
Control list. Layout: control header (CH ID) and control objective (CO ID) first, then each control as Sr. No, CR ID and 27K2 control requirement title, followed by its control requirement.

Control Header A5: Information security policies
Control Objective A5.1: Management direction for information security

1. A5.1.1 Policies for information security (Control)
   A set of policies for information security shall be defined, approved by management, published & communicated to employees & relevant external parties.

2. A5.1.2 Review of the policies for information security (Control)
   The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy & effectiveness.

Control Header A6: Organization of information security
Control Objective A6.1: Internal organization

3. A6.1.1 Information security roles & responsibilities (Control)
   All information security responsibilities shall be defined & allocated.

4. A6.1.2 Segregation of duties (Control)
   Conflicting duties & areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

5. A6.1.3 Contact with authorities (Control)
   Appropriate contacts with relevant authorities shall be maintained.

6. A6.1.4 Contact with special interest groups (Control)
   Appropriate contacts with special interest groups or other specialist security forums & professional associations shall be maintained.

7. A6.1.5 Information security in project management (Control)
   Information security shall be addressed in project management, regardless of the type of the project.

Control Objective A6.2: Mobile devices & teleworking

8. A6.2.1 Mobile device policy (Control)
   A policy & supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

9. A6.2.2 Teleworking (Control)
   A policy & supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

Control Header A7: Human resource security
Control Objective A7.1: Prior to employment

10. A7.1.1 Screening (Control)
    Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations & ethics & shall be proportional to the business requirements, the classification of the information to be accessed & the perceived risks.

11. A7.1.2 Terms & conditions of employment (Control)
    The contractual agreements with employees & contractors shall state their & the organization's responsibilities for information security.

Control Objective A7.2: During employment

12. A7.2.1 Management responsibilities (Control)
    Management shall require all employees & contractors to apply information security in accordance with the established policies & procedures of the organization.

13. A7.2.2 Information security awareness, education and training (Control)
    All employees of the organization and, where relevant, contractors shall receive appropriate awareness education & training & regular updates in organizational policies & procedures, as relevant for their job function.

14. A7.2.3 Disciplinary process (Control)
    There shall be a formal & communicated disciplinary process in place to take action against employees who have committed an information security breach.

Control Objective A7.3: Termination & change of employment

15. A7.3.1 Termination or change of employment responsibilities (Control)
    Information security responsibilities & duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor & enforced.

Control Header A8: Asset management
Control Objective A8.1: Responsibility for assets

16. A8.1.1 Inventory of assets (Control)
    Assets associated with information & information processing facilities shall be identified & an inventory of these assets shall be drawn up & maintained.

17. A8.1.2 Ownership of assets (Control)
    Assets maintained in the inventory shall be owned.

18. A8.1.3 Acceptable use of assets (Control)
    Rules for the acceptable use of information & of assets associated with information & information processing facilities shall be identified, documented & implemented.

19. A8.1.4 Return of assets (Control)
    All employees & external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Control Objective A8.2: Information classification

20. A8.2.1 Classification of information (Control)
    Information shall be classified in terms of legal requirements, value, criticality & sensitivity to unauthorized disclosure or modification.

21. A8.2.2 Labelling of information (Control)
    An appropriate set of procedures for information labelling shall be developed & implemented in accordance with the information classification scheme adopted by the organization.

22. A8.2.3 Handling of assets (Control)
    Procedures for handling assets shall be developed & implemented in accordance with the information classification scheme adopted by the organization.

Control Objective A8.3: Media handling

23. A8.3.1 Management of removable media (Control)
    Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

24. A8.3.2 Disposal of media (Control)
    Media shall be disposed of securely when no longer required, using formal procedures.

25. A8.3.3 Physical media transfer (Control)
    Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

Control Header A9: Access control
Control Objective A9.1: Business requirements of access control

26. A9.1.1 Access control policy (Control)
    An access control policy shall be established, documented & reviewed based on business & information security requirements.

27. A9.1.2 Access to networks & network services (Control)
    Users shall only be provided with access to the network & network services that they have been specifically authorized to use.

Control Objective A9.2: User access management

28. A9.2.1 User registration & de-registration (Control)
    A formal user registration & de-registration process shall be implemented to enable assignment of access rights.

29. A9.2.2 User access provisioning (Control)
    A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems & services.

30. A9.2.3 Management of privileged access rights (Control)
    The allocation & use of privileged access rights shall be restricted & controlled.

31. A9.2.4 Management of secret authentication information of users (Control)
    The allocation of secret authentication information shall be controlled through a formal management process.

32. A9.2.5 Review of user access rights (Control)
    Asset owners shall review users' access rights at regular intervals.

33. A9.2.6 Removal or adjustment of access rights (Control)
    The access rights of all employees & external party users to information & information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Control Objective A9.3: User responsibilities

34. A9.3.1 Use of secret authentication information (Control)
    Users shall be required to follow the organization's practices in the use of secret authentication information.

Control Objective A9.4: System & application access control

35. A9.4.1 Information access restriction (Control)
    Access to information & application system functions shall be restricted in accordance with the access control policy.

36. A9.4.2 Secure log-on procedures (Control)
    Where required by the access control policy, access to systems & applications shall be controlled by a secure log-on procedure.

37. A9.4.3 Password management system (Control)
    Password management systems shall be interactive & shall ensure quality passwords.

38. A9.4.4 Use of privileged utility programs (Control)
    The use of utility programs that might be capable of overriding system & application controls shall be restricted & tightly controlled.

39. A9.4.5 Access control to program source code (Control)
    Access to program source code shall be restricted.

Control Header A10: Cryptography
Control Objective A10.1: Cryptographic controls

40. A10.1.1 Policy on the use of cryptographic controls (Control)
    A policy on the use of cryptographic controls for protection of information shall be developed & implemented.

41. A10.1.2 Key management (Control)
    A policy on the use, protection & lifetime of cryptographic keys shall be developed & implemented through their whole lifecycle.

Control Header A11: Physical & environmental security
Control Objective A11.1: Secure areas

42. A11.1.1 Physical security perimeter (Control)
    Security perimeters shall be defined & used to protect areas that contain either sensitive or critical information & information processing facilities.

43. A11.1.2 Physical entry controls (Control)
    Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

44. A11.1.3 Securing offices, rooms & facilities (Control)
    Physical security for offices, rooms & facilities shall be designed & applied.

45. A11.1.4 Protecting against external & environmental threats (Control)
    Physical protection against natural disasters, malicious attack or accidents shall be designed & applied.

46. A11.1.5 Working in secure areas (Control)
    Procedures for working in secure areas shall be designed & applied.

47. A11.1.6 Delivery & loading areas (Control)
    Access points such as delivery & loading areas & other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Control Objective A11.2: Equipment

48. A11.2.1 Equipment siting & protection (Control)
    Equipment shall be sited & protected to reduce the risks from environmental threats & hazards, & opportunities for unauthorized access.

49. A11.2.2 Supporting utilities (Control)
    Equipment shall be protected from power failures & other disruptions caused by failures in supporting utilities.

50. A11.2.3 Cabling security (Control)
    Power & telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

51. A11.2.4 Equipment maintenance (Control)
    Equipment shall be correctly maintained to ensure its continued availability & integrity.

52. A11.2.5 Removal of assets (Control)
    Equipment, information or software shall not be taken off-site without prior authorization.

53. A11.2.6 Security of equipment & assets off-premises (Control)
    Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

54. A11.2.7 Secure disposal or reuse of equipment (Control)
    All items of equipment containing storage media shall be verified to ensure that any sensitive data & licensed software has been removed or securely overwritten prior to disposal or re-use.

55. A11.2.8 Unattended user equipment (Control)
    Users shall ensure that unattended equipment has appropriate protection.

56. A11.2.9 Clear desk & clear screen policy (Control)
    A clear desk policy for papers & removable storage media & a clear screen policy for information processing facilities shall be adopted.

Control Header A12: Operations security
Control Objective A12.1: Operational procedures & responsibilities

57. A12.1.1 Documented operating procedures (Control)
    Operating procedures shall be documented & made available to all users who need them.

58. A12.1.2 Change management (Control)
    Changes to the organization, business processes, information processing facilities & systems that affect information security shall be controlled.

59. A12.1.3 Capacity management (Control)
    The use of resources shall be monitored, tuned & projections made of future capacity requirements to ensure the required system performance.

60. A12.1.4 Separation of development, testing & operational environments (Control)
    Development, testing, & operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Control Objective A12.2: Protection from malware

61. A12.2.1 Controls against malware (Control)
    Detection, prevention & recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Control Objective A12.3: Backup

62. A12.3.1 Information backup (Control)
    Backup copies of information, software & system images shall be taken & tested regularly in accordance with an agreed backup policy.

Control Objective A12.4: Logging & monitoring

63. A12.4.1 Event logging (Control)
    Event logs recording user activities, exceptions, faults & information security events shall be produced, kept & regularly reviewed.

64. A12.4.2 Protection of log information (Control)
    Logging facilities & log information shall be protected against tampering & unauthorized access.

65. A12.4.3 Administrator & operator logs (Control)
    System administrator & system operator activities shall be logged & the logs protected & regularly reviewed.

66. A12.4.4 Clock synchronisation (Control)
    The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

Control Objective A12.5: Control of operational software

67. A12.5.1 Installation of software on operational systems (Control)
    Procedures shall be implemented to control the installation of software on operational systems.

Control Objective A12.6: Technical vulnerability management

68. A12.6.1 Management of technical vulnerabilities (Control)
    Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated & appropriate measures taken to address the associated risk.

69. A12.6.2 Restrictions on software installation (Control)
    Rules governing the installation of software by users shall be established & implemented.

Control Objective A12.7: Information systems audit considerations

70. A12.7.1 Information systems audit controls (Control)
    Audit requirements & activities involving verification of operational systems shall be carefully planned & agreed to minimise disruptions to business processes.

Control Header A13: Communications security
Control Objective A13.1: Network security management

71. A13.1.1 Network controls (Control)
    Networks shall be managed & controlled to protect information in systems & applications.

72. A13.1.2 Security of network services (Control)
    Security mechanisms, service levels & management requirements of all network services shall be identified & included in network services agreements, whether these services are provided in-house or outsourced.

73. A13.1.3 Segregation in networks (Control)
    Groups of information services, users & information systems shall be segregated on networks.

Control Objective A13.2: Information transfer

74. A13.2.1 Information transfer policies & procedures (Control)
    Formal transfer policies, procedures & controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

75. A13.2.2 Agreements on information transfer (Control)
    Agreements shall address the secure transfer of business information between the organization & external parties.

76. A13.2.3 Electronic messaging (Control)
    Information involved in electronic messaging shall be appropriately protected.

77. A13.2.4 Confidentiality or non-disclosure agreements (Control)
    Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed & documented.

Control Header A14: System acquisition, development & maintenance
Control Objective A14.1: Security requirements of information systems

78. A14.1.1 Information security requirements analysis & specification (Control)
    The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

79. A14.1.2 Securing application services on public networks (Control)
    Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure & modification.

80. A14.1.3 Protecting application services transactions (Control)
    Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Control Objective A14.2: Security in development & support processes

81. A14.2.1 Secure development policy (Control)
    Rules for the development of software & systems shall be established and applied to developments within the organization.

82. A14.2.2 System change control procedures (Control)
    Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

83. A14.2.3 Technical review of applications after operating platform changes (Control)
    When operating platforms are changed, business critical applications shall be reviewed & tested to ensure there is no adverse impact on organizational operations or security.

84. A14.2.4 Restrictions on changes to software packages (Control)
    Modifications to software packages shall be discouraged, limited to necessary changes & all changes shall be strictly controlled.

85. A14.2.5 Secure system engineering principles (Control)
    Principles for engineering secure systems shall be established, documented, maintained & applied to any information system implementation efforts.

86. A14.2.6 Secure development environment (Control)
    Organizations shall establish & appropriately protect secure development environments for system development & integration efforts that cover the entire system development lifecycle.

87. A14.2.7 Outsourced development (Control)
    The organization shall supervise & monitor the activity of outsourced system development.

88. A14.2.8 System security testing (Control)
    Testing of security functionality shall be carried out during development.

89. A14.2.9 System acceptance testing (Control)
    Acceptance testing programs & related criteria shall be established for new information systems, upgrades & new versions.

Control Objective A14.3: Test data

90. A14.3.1 Protection of test data (Control)
    Test data shall be selected carefully, protected & controlled.

Control Header A15: Supplier relationships
Control Objective A15.1: Information security in supplier relationships

91. A15.1.1 Information security policy for supplier relationships (Control)
    Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier & documented.

92. A15.1.2 Addressing security within supplier agreements (Control)
    All relevant information security requirements shall be established & agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.

93. A15.1.3 Information & communication technology supply chain (Control)
    Agreements with suppliers shall include requirements to address the information security risks associated with information & communications technology services & product supply chain.

Control Objective A15.2: Supplier service delivery management

94. A15.2.1 Monitoring & review of supplier services (Control)
    Organizations shall regularly monitor, review & audit supplier service delivery.

95. A15.2.2 Managing changes to supplier services (Control)
    Changes to the provision of services by suppliers, including maintaining & improving existing information security policies, procedures & controls, shall be managed, taking account of the criticality of business information, systems & processes involved & re-assessment of risks.

Control Header A16: Information security incident management
Control Objective A16.1: Management of information security incidents & improvements

96. A16.1.1 Responsibilities & procedures (Control)
    Management responsibilities & procedures shall be established to ensure a quick, effective & orderly response to information security incidents.

97. A16.1.2 Reporting information security events (Control)
    Information security events shall be reported through appropriate management channels as quickly as possible.

98. A16.1.3 Reporting information security weaknesses (Control)
    Employees & contractors using the organization's information systems & services shall be required to note & report any observed or suspected information security weaknesses in systems or services.

99. A16.1.4 Assessment of & decision on information security events (Control)
    Information security events shall be assessed & it shall be decided if they are to be classified as information security incidents.

100. A16.1.5 Response to information security incidents (Control)
     Information security incidents shall be responded to in accordance with the documented procedures.

101. A16.1.6 Learning from information security incidents (Control)
     Knowledge gained from analysing & resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

102. A16.1.7 Collection of evidence (Control)
     The organization shall define & apply procedures for the identification, collection, acquisition & preservation of information, which can serve as evidence.

Control Header A17: Information security aspects of business continuity management
Control Objective A17.1: Information security continuity

103. A17.1.1 Planning information security continuity (Control)
     The organization shall determine its requirements for information security & the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

104. A17.1.2 Implementing information security continuity (Control)
     The organization shall establish, document, implement & maintain processes, procedures & controls to ensure the required level of continuity for information security during an adverse situation.

105. A17.1.3 Verify, review & evaluate information security continuity (Control)
     The organization shall verify the established & implemented information security continuity controls at regular intervals in order to ensure that they are valid & effective during adverse situations.

Control Objective A17.2: Redundancies

106. A17.2.1 Availability of information processing facilities (Control)
     Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

| Sr. No | 27K2 Control Requirement Title | CR ID | Control Requirement | CH ID | Control Header | CO ID | Control Objective |
|---|---|---|---|---|---|---|---|
| 107 | Identification of applicable legislation & contractual requirements | A18.1.1 | All relevant legislative, statutory, regulatory & contractual requirements and the organization's approach to meet these re … shall be explicitly identified, documented & kept up to date for each information system & the organization. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 108 | Intellectual property rights | A18.1.2 | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory & contractual requiremen … intellectual property rights & use of proprietary software products. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 109 | Protection of records | A18.1.3 | Records shall be protected from loss, destruction, falsification, unauthorized access & unauthorized release, in accordanc … legislative, regulatory, contractual & business requirements. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 110 | Privacy & protection of personally identifiable information | A18.1.4 | Privacy & protection of personally identifiable information shall be ensured as required in relevant legislation & regulation … applicable. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 111 | Regulation of cryptographic controls | A18.1.5 | Cryptographic controls shall be used in compliance with all relevant agreements, legislation & regulations. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 112 | Independent review of information security | A18.2.1 | The organization's approach to managing information security & its implementation (i.e. control objectives, controls, poli … and procedures for information security) shall be reviewed independently at planned intervals or when significant change … | A18 | Compliance | A18.2 | Information security reviews |
| 113 | Compliance with security policies & standards | A18.2.2 | Managers shall regularly review the compliance of information processing & procedures within their area of responsibility … appropriate security policies, standards & any other security requirements. | A18 | Compliance | A18.2 | Information security reviews |
| 114 | Technical compliance review | A18.2.3 | Information systems shall be regularly reviewed for compliance with the organization's information security policies & sta … | A18 | Compliance | A18.2 | Information security reviews |

| Sr. No | 27K2 Control Requirement Title | CR ID | Control Requirement | CH ID | Control Header | CO ID | Control Objective |
|---|---|---|---|---|---|---|---|
| 1 | Policies for information security | A5.1.1 | A set of policies for information security shall be defined, approved by management, published & communicated to empl … relevant external parties. | A5 | Information security policies | A5.1 | Management direction for information security |
| 2 | Review of the policies for information security | A5.1.2 | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their … suitability, adequacy & effectiveness. | A5 | Information security policies | A5.1 | Management direction for information security |
| 3 | Information security roles & responsibilities | A6.1.1 | All information security responsibilities shall be defined & allocated. | A6 | Organization of information security | A6.1 | Internal organization |
| 4 | Segregation of duties | A6.1.2 | Conflicting duties & areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional … misuse of the organization's assets. | A6 | Organization of information security | A6.1 | Internal organization |
| 5 | Contact with authorities | A6.1.3 | Appropriate contacts with relevant authorities shall be maintained. | A6 | Organization of information security | A6.1 | Internal organization |
| 6 | Contact with special interest groups | A6.1.4 | Appropriate contacts with special interest groups or other specialist security forums & professional associations shall be … | A6 | Organization of information security | A6.1 | Internal organization |
| 7 | Information security in project management | A6.1.5 | Information security shall be addressed in project management, regardless of the type of the project. | A6 | Organization of information security | A6.1 | Internal organization |
| 8 | Mobile device policy | A6.2.1 | A policy & supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | A6 | Organization of information security | A6.2 | Mobile devices & teleworking |
| 9 | Teleworking | A6.2.2 | A policy & supporting security measures shall be implemented to protect information accessed, processed or stored at te … sites. | A6 | Organization of information security | A6.2 | Mobile devices & teleworking |
| 10 | Screening | A7.1.1 | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, r … ethics & shall be proportional to the business requirements, the classification of the information to be accessed & the pe … | A7 | Human resource security | A7.1 | Prior to employment |
| 11 | Terms & conditions of employment | A7.1.2 | The contractual agreements with employees & contractors shall state their & the organization's responsibilities for inform … | A7 | Human resource security | A7.1 | Prior to employment |
| 12 | Management responsibilities | A7.2.1 | Management shall require all employees & contractors to apply information security in accordance with the established p … procedures of the organization. | A7 | Human resource security | A7.2 | During employment |
| 13 | Information security awareness, education and training | A7.2.2 | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education & train … updates in organizational policies & procedures, as relevant for their job function. | A7 | Human resource security | A7.2 | During employment |
| 14 | Disciplinary process | A7.2.3 | There shall be a formal & communicated disciplinary process in place to take action against employees who have commi … information security breach. | A7 | Human resource security | A7.2 | During employment |
| 15 | Termination or change of employment responsibilities | A7.3.1 | Information security responsibilities & duties that remain valid after termination or change of employment shall be define … communicated to the employee or contractor & enforced. | A7 | Human resource security | A7.3 | Termination & change of employment |
| 16 | Inventory of assets | A8.1.1 | Assets associated with information & information processing facilities shall be identified & an inventory of these assets s … up & maintained. | A8 | Asset management | A8.1 | Responsibility for assets |
| 17 | Ownership of assets | A8.1.2 | Assets maintained in the inventory shall be owned. | A8 | Asset management | A8.1 | Responsibility for assets |
| 18 | Acceptable use of assets | A8.1.3 | Rules for the acceptable use of information & of assets associated with information & information processing facilities sh … identified, documented & implemented. | A8 | Asset management | A8.1 | Responsibility for assets |
| 19 | Return of assets | A8.1.4 | All employees & external party users shall return all of the organizational assets in their possession upon termination of t … employment, contract or agreement. | A8 | Asset management | A8.1 | Responsibility for assets |
| 20 | Classification of information | A8.2.1 | Information shall be classified in terms of legal requirements, value, criticality & sensitivity to unauthorized disclosure or … | A8 | Asset management | A8.2 | Information classification |
| 21 | Labelling of information | A8.2.2 | An appropriate set of procedures for information labelling shall be developed & implemented in accordance with the info … classification scheme adopted by the organization. | A8 | Asset management | A8.2 | Information classification |
| 22 | Handling of assets | A8.2.3 | Procedures for handling assets shall be developed & implemented in accordance with the information classification schem … the organization. | A8 | Asset management | A8.2 | Information classification |
| 23 | Management of removable media | A8.3.1 | Procedures shall be implemented for the management of removable media in accordance with the classification scheme … organization. | A8 | Asset management | A8.3 | Media handling |
| 24 | Disposal of media | A8.3.2 | Media shall be disposed of securely when no longer required, using formal procedures. | A8 | Asset management | A8.3 | Media handling |
| 25 | Physical media transfer | A8.3.3 | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | A8 | Asset management | A8.3 | Media handling |
| 26 | Access control policy | A9.1.1 | An access control policy shall be established, documented & reviewed based on business & information security requirem … | A9 | Access control | A9.1 | Business requirements of access control |
| 27 | Access to networks & network services | A9.1.2 | Users shall only be provided with access to the network & network services that they have been specifically authorized t … | A9 | Access control | A9.1 | Business requirements of access control |
| 28 | User registration & de-registration | A9.2.1 | A formal user registration & de-registration process shall be implemented to enable assignment of access rights. | A9 | Access control | A9.2 | User access management |
| 29 | User access provisioning | A9.2.2 | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all … services. | A9 | Access control | A9.2 | User access management |
| 30 | Management of privileged access rights | A9.2.3 | The allocation & use of privileged access rights shall be restricted & controlled. | A9 | Access control | A9.2 | User access management |
| 31 | Management of secret authentication information of users | A9.2.4 | The allocation of secret authentication information shall be controlled through a formal management process. | A9 | Access control | A9.2 | User access management |
| 32 | Review of user access rights | A9.2.5 | Asset owners shall review users' access rights at regular intervals. | A9 | Access control | A9.2 | User access management |
| 33 | Removal or adjustment of access rights | A9.2.6 | The access rights of all employees & external party users to information & information processing facilities shall be remo … termination of their employment, contract or agreement, or adjusted upon change. | A9 | Access control | A9.2 | User access management |
| 34 | Use of secret authentication information | A9.3.1 | Users shall be required to follow the organization's practices in the use of secret authentication information. | A9 | Access control | A9.3 | User responsibilities |
| 35 | Information access restriction | A9.4.1 | Access to information & application system functions shall be restricted in accordance with the access control policy. | A9 | Access control | A9.4 | System & application access control |
| 36 | Secure log-on procedures | A9.4.2 | Where required by the access control policy, access to systems & applications shall be controlled by a secure log-on proc … | A9 | Access control | A9.4 | System & application access control |
| 37 | Password management system | A9.4.3 | Password management systems shall be interactive & shall ensure quality passwords. | A9 | Access control | A9.4 | System & application access control |
| 38 | Use of privileged utility programs | A9.4.4 | The use of utility programs that might be capable of overriding system & application controls shall be restricted & tightly … | A9 | Access control | A9.4 | System & application access control |
| 39 | Access control to program source code | A9.4.5 | Access to program source code shall be restricted. | A9 | Access control | A9.4 | System & application access control |
| 40 | Policy on the use of cryptographic controls | A10.1.1 | A policy on the use of cryptographic controls for protection of information shall be developed & implemented. | A10 | Cryptography | A10.1 | Cryptographic controls |
| 41 | Key management | A10.1.2 | A policy on the use, protection & lifetime of cryptographic keys shall be developed & implemented through their whole lif … | A10 | Cryptography | A10.1 | Cryptographic controls |
| 42 | Physical security perimeter | A11.1.1 | Security perimeters shall be defined & used to protect areas that contain either sensitive or critical information & informa … processing facilities. | A11 | Physical & environmental security | A11.1 | Secure areas |
| 43 | Physical entry controls | A11.1.2 | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed acces … | A11 | Physical & environmental security | A11.1 | Secure areas |
| 44 | Securing offices, rooms & facilities | A11.1.3 | Physical security for offices, rooms & facilities shall be designed & applied. | A11 | Physical & environmental security | A11.1 | Secure areas |
| 45 | Protecting against external & environmental threats | A11.1.4 | Physical protection against natural disasters, malicious attack or accidents shall be designed & applied. | A11 | Physical & environmental security | A11.1 | Secure areas |
| 46 | Working in secure areas | A11.1.5 | Procedures for working in secure areas shall be designed & applied. | A11 | Physical & environmental security | A11.1 | Secure areas |
| 47 | Delivery & loading areas | A11.1.6 | Access points such as delivery & loading areas & other points where unauthorized persons could enter the premises shal … and, if possible, isolated from information processing facilities to avoid unauthorized access. | A11 | Physical & environmental security | A11.1 | Secure areas |
| 48 | Equipment siting & protection | A11.2.1 | Equipment shall be sited & protected to reduce the risks from environmental threats & hazards, & opportunities for unau … access. | A11 | Physical & environmental security | A11.2 | Equipment |
| 49 | Supporting utilities | A11.2.2 | Equipment shall be protected from power failures & other disruptions caused by failures in supporting utilities. | A11 | Physical & environmental security | A11.2 | Equipment |
| 50 | Cabling security | A11.2.3 | Power & telecommunications cabling carrying data or supporting information services shall be protected from interceptio … or damage. | A11 | Physical & environmental security | A11.2 | Equipment |
| 51 | Equipment maintenance | A11.2.4 | Equipment shall be correctly maintained to ensure its continued availability & integrity. | A11 | Physical & environmental security | A11.2 | Equipment |
| 52 | Removal of assets | A11.2.5 | Equipment, information or software shall not be taken off-site without prior authorization. | A11 | Physical & environmental security | A11.2 | Equipment |
| 53 | Security of equipment & assets off-premises | A11.2.6 | Security shall be applied to off-site assets taking into account the different risks of working outside the organization's pre … | A11 | Physical & environmental security | A11.2 | Equipment |
| 54 | Secure disposal or reuse of equipment | A11.2.7 | All items of equipment containing storage media shall be verified to ensure that any sensitive data & licensed software h … removed or securely overwritten prior to disposal or re-use. | A11 | Physical & environmental security | A11.2 | Equipment |
| 55 | Unattended user equipment | A11.2.8 | Users shall ensure that unattended equipment has appropriate protection. | A11 | Physical & environmental security | A11.2 | Equipment |
| 56 | Clear desk & clear screen policy | A11.2.9 | A clear desk policy for papers & removable storage media & a clear screen policy for information processing facilities sha … | A11 | Physical & environmental security | A11.2 | Equipment |
| 57 | Documented operating procedures | A12.1.1 | Operating procedures shall be documented & made available to all users who need them. | A12 | Operations security | A12.1 | Operational procedures & responsibilities |
| 58 | Change management | A12.1.2 | Changes to the organization, business processes, information processing facilities & systems that affect information secu … controlled. | A12 | Operations security | A12.1 | Operational procedures & responsibilities |
| 59 | Capacity management | A12.1.3 | The use of resources shall be monitored, tuned & projections made of future capacity requirements to ensure the require … performance. | A12 | Operations security | A12.1 | Operational procedures & responsibilities |
| 60 | Separation of development, testing & operational environments | A12.1.4 | Development, testing, & operational environments shall be separated to reduce the risks of unauthorized access or chan … operational environment. | A12 | Operations security | A12.1 | Operational procedures & responsibilities |
| 61 | Controls against malware | A12.2.1 | Detection, prevention & recovery controls to protect against malware shall be implemented, combined with appropriate u … awareness. | A12 | Operations security | A12.2 | Protection from malware |
| 62 | Information backup | A12.3.1 | Backup copies of information, software & system images shall be taken & tested regularly in accordance with an agreed … | A12 | Operations security | A12.3 | Backup |
| 63 | Event logging | A12.4.1 | Event logs recording user activities, exceptions, faults & information security events shall be produced, kept & regularly r … | A12 | Operations security | A12.4 | Logging & monitoring |
| 64 | Protection of log information | A12.4.2 | Logging facilities & log information shall be protected against tampering & unauthorized access. | A12 | Operations security | A12.4 | Logging & monitoring |
| 65 | Administrator & operator logs | A12.4.3 | System administrator & system operator activities shall be logged & the logs protected & regularly reviewed. | A12 | Operations security | A12.4 | Logging & monitoring |
| 66 | Clock synchronisation | A12.4.4 | The clocks of all relevant information processing systems within an organization or security domain shall be synchronised … reference time source. | A12 | Operations security | A12.4 | Logging & monitoring |
| 67 | Installation of software on operational systems | A12.5.1 | Procedures shall be implemented to control the installation of software on operational systems. | A12 | Operations security | A12.5 | Control of operational software |
| 68 | Management of technical vulnerabilities | A12.6.1 | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the o … exposure to such vulnerabilities evaluated & appropriate measures taken to address the associated risk. | A12 | Operations security | A12.6 | Technical vulnerability management |
| 69 | Restrictions on software installation | A12.6.2 | Rules governing the installation of software by users shall be established & implemented. | A12 | Operations security | A12.6 | Technical vulnerability management |
| 70 | Information systems audit controls | A12.7.1 | Audit requirements & activities involving verification of operational systems shall be carefully planned & agreed to minim … to business processes. | A12 | Operations security | A12.7 | Information systems audit considerations |
| 71 | Network controls | A13.1.1 | Networks shall be managed & controlled to protect information in systems & applications. | A13 | Communications security | A13.1 | Network security management |
| 72 | Security of network services | A13.1.2 | Security mechanisms, service levels & management requirements of all network services shall be identified & included in … services agreements, whether these services are provided in-house or outsourced. | A13 | Communications security | A13.1 | Network security management |
| 73 | Segregation in networks | A13.1.3 | Groups of information services, users & information systems shall be segregated on networks. | A13 | Communications security | A13.1 | Network security management |
| 74 | Information transfer policies & procedures | A13.2.1 | Formal transfer policies, procedures & controls shall be in place to protect the transfer of information through the use of … communication facilities. | A13 | Communications security | A13.2 | Information transfer |
| 75 | Agreements on information transfer | A13.2.2 | Agreements shall address the secure transfer of business information between the organization & external parties. | A13 | Communications security | A13.2 | Information transfer |
| 76 | Electronic messaging | A13.2.3 | Information involved in electronic messaging shall be appropriately protected. | A13 | Communications security | A13.2 | Information transfer |
| 77 | Confidentiality or non-disclosure agreements | A13.2.4 | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of in … be identified, regularly reviewed & documented. | A13 | Communications security | A13.2 | Information transfer |
| 78 | Information security requirements analysis & specification | A14.1.1 | The information security related requirements shall be included in the requirements for new information systems or enha … existing information systems. | A14 | System acquisition, development & maintenance | A14.1 | Security requirements of information systems |
| 79 | Securing application services on public networks | A14.1.2 | Information involved in application services passing over public networks shall be protected from fraudulent activity, con … and unauthorized disclosure & modification. | A14 | System acquisition, development & maintenance | A14.1 | Security requirements of information systems |
| 80 | Protecting application services transactions | A14.1.3 | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routin … unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | A14 | System acquisition, development & maintenance | A14.1 | Security requirements of information systems |
| 81 | Secure development policy | A14.2.1 | Rules for the development of software & systems shall be established and applied to developments within the organizati … | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 82 | System change control procedures | A14.2.2 | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 83 | Technical review of applications after operating platform changes | A14.2.3 | When operating platforms are changed, business critical applications shall be reviewed & tested to ensure there is no ad … on organizational operations or security. | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 84 | Restrictions on changes to software packages | A14.2.4 | Modifications to software packages shall be discouraged, limited to necessary changes & all changes shall be strictly con … | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 85 | Secure system engineering principles | A14.2.5 | Principles for engineering secure systems shall be established, documented, maintained & applied to any information sys … implementation efforts. | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 86 | Secure development environment | A14.2.6 | Organizations shall establish & appropriately protect secure development environments for system development & integ … that cover the entire system development lifecycle. | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 87 | Outsourced development | A14.2.7 | The organization shall supervise & monitor the activity of outsourced system development. | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 88 | System security testing | A14.2.8 | Testing of security functionality shall be carried out during development. | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 89 | System acceptance testing | A14.2.9 | Acceptance testing programs & related criteria shall be established for new information systems, upgrades & new versio … | A14 | System acquisition, development & maintenance | A14.2 | Security in development & support processes |
| 90 | Protection of test data | A14.3.1 | Test data shall be selected carefully, protected & controlled. | A14 | System acquisition, development & maintenance | A14.3 | Test data |
| 91 | Information security policy for supplier relationships | A15.1.1 | Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets s … with the supplier & documented. | A15 | Supplier relationships | A15.1 | Information security in supplier relationships |
| 92 | Addressing security within supplier agreements | A15.1.2 | All relevant information security requirements shall be established & agreed with each supplier that may access, process … communicate, or provide IT infrastructure components for, the organization's information. | A15 | Supplier relationships | A15.1 | Information security in supplier relationships |
| 93 | Information & communication technology supply chain | A15.1.3 | Agreements with suppliers shall include requirements to address the information security risks associated with informatio … communications technology services & product supply chain. | A15 | Supplier relationships | A15.1 | Information security in supplier relationships |
| 94 | Monitoring & review of supplier services | A15.2.1 | Organizations shall regularly monitor, review & audit supplier service delivery. | A15 | Supplier relationships | A15.2 | Supplier service delivery management |
| 95 | Managing changes to supplier services | A15.2.2 | Changes to the provision of services by suppliers, including maintaining & improving existing information security policie … & controls, shall be managed, taking account of the criticality of business information, systems & processes involved & re … of risks. | A15 | Supplier relationships | A15.2 | Supplier service delivery management |
| 96 | Responsibilities & procedures | A16.1.1 | Management responsibilities & procedures shall be established to ensure a quick, effective & orderly response to informa … incidents. | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 97 | Reporting information security events | A16.1.2 | Information security events shall be reported through appropriate management channels as quickly as possible. | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 98 | Reporting information security weaknesses | A16.1.3 | Employees & contractors using the organization's information systems & services shall be required to note & report any … suspected information security weaknesses in systems or services. | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 99 | Assessment of & decision on information security events | A16.1.4 | Information security events shall be assessed & it shall be decided if they are to be classified as information security inci … | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 100 | Response to information security incidents | A16.1.5 | Information security incidents shall be responded to in accordance with the documented procedures. | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 101 | Learning from information security incidents | A16.1.6 | Knowledge gained from analysing & resolving information security incidents shall be used to reduce the likelihood or imp … incidents. | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 102 | Collection of evidence | A16.1.7 | The organization shall define & apply procedures for the identification, collection, acquisition & preservation of informatio … serve as evidence. | A16 | Information security incident management | A16.1 | Management of information security incidents & improvements |
| 103 | Planning information security continuity | A17.1.1 | The organization shall determine its requirements for information security & the continuity of information security manag … adverse situations, e.g. during a crisis or disaster. | A17 | Information security aspects of business continuity management | A17.1 | Information security continuity |
| 104 | Implementing information security continuity | A17.1.2 | The organization shall establish, document, implement & maintain processes, procedures & controls to ensure the requir … continuity for information security during an adverse situation. | A17 | Information security aspects of business continuity management | A17.1 | Information security continuity |
| 105 | Verify, review & evaluate information security continuity | A17.1.3 | The organization shall verify the established & implemented information security continuity controls at regular intervals i … ensure that they are valid & effective during adverse situations. | A17 | Information security aspects of business continuity management | A17.1 | Information security continuity |
| 106 | Availability of information processing facilities | A17.2.1 | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | A17 | Information security aspects of business continuity management | A17.2 | Redundancies |
| 107 | Identification of applicable legislation & contractual requirements | A18.1.1 | All relevant legislative, statutory, regulatory & contractual requirements and the organization's approach to meet these re … shall be explicitly identified, documented & kept up to date for each information system & the organization. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 108 | Intellectual property rights | A18.1.2 | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory & contractual requiremen … intellectual property rights & use of proprietary software products. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 109 | Protection of records | A18.1.3 | Records shall be protected from loss, destruction, falsification, unauthorized access & unauthorized release, in accordanc … legislative, regulatory, contractual & business requirements. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 110 | Privacy & protection of personally identifiable information | A18.1.4 | Privacy & protection of personally identifiable information shall be ensured as required in relevant legislation & regulation … applicable. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 111 | Regulation of cryptographic controls | A18.1.5 | Cryptographic controls shall be used in compliance with all relevant agreements, legislation & regulations. | A18 | Compliance | A18.1 | Compliance with legal & contractual requirements |
| 112 | Independent review of information security | A18.2.1 | The organization's approach to managing information security & its implementation (i.e. control objectives, controls, poli … and procedures for information security) shall be reviewed independently at planned intervals or when significant change … | A18 | Compliance | A18.2 | Information security reviews |
| 113 | Compliance with security policies & standards | A18.2.2 | Managers shall regularly review the compliance of information processing & procedures within their area of responsibility … appropriate security policies, standards & any other security requirements. | A18 | Compliance | A18.2 | Information security reviews |
| 114 | Technical compliance review | A18.2.3 | Information systems shall be regularly reviewed for compliance with the organization's information security policies & sta … | A18 | Compliance | A18.2 | Information security reviews |

Compliance

A18.1

Compliance with legal & contractual


requirements Objective

A18

Compliance

A18.1

Compliance with legal & contractual


requirements Objective

A18

Compliance

A18.2

Information security reviews


Objective

A18

Compliance

A18.2

Information security reviews


Objective

A18

Compliance

A18.2

Information security reviews


Objective
