

11.1.1 Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

11.1.2 Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

11.1.3 Securing offices, rooms and facilities: Physical security for offices, rooms, and facilities shall be designed and applied.

11.1.4 Protecting against external and environmental threats: Physical protection against natural disasters, malicious attacks, or accidents shall be designed and applied.

11.1.5 Working in secure areas: Procedures for working in secure areas shall be designed and applied.

11.1.6 Delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled, and if possible, isolated from information processing facilities to prevent unauthorized access.

11.2 Equipment: Prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

11.2.1 Equipment siting and protection: Equipment shall be sited and protected to reduce risks of environmental threats and hazards, and opportunities for unauthorized access.

11.2.2 Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

11.2.3 Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference, or damage.

11.2.4 Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity.

11.2.5 Removal of assets: Equipment, information, or software shall not be taken off-site without prior authorization.

11.2.6 Security of equipment and assets off-premises: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

11.2.7 Secure disposal or reuse of equipment: All equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

11.2.8 Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection.

11.2.9 Clear desk and clear screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

12 OPERATIONS SECURITY
12.1 Operational procedures and responsibilities: Ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures: Operating procedures shall be documented and made available to all users who need them.

12.1.2 Change management: Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be controlled.

12.1.3 Capacity management: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

12.1.4 Separation of development, testing, and operational environments: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

12.2 Protection from malware: Ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against malware: Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

12.3 Backups: Protect against loss of data.

12.3.1 Information backup: Backup copies of information, software, and system images shall be taken and tested regularly in accordance with an agreed backup policy.

12.4 Logging and monitoring: Record events and generate evidence.

12.4.1 Event logging: Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept, and regularly reviewed.

12.4.2 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.

12.4.3 Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

12.4.4 Clock synchronisation: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

12.5 Control of operational software: Ensure the integrity of operational systems.

12.5.1 Installation of software on operational systems: Procedures should be implemented to control the installation of software on operational systems.

12.6 Technical vulnerability management: Prevent exploitation of technical vulnerabilities.

12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

12.6.2 Restrictions on software installation: Rules governing the installation of software by users should be established and implemented.

12.7 Information systems audit considerations: Minimize the impact of audit activities on operational systems.

12.7.1 Information systems audit controls: Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.

13 COMMUNICATIONS SECURITY
13.1 Network security management: Ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls: Networks shall be managed and controlled to protect information in systems and applications.

13.1.2 Security of network services: Security mechanisms, service levels, and management requirements of all network services shall be identified and included in network service agreements, whether these services are provided in-house or outsourced.

13.1.3 Segregation in networks: Groups of information services, users, and information systems shall be segregated on networks.

13.2 Information transfer: Maintain the security of information transferred within an organization and with any external entity.

13.2.1 Information transfer policies and procedures: Formal transfer policies, procedures, and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

13.2.2 Agreements on information transfer: Agreements shall address the secure transfer of business information between the organization and external parties.

13.2.3 Electronic messaging: Information involved in electronic messaging shall be appropriately protected.

13.2.4 Confidentiality or non-disclosure agreements: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed, and documented.

14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE


14.1 Security requirements of information systems: Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

14.1.1 Information security requirements analysis and specification: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

14.1.2 Securing application services on public networks: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

14.1.3 Protecting application services transactions: Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay.

14.2 Security in development and support processes: Ensure that information security is designed and implemented within the development lifecycle of information systems.

14.2.1 Secure development policy: Rules for the development of software and systems shall be established and applied to developments within the organization.

14.2.2 System change control procedures: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

14.2.3 Technical review of applications after operating platform changes: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organization operations or security.

14.2.4 Restrictions on changes to software packages: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

14.2.5 Secure system engineering principles: Principles for engineering secure systems shall be established, documented, maintained, and applied to any information system implementation efforts.

14.2.6 Secure development environment: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

14.2.7 Outsourced development: The organization shall supervise and monitor the activity of outsourced system development.

14.2.8 System security testing: Testing of security functionality shall be carried out during development.

14.2.9 System acceptance testing: Acceptance testing programs and related criteria shall be established for new information systems, upgrades, and new versions.

14.3 Test data: Ensure the protection of data used for testing.

14.3.1 Protection of test data: Test data shall be selected carefully, protected, and controlled.

15 SUPPLIER RELATIONSHIPS
15.1 Information security in supplier relationships: Ensure protection of the organization's assets that are accessible by suppliers.

15.1.1 Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with supplier access to the organization's assets shall be agreed on with the supplier and documented.

15.1.2 Addressing security within supplier agreements: All relevant information security requirements should be established and agreed upon with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.

15.1.3 Information and communication technology supply chain: Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chains.

15.2 Supplier service delivery management: Maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.1 Monitoring and review of supplier services: Organizations should regularly monitor, review, and audit supplier service delivery.

15.2.2 Managing changes to supplier services: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, should be managed, taking account of the criticality of business information, systems, and processes involved and re-assessment of risks.

16 INFORMATION SECURITY INCIDENT MANAGEMENT


16.1 Management of information security incidents and improvements: Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.1 Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

16.1.2 Reporting information security events: Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.

16.1.3 Reporting information security weaknesses: Information security events should be reported through appropriate management channels as quickly as possible.

16.1.4 Assessment of and decision on information security events: Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

16.1.5 Response to information security incidents: Information security incidents should be responded to in accordance with the documented procedures.

16.1.6 Learning from information security incidents: Knowledge gained from analyzing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

16.1.7 Collection of evidence: The organization should define and apply procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence.

17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT


17.1 Information security continuity: Information security continuity shall be embedded in the organization's business continuity management systems.

17.1.1 Planning information security continuity: The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

17.1.2 Implementing information security continuity: The organization should establish, document, implement and maintain processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation.

17.1.3 Verify, review and evaluate information security continuity: The organization must verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during these situations.

17.2 Redundancies: Ensure availability of information processing facilities.

17.2.1 Availability of information processing facilities: Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

18 COMPLIANCE
18.1 Compliance with legal and contractual requirements: Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.1 Identification of applicable legislation and contractual requirements: All relevant legislative, statutory, regulatory, contractual requirements and the organization's approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization.

18.1.2 Intellectual property rights: Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

18.1.3 Protection of records: Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

18.1.4 Privacy and protection of personally identifiable information: Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

18.1.5 Regulation of cryptographic controls: Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.

18.2 Information security reviews: Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent review of information security: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

18.2.2 Compliance with security policies and standards: Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

18.2.3 Technical compliance review: Information systems should be regularly reviewed for compliance with the organization's information security policies and standards.
[COMPANY] ISO 27001 Statement of Applicability
ANNEX A REQUIREMENT | CONTROL TITLE | CONTROL OBJECTIVE | CONTROL APPLIED? | CONTROL NOTES AND DETAILS | CONTROL OWNER | JUSTIFICATION FOR EXCLUSION | DATE OF IMPLEMENTATION | DATE OF LAST ASSESSMENT

5 INFORMATION SECURITY POLICIES


A.5.1 Policies for information A.5.1 Policies for information Define, approve by management, publish, communicate
security security and acknowledge by relevant personnel and interested
parties, all information security policy and topic-specific
policies. The Policies must be reviewed at planned
intervals and in case of significant changes.

A.5.2 Information Security A.5.2 Information Security Define and allocate roles and responsibilities for
Roles and Roles and information security, according to needs of the Business
Responsibilities Responsibilities organization. Yes
requirement

A.5.3 Segregation of Duties A.5.3 Segregation of Duties Conflicting duties and areas of responsibility shall be
segregated to reduce opportunities for unauthorized or ISO 27001
unintentional modification or misuse of the organization's No
requirement
assets

6.1 Internal organization A.5.4 Management Management shall require all employees and contractors
Responsibilities to apply information security in accordance with the
established policies and procedures of the organization

6.1.1 Information security A.5.5 Contact with Appropriate contacts with relevant authorities shall be
roles and responsibilities Authorities established and maintained

6.1.2 Segregation of duties A.5.6 Contact with Special Appropriate contacts with special interest groups or other
Interest Groups specialist ssecurity forums and professional associations
shall be established and maintained

6.1.3 Contact with authorities A.5.7 Threat Intelligence Collect and analyze information relating to information
security threats to produce threat intelligence.

6.1.4 Contact with sepcial A.5.8 Information security in Information security shall be addressed and integrated in
interest groups project management project management, regardless of the type of project.

6.1.5 Information security in A.5.9 Inventory of Develop and maintain an inventory of information and
project management information and other other associated assets, including owners.
associated assets

6.2 Mobile devices and A.5.10 Acceptable use of Identify, document and implement rules for the acceptable
teleworking information and other use and procedures for handling information and other
associated assets associated assets.

6.2.1 Mobile device policy A.5.11 Return of assets Ensure personnel and other interested parties return the
assets in their possession and belonging to the
organization, when their employment, contract or
agreement is terminated or changed.

6.2.2 Teleworking A.5.12 Classification of Classify information in accordance with the information
information security needs of the organization, based on
confidentiality, integrity, availability and the relevant
requirements of interested parties.

7.1 Prior to employment A.5.13 Labelling of Develop and implement an appropriate set of procedures
information for information labelling, in accordance with the
classification scheme adopted.

7.1.1 Screening A.5.14 Information transfer Ensure the rules, procedures or agreements are in place for
the transfer of information within the organization and
between the organization and other parties, for all types of
transfer facilities.

7.1.2 Terms and conditions of A.5.15 Access control Rules to control the physical and logical access to
employement information and other associated assets shall be
established and implemented based on business and
information security requirements

7.2 During employment A.5.16 Identity management The full life cycle of identities shall be managed

7.2.1 Management A.5.17 Authentication Control the allocation and management of authentication
responsibilities information information with a management process, including
advising personnel on appropriate handling of
authentication information.

7.2.2 Information security A.5.18 Access rights Provide, review, modify and remove access rights to
awareness, education, information and other associate assets in accordance with
and training the topic-specific policy and rules on access control.

7.2.3 Disciplinary process A.5.19 Information security in Define and implement processes and procedures to
supplier relationships manage the information security risks that are associated
with the use of products and services obtained from
suppliers.

7.3 Termination or change A.5.20 Addressing Establish and agree with each supplier relevant
of employment information security information security requirements based on the type of
within supplier supplier relationship.
agreements

7.3.1 Termination or change A.5.21 Managing information Define and implement processes and procedures to
of employment security in the ICT manage the information security risks associated with the
responsibilities supply chain ICT products and services supply chain.

8.1 Responsibility for assets A.5.22 Monitoring, review and Regularly monitor, review, evaluate and manage change in
change management of supplier information security practices and service
supplier services delivery.

8.1.1 Inventory of assets A.5.23 Information security Establish processes for the acquisition, use, management
for use of cloud and exit from cloud services in accordance with the
services information security requirements of the organization.

8.1.2 Ownership of assets A.5.24 Information security Plan and prepare for managing information security
incident management incidents by defining, establishing and communicating
planning and information security incident management processes, roles
preparation and responsibilities.

8.1.3 Acceptable use of assets A.5.25 Assessment and Assess information security events and decide if they will
decision on information be categorized as incidents.
security events

8.1.4 Return of assets A.5.26 Response to Respond to information security incidents in accordance
information security with documented procedures.
incidents

8.2 Information A.5.27 Learning from Use the knowledge gained from information security
classification information security incidents to strengthen and improve the information
incidents security controls.

8.2.1 Classification of A.5.28 Collection of evidence Establish and implement procedures for the identification,
information collection, acquisition and preservation of evidence related
to information security events.

8.2.2 Labelling of information A.5.29 Information security Plan how to maintain information security at an
during disruption appropriate level during disruption.

8.2.3 Handling of assets A.5.30 ICT readiness for Plan, implement, maintain and test ICT readiness based on
business continuity the business continuity objectives and ICT continuity
requirements.

8.3 Media handling A.5.31 Legal, statutory, Identify, document and keep up to date the legal, statutory,
regulatory and regulatory and contractual requirements relevant for
contractual information security along with the organization’s
requirements approach to meet them.

8.3.1 Management of A.5.32 Intellectual property Implement appropriate procedures to protect intellectual
removable media rights property rights.

8.3.2 Disposal of media A.5.33 Protection of records Protect records from loss, destruction, falsification,
unauthorized access and unauthorized release.

8.3.3 Physical media transfer A.5.34 Privacy and protection Identify and meet the requirements regarding the
of PII preservation of privacy and protection of PII according to
applicable laws, regulations and contractual requirements.

9.1 Business requirements of A.5.35 Independent review of Review independently at planned intervals and whenever
access control information security significant changes occur, the approach to managing
information security and its implementation, including
people, processes and technology.

9.1.1 Access control policy A.5.36 Compliance with Review regularly compliance with the organization’s
policies, rules and information security policy, topic-specific policies, rules
standards for and standards.
information security

9.1.2 Access to networks and A.5.37 Documented operating Document and make available to the personnel who need
network services procedures the operating procedures for information processing
facilities.

10 PEOPLE CONTROLS
9.2 User access management A.6.1 Screening Ensure authorized user access and prevent unauthorized
access to systems and services.

9.2.1 User registration and de- A.6.2 Terms and Conditions A formal user registration and de-registration process shall
registration of Employment be implemented to enable assignment of access rights

9.2.2 User access provisioning A.6.3 Information Security A formal user access provisioning process shall be
Awareness, Education, implemented to assign or revoke access rights for all user
and Training types to all systems and services

9.2.3 Management of A.6.4 Disciplinary Process The allocation and use of privileged access rights shall be
privileged access rights restricted and controlled

9.2.4 Management of secret A.6.5 Responsibilities After The allocation of secret authentication information shall
authentication Termination or Change be controlled through a formal management process
information of users of Employment

9.2.5 Review of user access A.6.6 Confidentiality or Non- Asset owners shall review users' access rights at regular
rights Disclosure Agreements intervals

9.2.6 Removal or adjustment A.6.7 Remote Working The access rights of all employees and external party users
of access rights to information and information processing facilities shall
be removed upon termination of their employment,
contract, or agreement, or adjusted upon change

9.3 User responsibilities A.6.8 Information Security Make users accountable for safeguarding their
Event Reporting authentication information.

11 PHYSICAL CONTROLS
9.3.1 Use of secret A.7.1 Physical security Users shall be required to follow the organization's
authentication perimeters practices in the use of secret authentication information
information

9.4 System and application A.7.2 Physical entry Prevent unauthorized access to systems and applications.
access control

9.4.1 Information access A.7.3 Securing offices, rooms Access to information and application system functions
restriction and facilities shall be restricted in accordance with the access control
policy

9.4.2 Secure log-on A.7.4 Physical security Where required by the access control policy, access to
procedures monitoring systems and applications shall be controlled by a secure
log on procedure

9.4.3 Password management A.7.5 Protecting against Password management systems shall be interactive and
system physical and shall ensure quality passwords
environmental threats

9.4.4 Use of privileged utility A.7.6 Working in secure The use of utility programs that might be capable of
programs areas overriding system and application controls shall be
restricted and tightly controlled

9.4.5 Access control to A.7.7 Clear desk and clear Access to program source code shall be restricted
program source code screen

10.1 Cryptographic controls A.7.8 Equipment siting and Ensure proper and effective use of cryptography to protect
protection the confidentiality, authenticity and/or integrity of
information.

10.1.1 Policy on the use of A.7.9 Security of assets off- A policy on the use of cryptographic controls for
cryptographic controls premises protection of information shall be developed and
implemented

10.1.2 Key management A.7.10 Storage media A policy on the use, protection, and lifetime of
cryptographic keys shall be developed and implemented
through their whole lifecycle

11.1 Secure areas A.7.11 Supporting utilities Prevent unauthorized physical access, damage and
interference to the organization's information and
information processing facilities.

11.1.1 Physical security A.7.12 Cabling security Security perimeters shall be defined and used to protect
perimeter areas that contain either sensitive or critical information
and information processing facilities

11.1.2 Physical entry controls A.7.13 Equipment Secure areas shall be protected by appropriate entry
maintenance controls to ensure that only authorized personnel are
allowed access

11.1.3 Securing offices, rooms A.7.14 Secure disposal or re- Physical security for offices, rooms, and facilities shall be
and facilities use of equipment designed and applied

12 TECHNOLOGICAL CONTROLS
11.1.4 Protecting against A.8.1 User endpoint devices Physical protection against natural disasters, malicious
external and attacks, or accidents shall be designed and applied
environmental threats

11.1.5 Working in secure areas A.8.2 Information access Procedures for working in secure areas shall be designed
restriction and applied

11.1.6 Delivery and loading A.8.3 Information access Access points such as delivery and loading areas and other
areas restriction points where unauthorized persons could enter the
premises shall be controlled, and if possible, isolated
from information processing facilities to prevent
unauthorized access

11.2 Equipment A.8.4 Access to source code Prevent loss, damage, theft or compromise of assets and
interruption to the organization's operations.

11.2.1 Equipment siting and A.8.5 Secure authentication Equipment shall be sited and protected to reduce risks of
protection environmental threats and hazards, and opportunities for
unauthorized access

11.2.2 Supporting utilities A.8.6 Capacity management Equipment shall be protected from power failures and
other disruptions caused by failures in supporting utilities

11.2.3 Cabling security A.8.7 Protection against Power and telecommunications cabling carrying data or
malware supporting information services shall be protected from
interception, interference, or damage

11.2.4 Equipment maintenance A.8.8 Management of Equipment shall be correctly maintained to ensure its
technical continued availability and integrity
vulnerabilities

11.2.5 Removal of assets A.8.9 Configuration Equipment, information, or software shall not be taken
management off-site without prior authorization

11.2.6 Security of equipment A.8.10 Information deletion Security shall be applied to off-site assets taking into
and assets off-premises account the different risks of working outside the
organization's premises

11.2.7 Secure disposal or reuse A.8.11 Data masking All equipment containing storage media shall be verified
of equipment to ensure that any sensitive data and licensed software has
been removed or securely overwritten prior to disposal or
re-use

11.2.8 Unattended user A.8.12 Data leakage Users shall ensure that unattended equipment has
equipment prevention appropriate protection

11.2.9 Clear desk and clear A.8.13 Information backup A clear desk policy for papers and removable storage
screen policy media and a clear screen policy for information processing
facilities shall be adopted

12.1 Operational procedures A.8.14 Redundancy of Ensure correct and secure operations of information
and responsibilities information processing processing facilities.
facilities

12.1.1 Documented operating A.8.15 Logging Operating procedures shall be documented and made
procedures available to all users who need them

12.1.2 Change management A.8.16 Monitoring activities Changes to the organization, business processes,
information processing facilities, and systems that affect
information security shall be controlled

12.1.3 Capacity management A.8.17 Clock synchronization The use of resources shall be monitored, tuned, and
projections made of future capacity requirements to ensure
the required system performance

12.1.4 Separation of A.8.18 Use of privileged utility Development, testing, and operational environments shall
development, testing programs be separated to reduce the risks of unauthorized access or
and operational changes to the operational environment
environments

12.2 Protection from A.8.19 Installation of software Ensure that information and information processing
malware on operational systems facilities are protected against malware.

12.2.1 Controls against A.8.20 Networks security Detection, prevention, and recovery controls to protect
malware against malware shall be implemented, combined with
appropriate user awareness

12.3 Backups A.8.21 Security of network Protect against loss of data.
services

12.3.1 Information backup A.8.22 Segregation of Backup copies of information, software, and system
networks images shall be taken and tested regularly in accordance
with an agreed backup policy

12.4 Logging and monitoring A.8.23 Web filtering Record events and generate evidence.

12.4.1 Event logging A.8.24 Use of cryptography Event logs recording user activities, exceptions, faults, and
information security events shall be produced, kept, and
regularly reviewed

12.4.2 Protection of log A.8.25 Secure development Logging facilities and log information shall be protected
information life cycle against tampering and unauthorized access

12.4.3 Administrator and A.8.26 Application security System administrator and system operator activities shall
operator logs requirements be logged and the logs protected and regularly reviewed

12.4.4 Clock synchronisation A.8.27 Secure system The clocks of all relevant information processing systems
architecture and within an organization or security domain shall be
engineering principles synchronized to a single reference time source

12.5 Control of operational A.8.28 Secure coding Ensure the integrity of operational systems.
software

12.5.1 Installation of software A.8.29 Security testing in Procedures should be implemented to control the
on operational systems development and installation of software on operational systems
acceptance

12.6 Technical vulnerability A.8.30 Outsourced Prevent exploitation of technical vulnerabilities.
management development

12.6.1 Management of A.8.31 Separation of Information about technical vulnerabilities of information
technical vulnerabilities development, test and systems being used should be obtained in a timely fashion,
production the organization’s exposure to such vulnerabilities
environments evaluated and appropriate measures taken to address the
associated risk

12.6.2 Restrictions on software A.8.32 Change management Rules governing the installation of software by users
installation should be established and implemented

12.7 Information systems A.8.33 Test information Minimize the impact of audit activities on operational
audit considerations systems.

12.7.1 Information systems A.8.34 Protection of Audit requirements and activities involving verification of
audit controls information systems operational systems should be carefully planned and
during audit testing agreed to minimize disruptions to business processes

13 COMMUNICATIONS SECURITY
13.1 Network security Ensure the protection of information in networks and its
management supporting information processing facilities.

13.1.1 Network controls Networks shall be managed and controlled to protect
information in systems and applications

13.1.2 Security of network Security mechanisms, service levels, and management
services requirements of all network services shall be identified
and included in network service agreements, whether
these services are provided in-house or outsourced

13.1.3 Segregation in networks Groups of information services, users, and information
systems shall be segregated on networks

13.2 Information transfer Maintain the security of information transferred within an
organization and with any external entity.

13.2.1 Information transfer Formal transfer policies, procedures, and controls shall be
policies and procedures in place to protect the transfer of information through the
use of all types of communication facilities

13.2.2 Agreements on Agreements shall address the secure transfer of business
information transfer information between the organization and external parties

13.2.3 Electronic messaging Information involved in electronic messaging shall be
appropriately protected

13.2.4 Confidentiality or non- Requirements for confidentiality or non-disclosure
disclosure agreements agreements reflecting the organization's needs for the
protection of information shall be identified, regularly
reviewed, and documented

14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE
14.1 Security requirements of Ensure that information security is an integral part of
information systems information systems across the entire lifecycle. This also
includes the requirements for information systems which
provide services over public networks.

14.1.1 Information security The information security related requirements shall be
requirements analysis included in the requirements for new information systems
and specification or enhancements to existing information systems

14.1.2 Securing application Information involved in application services passing over
services on public public networks shall be protected from fraudulent activity,
networks contract dispute, and unauthorized disclosure and
modification

14.1.3 Protecting application Information involved in application service transactions
services transactions shall be protected to prevent incomplete transmission,
misrouting, unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication, or replay

14.2 Security in development Ensure that information security is designed and
and support processes implemented within the development lifecycle of
information systems.

14.2.1 Secure development Rules for the development of software and systems shall
policy be established and applied to developments within the
organization

14.2.2 System change control Changes to systems within the development lifecycle shall
procedures be controlled by the use of formal change control
procedures

14.2.3 Technical review of When operating platforms are changed, business critical
applications after applications shall be reviewed and tested to ensure there is
operating platform no adverse impact on organization operations or security
changes

14.2.4 Restrictions on changes Modifications to software packages shall be discouraged,
to software packages limited to necessary changes and all changes shall be
strictly controlled

14.2.5 Secure system Principles for engineering secure systems shall be
engineering principles established, documented, maintained, and applied to any
information system implementation efforts

14.2.6 Secure development Organizations shall establish and appropriately protect
environment secure development environments for system development
and integration efforts that cover the entire system
development lifecycle

14.2.7 Outsourced development The organization shall supervise and monitor the activity
of outsourced system development

14.2.8 System security testing Testing of security functionality shall be carried out during
development

14.2.9 System acceptance Acceptance testing programs and related criteria shall be
testing established for new information systems, upgrades, and
new versions

14.3 Test data Ensure the protection of data used for testing.

14.3.1 Protection of test data Test data shall be selected carefully, protected, and
controlled

15 SUPPLIER RELATIONSHIPS
15.1 Information security in Ensure protection of the organization's assets that are
supplier relationships accessible by suppliers.

15.1.1 Information security Information security requirements for mitigating the risks
policy for supplier associated with supplier access to the organization's assets
relationships shall be agreed on with the supplier and documented

15.1.2 Addressing security All relevant information security requirements should be
within supplier established and agreed upon with each supplier that may
agreements access, process, store, communicate, or provide IT
infrastructure components for the organization's
information

15.1.3 Information and Agreements with suppliers should include requirements to
communication address the information security risks associated with
technology supply chain information and communications technology services and
product supply chains

15.2 Supplier service delivery Maintain an agreed level of information security and
management service delivery in line with supplier agreements.

15.2.1 Monitoring and review Organizations should regularly monitor, review, and audit
of supplier services supplier service delivery

15.2.2 Managing changes to Changes to the provision of services by suppliers,
supplier services including maintaining and improving existing information
security policies, procedures, and controls, should be
managed, taking account of the criticality of business
information, systems, and processes involved and re-
assessment of risks

16 INFORMATION SECURITY INCIDENT MANAGEMENT
16.1 Management of Ensure a consistent and effective approach to the
information security management of information security incidents, including
incidents and communication on security events and weaknesses.
improvements

16.1.1 Responsibilities and Management responsibilities and procedures shall be
procedures established to ensure a quick, effective, and orderly
response to information security incidents

16.1.2 Reporting information Management responsibilities and procedures should be
security events established to ensure a quick, effective and orderly
response to information security incidents

16.1.3 Reporting information Information security events should be reported through
security weaknesses appropriate management channels as quickly as possible

16.1.4 Assessment of and Information security events should be assessed and it
decision on information should be decided if they are to be classified as
security events information security incidents

16.1.5 Response to information Information security incidents should be responded to in
security incidents accordance with the documented procedures

16.1.6 Learning from Knowledge gained from analyzing and resolving
information security information security incidents should be used to reduce
incidents the likelihood or impact of future incidents

16.1.7 Collection of evidence The organization should define and apply procedures for
the identification, collection, acquisition, and preservation
of information, which can serve as evidence

17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
17.1 Information security Information security continuity shall be embedded in the
continuity organization's business continuity management systems.

17.1.1 Planning information The organization should determine its requirements for
security continuity information security and the continuity of information
security management in adverse situations, e.g. during a
crisis or disaster

17.1.2 Implementing The organization should establish, document, implement
information security and maintain processes, procedures, and controls to ensure
continuity the required level of continuity for information security
during an adverse situation

17.1.3 Verify, review and The organization must verify the established and
evaluate information implemented information security continuity controls at
security continuity regular intervals in order to ensure that they are valid and
effective during these situations

17.2 Redundancies Ensure availability of information processing facilities.

17.2.1 Availability of Information processing facilities should be implemented
information processing with redundancy sufficient to meet availability
facilities requirements

18 COMPLIANCE
18.1 Compliance with legal Avoid breaches of legal, statutory, regulatory or
and contractual contractual obligations related to information security and
requirements of any security requirements.

18.1.1 Identification of All relevant legislative, statutory, regulatory, contractual
applicable legislation requirements and the organization’s approach to meet
and contractual these requirements should be explicitly identified,
requirements documented and kept up to date for each information
system and the organization

18.1.2 Intellectual property Appropriate procedures should be implemented to ensure
rights compliance with legislative, regulatory and contractual
requirements related to intellectual property rights and use
of proprietary software products

18.1.3 Protection of records Records should be protected from loss, destruction,
falsification, unauthorized access and unauthorized
release, in accordance with legislative, regulatory,
contractual and business requirements

18.1.4 Privacy and protection Privacy and protection of personally identifiable
of personally identifiable information should be ensured as required in relevant
information legislation and regulation where applicable

18.1.5 Regulation of Cryptographic controls should be used in compliance with
cryptographic controls all relevant agreements, legislation and regulations

18.2 Information security Ensure that information security is implemented and
reviews operated in accordance with the organizational policies
and procedures.

18.2.1 Independent review of The organization’s approach to managing information
information security security and its implementation (i.e. control objectives,
controls, policies, processes and procedures for
information security) should be reviewed independently at
planned intervals or when significant changes occur

18.2.2 Compliance with Managers should regularly review the compliance of
security policies and information processing and procedures within their area of
standards responsibility with the appropriate security policies,
standards and any other security requirements

18.2.3 Technical compliance Information systems should be regularly reviewed for
review compliance with the organization’s information security
policies and standards
