CH ID A5
CO ID A5.1: Management direction for information security

Sr. No | CR ID  | CO ID | Control Requirement
1      |        | A5.1  | A set of policies for information security shall be defined, approved by management, published & communicated to empl [...] relevant external parties.
2      | A5.1.2 | A5.1  | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their suitability, adequacy & effectiveness.
CH ID A6: Organization of information security

Sr. No | CR ID  | CO ID | Control Requirement
3      | A6.1.1 | A6.1  | All information security responsibilities shall be defined & allocated.
4      | A6.1.2 | A6.1  | Conflicting duties & areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional misuse of the organization's assets.
5      | A6.1.3 | A6.1  | Appropriate contacts with relevant authorities shall be maintained.
6      | A6.1.4 | A6.1  | Appropriate contacts with special interest groups or other specialist security forums & professional associations shall be [...]
7      | A6.1.5 | A6.1  | Information security shall be addressed in project management, regardless of the type of the project.
8      | A6.2.1 | A6.2  | A policy & supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
9      | A6.2.2 | A6.2  | Teleworking: A policy & supporting security measures shall be implemented to protect information accessed, processed or stored at te [...] sites.
CH ID A7

Sr. No | CR ID  | CO ID | Control Requirement
10     | A7.1.1 | A7.1  | Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, r [...] ethics & shall be proportional to the business requirements, the classification of the information to be accessed & the pe [...]
11     | A7.1.2 | A7.1  | The contractual agreements with employees & contractors shall state their & the organization's responsibilities for inform [...]
12     | A7.2.1 | A7.2  | Management shall require all employees & contractors to apply information security in accordance with the established p [...] procedures of the organization.
13     | A7.2.2 | A7.2  | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education & train [...] updates in organizational policies & procedures, as relevant for their job function.
14     | A7.2.3 | A7.2  | There shall be a formal & communicated disciplinary process in place to take action against employees who have commi [...] information security breach.
15     | A7.3.1 | A7.3  | Information security responsibilities & duties that remain valid after termination or change of employment shall be define [...] communicated to the employee or contractor & enforced.
CH ID A8: Asset management

Sr. No | CR ID  | CO ID | Control Requirement
16     | A8.1.1 | A8.1  | Assets associated with information & information processing facilities shall be identified & an inventory of these assets s [...] up & maintained.
17     | A8.1.2 | A8.1  | Assets maintained in the inventory shall be owned.
18     | A8.1.3 | A8.1  | Rules for the acceptable use of information & of assets associated with information & information processing facilities sh [...] identified, documented & implemented.
19     | A8.1.4 | A8.1  | All employees & external party users shall return all of the organizational assets in their possession upon termination of t [...] employment, contract or agreement.
20     | A8.2.1 | A8.2  | Information shall be classified in terms of legal requirements, value, criticality & sensitivity to unauthorized disclosure or [...]
21     | A8.2.2 | A8.2  | An appropriate set of procedures for information labelling shall be developed & implemented in accordance with the info [...] classification scheme adopted by the organization.
22     | A8.2.3 | A8.2  | Procedures for handling assets shall be developed & implemented in accordance with the information classification schem [...] the organization.
23     | A8.3.1 | A8.3  | Procedures shall be implemented for the management of removable media in accordance with the classification scheme [...] organization.
24     | A8.3.2 | A8.3  | Media shall be disposed of securely when no longer required, using formal procedures.
25     | A8.3.3 | A8.3  | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation [...]
CH ID A9: Access control
CO ID A9.1: Business requirements of access control

Sr. No | CR ID  | CO ID | Control Requirement
26     | A9.1.1 | A9.1  | An access control policy shall be established, documented & reviewed based on business & information security requirem [...]
27     |        | A9.1  | Users shall only be provided with access to the network & network services that they have been specifically authorized t [...]
28     | A9.2.1 | A9.2  | A formal user registration & de-registration process shall be implemented to enable assignment of access rights.
29     | A9.2.2 | A9.2  | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all [...] services.
30     |        | A9.2  | The allocation & use of privileged access rights shall be restricted & controlled.
31     | A9.2.4 | A9.2  | The allocation of secret authentication information shall be controlled through a formal management process.
32     | A9.2.5 | A9.2  |
33     |        | A9.2  | The access rights of all employees & external party users to information & information processing facilities shall be remo [...] termination of their employment, contract or agreement, or adjusted upon change.
34     |        | A9.3  | Users shall be required to follow the organization's practices in the use of secret authentication information.
35     | A9.4.1 | A9.4  | Access to information & application system functions shall be restricted in accordance with the access control policy.
36     | A9.4.2 | A9.4  | Where required by the access control policy, access to systems & applications shall be controlled by a secure log-on proc [...]
37     |        | A9.4  | Password management systems shall be interactive & shall ensure quality passwords.
38     | A9.4.4 | A9.4  | The use of utility programs that might be capable of overriding system & application controls shall be restricted & tightly [...]
39     | A9.4.5 | A9.4  | Access to program source code shall be restricted.
CH ID A10: Cryptography

Sr. No | CR ID   | CO ID | Control Requirement
40     | A10.1.1 | A10.1 | A policy on the use of cryptographic controls for protection of information shall be developed & implemented.
41     | A10.1.2 | A10.1 | A policy on the use, protection & lifetime of cryptographic keys shall be developed & implemented through their whole lif [...]
CH ID A11: Physical & environmental security
CO ID A11.2: Equipment

Sr. No | CR ID   | CO ID | Control Requirement
42     | A11.1.1 | A11.1 | Security perimeters shall be defined & used to protect areas that contain either sensitive or critical information & informa [...] processing facilities.
43     | A11.1.2 | A11.1 | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed acces [...]
44     | A11.1.3 | A11.1 | Physical security for offices, rooms & facilities shall be designed & applied.
45     | A11.1.4 | A11.1 | Physical protection against natural disasters, malicious attack or accidents shall be designed & applied.
46     | A11.1.5 | A11.1 | Procedures for working in secure areas shall be designed & applied.
47     | A11.1.6 | A11.1 | Access points such as delivery & loading areas & other points where unauthorized persons could enter the premises shal [...] and, if possible, isolated from information processing facilities to avoid unauthorized access.
48     | A11.2.1 | A11.2 | Equipment shall be sited & protected to reduce the risks from environmental threats & hazards, & opportunities for unau [...] access.
49     | A11.2.2 | A11.2 | Equipment shall be protected from power failures & other disruptions caused by failures in supporting utilities.
50     | A11.2.3 | A11.2 | Power & telecommunications cabling carrying data or supporting information services shall be protected from interceptio [...] or damage.
51     | A11.2.4 | A11.2 | Equipment shall be correctly maintained to ensure its continued availability & integrity.
52     | A11.2.5 | A11.2 | Equipment, information or software shall not be taken off-site without prior authorization.
53     | A11.2.6 | A11.2 | Security shall be applied to off-site assets taking into account the different risks of working outside the organization's pre [...]
54     | A11.2.7 | A11.2 | All items of equipment containing storage media shall be verified to ensure that any sensitive data & licensed software h [...] removed or securely overwritten prior to disposal or re-use.
55     | A11.2.8 | A11.2 | Users shall ensure that unattended equipment has appropriate protection.
56     |         | A11.2 | A clear desk policy for papers & removable storage media & a clear screen policy for information processing facilities sha [...]
CH ID A12: Operations security
CO ID A12.1: Operational procedures & responsibilities
CO ID A12.3: Backup

Sr. No | CR ID   | CO ID | Control Requirement
57     | A12.1.1 | A12.1 | Operating procedures shall be documented & made available to all users who need them.
58     | A12.1.2 | A12.1 | Changes to the organization, business processes, information processing facilities & systems that affect information secu [...] controlled.
59     | A12.1.3 | A12.1 | The use of resources shall be monitored, tuned & projections made of future capacity requirements to ensure the require [...] performance.
60     | A12.1.4 | A12.1 | Development, testing, & operational environments shall be separated to reduce the risks of unauthorized access or chan [...] operational environment.
61     | A12.2.1 | A12.2 | Detection, prevention & recovery controls to protect against malware shall be implemented, combined with appropriate u [...] awareness.
62     | A12.3.1 | A12.3 | Backup copies of information, software & system images shall be taken & tested regularly in accordance with an agreed [...]
63     | A12.4.1 | A12.4 | Event logs recording user activities, exceptions, faults & information security events shall be produced, kept & regularly r [...]
64     | A12.4.2 | A12.4 | Logging facilities & log information shall be protected against tampering & unauthorized access.
65     | A12.4.3 | A12.4 | System administrator & system operator activities shall be logged & the logs protected & regularly reviewed.
66     | A12.4.4 | A12.4 | The clocks of all relevant information processing systems within an organization or security domain shall be synchronised [...] reference time source.
67     | A12.5.1 | A12.5 | Procedures shall be implemented to control the installation of software on operational systems.
68     | A12.6.1 | A12.6 | Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the o [...] exposure to such vulnerabilities evaluated & appropriate measures taken to address the associated risk.
69     | A12.6.2 | A12.6 | Rules governing the installation of software by users shall be established & implemented.
70     | A12.7.1 | A12.7 | Audit requirements & activities involving verification of operational systems shall be carefully planned & agreed to minim [...] to business processes.
CH ID A13: Communications security
CO ID A13.1: Network security management

Sr. No | CR ID   | CO ID | Control Requirement
71     | A13.1.1 | A13.1 | Networks shall be managed & controlled to protect information in systems & applications.
72     | A13.1.2 | A13.1 | Security mechanisms, service levels & management requirements of all network services shall be identified & included in [...] services agreements, whether these services are provided in-house or outsourced.
73     | A13.1.3 | A13.1 | Groups of information services, users & information systems shall be segregated on networks.
74     | A13.2.1 | A13.2 | Formal transfer policies, procedures & controls shall be in place to protect the transfer of information through the use of [...] communication facilities.
75     | A13.2.2 | A13.2 | Agreements shall address the secure transfer of business information between the organization & external parties.
76     | A13.2.3 | A13.2 | Information involved in electronic messaging shall be appropriately protected.
77     | A13.2.4 | A13.2 | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of in [...] be identified, regularly reviewed & documented.
CH ID A14: System acquisition, development & maintenance

Sr. No | CR ID   | CO ID | Control Requirement
78     | A14.1.1 | A14.1 | The information security related requirements shall be included in the requirements for new information systems or enha [...] existing information systems.
79     |         | A14.1 | Information involved in application services passing over public networks shall be protected from fraudulent activity, con [...] and unauthorized disclosure & modification.
80     | A14.1.3 | A14.1 | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routin [...] unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
81     | A14.2.1 | A14.2 | Rules for the development of software & systems shall be established and applied to developments within the organizati [...]
82     | A14.2.2 | A14.2 | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
83     | A14.2.3 | A14.2 | When operating platforms are changed, business critical applications shall be reviewed & tested to ensure there is no ad [...] on organizational operations or security.
84     | A14.2.4 | A14.2 | Modifications to software packages shall be discouraged, limited to necessary changes & all changes shall be strictly con [...]
85     | A14.2.5 | A14.2 | Principles for engineering secure systems shall be established, documented, maintained & applied to any information sys [...] implementation efforts.
86     | A14.2.6 | A14.2 | Secure development environment: Organizations shall establish & appropriately protect secure development environments for system development & integ [...] that cover the entire system development lifecycle.
87     | A14.2.7 | A14.2 | The organization shall supervise & monitor the activity of outsourced system development.
88     | A14.2.8 | A14.2 |
89     | A14.2.9 | A14.2 | Acceptance testing programs & related criteria shall be established for new information systems, upgrades & new versio [...]
90     | A14.3.1 | A14.3 |
CH ID A15: Supplier relationships
CO ID A15.1: Information security in supplier relationships

Sr. No | CR ID   | CO ID | Control Requirement
91     | A15.1.1 | A15.1 | Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets s [...] with the supplier & documented.
92     | A15.1.2 | A15.1 | All relevant information security requirements shall be established & agreed with each supplier that may access, process [...] communicate, or provide IT infrastructure components for, the organization's information.
93     | A15.1.3 | A15.1 | Agreements with suppliers shall include requirements to address the information security risks associated with informatio [...] communications technology services & product supply chain.
94     |         | A15.2 | Organizations shall regularly monitor, review & audit supplier service delivery.
95     |         | A15.2 | Changes to the provision of services by suppliers, including maintaining & improving existing information security policie [...] & controls, shall be managed, taking account of the criticality of business information, systems & processes involved & re [...] of risks.
CH ID A16

Sr. No | CR ID   | CO ID | Control Requirement
96     | A16.1.1 | A16.1 | Management responsibilities & procedures shall be established to ensure a quick, effective & orderly response to informa [...] incidents.
97     | A16.1.2 | A16.1 | Information security events shall be reported through appropriate management channels as quickly as possible.
98     | A16.1.3 | A16.1 | Employees & contractors using the organization's information systems & services shall be required to note & report any [...] suspected information security weaknesses in systems or services.
99     | A16.1.4 | A16.1 | Information security events shall be assessed & it shall be decided if they are to be classified as information security inci [...]
100    | A16.1.5 | A16.1 | Information security incidents shall be responded to in accordance with the documented procedures.
101    | A16.1.6 | A16.1 | Knowledge gained from analysing & resolving information security incidents shall be used to reduce the likelihood or imp [...] incidents.
102    | A16.1.7 | A16.1 | The organization shall define & apply procedures for the identification, collection, acquisition & preservation of informatio [...] serve as evidence.
CH ID A17
CO ID A17.2: Redundancies

Sr. No | CR ID   | CO ID | Control Requirement
103    |         | A17.1 | The organization shall determine its requirements for information security & the continuity of information security manag [...] adverse situations, e.g. during a crisis or disaster.
104    | A17.1.2 | A17.1 | The organization shall establish, document, implement & maintain processes, procedures & controls to ensure the requir [...] continuity for information security during an adverse situation.
105    | A17.1.3 | A17.1 | The organization shall verify the established & implemented information security continuity controls at regular intervals i [...] ensure that they are valid & effective during adverse situations.
106    | A17.2.1 | A17.2 | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
CH ID A18: Compliance

Sr. No | CR ID   | CO ID | Control Requirement
107    |         | A18.1 | All relevant legislative, statutory, regulatory, contractual requirements and the organization's approach to meet these re [...] shall be explicitly identified, documented & kept up to date for each information system & the organization.
108    | A18.1.2 | A18.1 | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory & contractual requiremen [...] intellectual property rights & use of proprietary software products.
109    | A18.1.3 | A18.1 | Records shall be protected from loss, destruction, falsification, unauthorized access & unauthorized release, in accordanc [...] legislatory, regulatory, contractual & business requirements.
110    | A18.1.4 | A18.1 | Privacy & protection of personally identifiable information shall be ensured as required in relevant legislation & regulation [...] applicable.
111    | A18.1.5 | A18.1 | Cryptographic controls shall be used in compliance with all relevant agreements, legislation & regulations.
112    | A18.2.1 | A18.2 | The organization's approach to managing information security & its implementation (i.e. control objectives, controls, poli [...] and procedures for information security) shall be reviewed independently at planned intervals or when significant change [...]
113    | A18.2.2 | A18.2 | Managers shall regularly review the compliance of information processing & procedures within their area of responsibility [...] appropriate security policies, standards & any other security requirements.
114    | A18.2.3 | A18.2 | Information systems shall be regularly reviewed for compliance with the organization's information security policies & sta [...]
Sr. No
CR ID
A5.1.2
A6.1.1
A6.1.2
A6.1.3
A6.1.4
A6.1.5
A6.2.1
Teleworking Control
A6.2.2
10
Screening Control
A7.1.1
11
A7.1.2
12
A7.2.1
13
A7.2.2
14
A7.2.3
15
A7.3.1
16
A8.1.1
17
A8.1.2
18
A8.1.3
19
A8.1.4
20
A8.2.1
21
A8.2.2
22
A8.2.3
23
A8.3.1
24
A8.3.2
25
A8.3.3
26
A9.1.1
27
28
A9.2.1
29
A9.2.2
30
31
A9.2.4
32
A9.2.5
33
34
35
A9.4.1
36
A9.4.2
37
38
A9.4.4
39
A9.4.5
40
A10.1.1
41
A10.1.2
42
A11.1.1
43
A11.1.2
44
A11.1.3
45
A11.1.4
46
A11.1.5
47
A11.1.6
48
A11.2.1
49
A11.2.2
50
A11.2.3
51
A11.2.4
52
A11.2.5
53
A11.2.6
54
A11.2.7
55
A11.2.8
56
57
A12.1.1
58
A12.1.2
59
A12.1.3
60
A12.1.4
61
A12.2.1
62
A12.3.1
63
A12.4.1
64
A12.4.2
65
A12.4.3
66
A12.4.4
67
A12.5.1
68
Management of technical
vulnerabilities Control
A12.6.1
69
A12.6.2
70
A12.7.1
71
A13.1.1
72
A13.1.2
73
A13.1.3
74
A13.2.1
75
76
77
A13.2.2
A13.2.3
A13.2.4
78
79
80
A14.1.3
81
A14.2.1
82
A14.2.2
83
A14.2.3
84
A14.2.4
85
A14.2.5
86
Secure developmentenvironment
Control
A14.2.6
87
A14.2.7
88
A14.2.8
89
A14.2.9
A14.1.1
90
A14.3.1
91
A15.1.1
92
A15.1.2
93
A15.1.3
94
95
96
A16.1.1
97
A16.1.2
98
A16.1.3
99
A16.1.4
100
A16.1.5
101
A16.1.6
102
A16.1.7
103
104
A17.1.2
105
A17.1.3
106
A17.2.1
107
108
A18.1.2
109
A18.1.3
110
A18.1.4
111
A18.1.5
112
A18.2.1
113
A18.2.2
114
A18.2.3
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
Control Requirement
A set of policies for information security shall be defined, approved by management, published & communicated to empl
relevant external parties.
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their
suitability, adequacy & effectiveness
All information security responsibilities shall be defined & allocated.
Conflicting duties & areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional
misuse of the organizations assets.
Appropriate contacts with relevant authorities shall be maintained
Appropriate contacts with special interest groups or other specialist security forums & professional associations shall be
Information security shall be addressed in project management, regardless of the type of the project.
A policy & supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A policy & supporting security measures shall be implemented to protect information accessed, processed or stored at te
sites.
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, r
ethics & shall be proportional to the business requirements, the classification of the information to be accessed & the pe
The contractual agreements with employees & contractors shall state their & the organizations responsibilities for inform
Management shall require all employees & contractors to apply information security in accordance with the established p
procedures of the organization.
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education & train
updates in organizational policies & procedures, as relevant for their job function.
There shall be a formal & communicated disciplinary process in place to take action against employees who have commi
information security breach.
Information security responsibilities & duties that remain valid after termination or change of employment shall be define
communicated to the employee or contractor & enforced.
Assets associated with information & information processing facilities shall be identified & an inventory of these assets s
up & maintained.
Assets maintained in the inventory shall be owned.
Rules for the acceptable use of information & of assets associated with information & information processing facilities sh
identified, documented & implemented.
All employees & external party users shall return all of the organizational assets in their possession upon termination of t
employment, contract or agreement.
Information shall be classified in terms of legal requirements, value, criticality & sensitivity to unauthorized disclosure or
An appropriate set of procedures for information labelling shall be developed & implemented in accordance with the info
classification scheme adopted by the organization.
Procedures for handling assets shall be developed & implemented in accordance with the information classification schem
the organization
Procedures shall be implemented for the management of removable media in accordance with the classification scheme
organization.
Media shall be disposed of securely when no longer required, using formal procedures.
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation
An access control policy shall be established, documented & reviewed based on business & information security requirem
Users shall only be provided with access to the network & network services that they have been specifically authorized t
A formal user registration & de-registration process shall be implemented to enable assignment of access rights.
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all
services.
The allocation & use of privileged access rights shall be restricted & controlled.
The allocation of secret authentication information shall be controlled through a formal management process.
The access rights of all employees & external party users to information & information processing facilities shall be remo
termination of their employment, contract or agreement, or adjusted upon change.
Users shall be required to follow the organizations practices in the use of secret authentication information.
Access to information & application system functions shall be restricted in accordance with the access control policy.
Where required by the access control policy, access to systems & applications shall be controlled by a secure log-on proc
Password management systems shall be interactive & shall ensure quality passwords.
The use of utility programs that might be capable of overriding system & application controls shall be restricted & tightly
Access to program source code shall be restricted.
A policy on the use of cryptographic controls for protection of information shall be developed & implemented.
A policy on the use, protection & lifetime of cryptographic keys shall be developed & implemented through their whole lif
Security perimeters shall be defined & used to protect areas that contain either sensitive or critical information & informa
processing facilities.
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed acces
Physical security for offices, rooms & facilities shall be designed & applied.
Physical protection against natural disasters, malicious attack or accidents shall be designed & applied.
Procedures for working in secure areas shall be designed & applied.
Access points such as delivery & loading areas & other points where unauthorized persons could enter the premises shal
and, if possible, isolated from information processing facilities to avoid unauthorized access.
Equipment shall be sited & protected to reduce the risks from environmental threats & hazards, & opportunities for unau
access.
Equipment shall be protected from power failures & other disruptions caused by failures in supporting utilities.
Power & telecommunications cabling carrying data or supporting information services shall be protected from interceptio
or damage.
Equipment shall be correctly maintained to ensure its continued availability & integrity.
Equipment, information or software shall not be taken off-site without prior authorization.
Security shall be applied to off-site assets taking into account the different risks of working outside the organizations pre
All items of equipment containing storage media shall be verified to ensure that any sensitive data & licensed software h
removed or securely overwritten prior to disposal or re-use.
Users shall ensure that unattended equipment has appropriate protection.
A clear desk policy for papers & removable storage media & a clear screen policy for information processing facilities sha
Operating procedures shall be documented & made available to all users who need them
Changes to the organization, business processes, information processing facilities & systems that affect information secu
controlled.
The use of resources shall be monitored, tuned & projections made of future capacity requirements to ensure the require
performance.
Development, testing, & operational environments shall be separated to reduce the risks of unauthorized access or chan
operational environment.
Detection, prevention & recovery controls to protect against malware shall be implemented, combined with appropriate u
awareness.
Backup copies of information, software & system images shall be taken & tested regularly in accordance with an agreed
Event logs recording user activities, exceptions, faults & information security events shall be produced, kept & regularly r
Logging facilities & log information shall be protected against tampering & unauthorized access.
System administrator & system operator activities shall be logged & the logs protected & regularly reviewed.
The clocks of all relevant information processing systems within an organization or security domain shall be synchronised
reference time source.
Procedures shall be implemented to control the installation of software on operational systems.
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the o
exposure to such vulnerabilities evaluated & appropriate measures taken to address the associated risk.
Rules governing the installation of software by users shall be established & implemented.
Audit requirements & activities involving verification of operational systems shall be carefully planned & agreed to minim
to business processes.
Networks shall be managed & controlled to protect information in systems & applications.
Security mechanisms, service levels & management requirements of all network services shall be identified & included in
services agreements, whether these services are provided in-house or outsourced.
Groups of information services, users & information systems shall be segregated on networks.
Formal transfer policies, procedures & controls shall be in place to protect the transfer of information through the use of
communication facilities.
Agreements shall address the secure transfer of business information between the organization & external parties.
Information involved in electronic messaging shall be appropriately protected.
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of in
be identified, regularly reviewed & documented.
The information security related requirements shall be included in the requirements for new information systems or enha
existing information systems.
Information involved in application services passing over public networks shall be protected from fraudulent activity, con
and unauthorized disclosure & modification.
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routin
unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Rules for the development of software & systems shall be established and applied to developments within the organizati
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
When operating platforms are changed, business critical applications shall be reviewed & tested to ensure there is no ad
on organizational operations or security.
Modifications to software packages shall be discouraged, limited to necessary changes & all changes shall be strictly con
Principles for engineering secure systems shall be established, documented, maintained & applied to any information sys
implementation efforts.
Organizations shall establish & appropriately protect secure development environments for system development & integ
that cover the entire system development lifecycle.
The organization shall supervise & monitor the activity of outsourced system development.
Acceptance testing programs & related criteria shall be established for new information systems, upgrades & new versio
Information security requirements for mitigating the risks associated with supplier's access to the organization's assets s
with the supplier & documented.
All relevant information security requirements shall be established & agreed with each supplier that may access, process
communicate, or provide IT infrastructure components for, the organization's information.
Agreements with suppliers shall include requirements to address the information security risks associated with informatio
communications technology services & product supply chain.
Organizations shall regularly monitor, review & audit supplier service delivery.
Changes to the provision of services by suppliers, including maintaining & improving existing information security policie
& controls, shall be managed, taking account of the criticality of business information, systems & processes involved & re
of risks.
Management responsibilities & procedures shall be established to ensure a quick, effective & orderly response to informa
incidents.
Information security events shall be reported through appropriate management channels as quickly as possible.
Employees & contractors using the organization's information systems & services shall be required to note & report any
suspected information security weaknesses in systems or services.
Information security events shall be assessed & it shall be decided if they are to be classified as information security inci
Information security incidents shall be responded to in accordance with the documented procedures.
Knowledge gained from analysing & resolving information security incidents shall be used to reduce the likelihood or imp
incidents.
The organization shall define & apply procedures for the identification, collection, acquisition & preservation of informatio
serve as evidence.
The organization shall determine its requirements for information security & the continuity of information security manag
adverse situations, e.g. during a crisis or disaster.
The organization shall establish, document, implement & maintain processes, procedures & controls to ensure the requir
continuity for information security during an adverse situation.
The organization shall verify the established & implemented information security continuity controls at regular intervals i
ensure that they are valid & effective during adverse situations.
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
All relevant legislative, statutory, regulatory, contractual requirements and the organization's approach to meet these re
shall be explicitly identified, documented & kept up to date for each information system & the organization.
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory & contractual requiremen
intellectual property rights & use of proprietary software products.
Records shall be protected from loss, destruction, falsification, unauthorized access & unauthorized release, in accordanc
legislatory, regulatory, contractual & business requirements.
Privacy & protection of personally identifiable information shall be ensured as required in relevant legislation & regulation
applicable.
Cryptographic controls shall be used in compliance with all relevant agreements, legislation & regulations.
The organization's approach to managing information security & its implementation (i.e. control objectives, controls, poli
and procedures for information security) shall be reviewed independently at planned intervals or when significant change
Managers shall regularly review the compliance of information processing & procedures within their area of responsibility
appropriate security policies, standards & any other security requirements.
Information systems shall be regularly reviewed for compliance with the organization's information security policies & sta
Control header and control objective columns, one row per control objective (the source sheet repeats the row once per control; the last column gives how many controls are listed under each objective; blank cells are not given in the source sheet):

CH ID | Control Header                                | CO ID | Control Objective                             | Controls listed
A5    |                                               | A5.1  | Management direction for information security | 2
A6    | Organization of information security          | A6.1  |                                               | 5
A6    | Organization of information security          | A6.2  |                                               | 2
A7    |                                               | A7.1  |                                               | 2
A7    |                                               | A7.2  |                                               | 3
A7    |                                               | A7.3  |                                               | 1
A8    | Asset management                              | A8.1  |                                               | 4
A8    | Asset management                              | A8.2  |                                               | 3
A8    | Asset management                              | A8.3  |                                               | 3
A9    | Access control                                | A9.1  |                                               | 2
A9    | Access control                                | A9.2  |                                               | 6
A9    | Access control                                | A9.3  |                                               | 1
A9    | Access control                                | A9.4  |                                               | 5
A10   | Cryptography                                  | A10.1 |                                               | 2
A11   |                                               | A11.1 |                                               | 6
A11   |                                               | A11.2 | Equipment                                     | 9
A12   | Operations security                           | A12.1 |                                               | 4
A12   | Operations security                           | A12.2 |                                               | 1
A12   | Operations security                           | A12.3 | Backup                                        | 1
A12   | Operations security                           | A12.4 |                                               | 4
A12   | Operations security                           | A12.5 |                                               | 1
A12   | Operations security                           | A12.6 |                                               | 2
A12   | Operations security                           | A12.7 |                                               | 1
A13   | Communications security                       | A13.1 |                                               | 3
A13   | Communications security                       | A13.2 |                                               | 4
A14   | System acquisition, development & maintenance | A14.1 |                                               | 3
A14   | System acquisition, development & maintenance | A14.2 |                                               | 9
A14   | System acquisition, development & maintenance | A14.3 |                                               | 1
A15   | Supplier relationships                        | A15.1 |                                               | 3
A15   | Supplier relationships                        | A15.2 |                                               | 2
A16   |                                               | A16.1 |                                               | 7
A17   |                                               | A17.1 |                                               | 3
A17   |                                               | A17.2 | Redundancies                                  | 1
A18   | Compliance                                    | A18.1 |                                               | 5
A18   | Compliance                                    | A18.2 |                                               | 3