ISO 27001

ISO/IEC 27001 is an international standard for information security management. It provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving an information security management system (ISMS). This standard ensures the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to stakeholders that risks are adequately managed (IT Governance; High Table).

Controls:

The Information Security Policies category (A.5) within the ISO 27001 framework focuses on the establishment, implementation, and maintenance of comprehensive policies that govern information security within an organization. These policies serve as a foundation for the overall information security management system and provide a framework for defining expectations, responsibilities, and guidelines related to information security. The category encompasses various aspects of policy development and management, including policy objectives, scope, review, and communication. By defining and adhering to well-defined information security policies, organizations can promote a culture of security, ensure compliance with legal and regulatory requirements, and effectively manage information security risks.

  • Policies for Information Security (5.1.1)

    In this section, we delve into the importance of information security policies and their role in setting clear expectations, responsibilities, and guidelines for information security within the organization. We explore how policies help in ensuring consistent and effective implementation of security measures across all areas of the organization.

  • Review of the Policies for Information Security (5.1.2)

    In this section, we delve into the purpose and benefits of policy reviews, which include identifying policy gaps, assessing policy performance, and driving continuous improvement within the ISMS.

The Organization of Information Security category (A.6) within the ISO 27001 framework focuses on establishing and maintaining an effective structure for managing information security within an organization. This category includes aspects such as defining information security roles and responsibilities, establishing a management framework, and implementing information security coordination and oversight mechanisms. By organizing information security effectively, organizations can ensure clear accountability, streamline decision-making processes, and foster a culture of security throughout the organization.

  • Information Security Roles and Responsibilities (6.1.1)

    In this section, we explore the significance of defining information security roles and responsibilities and how it helps establish accountability and promote a culture of security throughout the organization. We discuss the importance of aligning roles and responsibilities with the organization's context and the requirements of the ISO 27001 framework.

  • Segregation of Duties (6.1.2)

    The segregation of duties is a critical subcontrol within the ISO 27001 framework. It ensures that different tasks and responsibilities are appropriately divided among individuals within the organization. By implementing segregation of duties, organizations can reduce the risk of unauthorized activities and fraudulent behavior, thereby enhancing the overall security of their information assets.

  • Contact with Authorities (6.1.3)

    Contact with Authorities is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures and guidelines for communicating and cooperating with relevant authorities regarding information security incidents or legal requirements. This subcontrol ensures that there is a clear process in place to report incidents, seek guidance, and cooperate with authorities when necessary.

  • Contact with Special Interest Groups (6.1.4)

    Contact with Special Interest Groups is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to establish relationships and communication channels with relevant special interest groups or industry-specific organizations. This subcontrol enables organizations to stay informed about emerging threats, share best practices, and collaborate on information security initiatives.

  • Information Security in Project Management (6.1.5)

    Information Security in Project Management is a subcontrol within the ISO 27001 framework that emphasizes the integration of information security requirements and considerations into project management processes. This subcontrol ensures that information security is considered throughout the project lifecycle, from initiation to closure.

  • Mobile Device Policy (6.2.1)

    The Mobile Device Policy is a subcontrol within the ISO 27001 framework that focuses on establishing policies and guidelines for the secure use of mobile devices within the organization. This subcontrol ensures that the risks associated with mobile devices, such as data loss or unauthorized access, are effectively managed through defined policies and controls.

  • Teleworking (6.2.2)

    The Teleworking subcontrol recognizes the growing trend of remote work and the need to establish controls to mitigate the associated security risks. By implementing secure teleworking practices, organizations can enable employees to work remotely while maintaining the confidentiality, integrity, and availability of sensitive information.

The HR Security category (A.7) addresses the importance of managing information security in relation to human resources. It covers aspects such as security roles and responsibilities, employment agreements, training and awareness, and disciplinary process related to information security. By implementing appropriate HR security measures, organizations can ensure that employees are aware of their responsibilities, possess the necessary skills and knowledge, and adhere to security policies and procedures, thus minimizing the risk of insider threats and human error.

  • Screening (7.1.1)

    Screening is a subcontrol within the ISO 27001 framework that emphasizes the importance of conducting appropriate background checks and screening processes for individuals before granting them access to sensitive information or critical roles within the organization. This subcontrol helps mitigate the risk of insider threats and unauthorized access to information.

  • Terms and Conditions of Employment (7.1.2)

    Terms and Conditions of Employment is a subcontrol within the ISO 27001 framework that emphasizes the need to define and communicate clear information security expectations, responsibilities, and obligations to employees through employment contracts or agreements. This subcontrol helps ensure that employees understand their information security responsibilities and obligations as part of their employment.

  • Management Responsibilities (7.2.1)

    Management Responsibilities is a subcontrol within the ISO 27001 framework that highlights the importance of management's active involvement and commitment to information security. This subcontrol ensures that management takes responsibility for defining, implementing, and maintaining the information security management system (ISMS) within the organization.

  • Information Security Awareness, Education and Training (7.2.2)

    Information Security Awareness, Education, and Training is a subcontrol within the ISO 27001 framework that emphasizes the importance of promoting information security awareness, providing education, and conducting training programs for employees. This subcontrol ensures that employees have the necessary knowledge and skills to fulfill their information security responsibilities effectively.

  • Disciplinary Process (7.2.3)

    Disciplinary Process is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish a disciplinary process for handling non-compliance with information security policies and procedures.

  • Termination or Change of Employment Responsibilities (7.3.1)

    Termination or Change of Employment Responsibilities is a subcontrol within the ISO 27001 framework that addresses the need for organizations to have processes in place to manage the termination of employment or changes in responsibilities that may impact information security. This subcontrol ensures that the organization can appropriately revoke access rights, collect assets, and address security concerns when employees leave or change roles.

The Asset Management category (A.8) focuses on the identification, classification, and management of information assets within an organization. It involves understanding the value of information assets, assessing risks, and implementing appropriate controls for their protection. This category also covers aspects such as asset ownership, handling, and disposal. By effectively managing information assets, organizations can ensure the confidentiality, integrity, and availability of critical information and minimize the risk of unauthorized access or loss.

  • Inventory of Assets (8.1.1)

    Inventory of Assets is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to maintain an accurate inventory of information assets. This subcontrol ensures that organizations have visibility and control over their assets, facilitating effective asset management and security.

  • Ownership of Assets (8.1.2)

    Ownership of Assets is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to clearly assign ownership responsibilities for information assets. This subcontrol ensures that individuals or teams are accountable for the proper use, protection, and management of assets throughout their lifecycle.

  • Acceptable Use of Assets (8.1.3)

    Acceptable Use of Assets is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to define and communicate clear guidelines and policies for the appropriate use of information assets. This subcontrol ensures that employees understand their responsibilities and obligations when using organizational assets.

  • Return of Assets (8.1.4)

    Return of Assets is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the return of information assets when they are no longer required or when employees leave the organization. This subcontrol ensures that assets are properly collected, secured, and accounted for, minimizing the risk of unauthorized access or loss.

  • Classification of Information (8.2.1)

    Classification of Information is a subcontrol within the ISO 27001 framework that emphasizes the importance of classifying information assets based on their level of sensitivity, criticality, and confidentiality. This subcontrol ensures that organizations have a structured approach to identifying and labeling information assets, allowing for appropriate protection and access controls.

  • Labelling of Information (8.2.2)

    Labelling of Information is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to appropriately label information assets to indicate their classification, handling requirements, and access controls. This subcontrol ensures that employees can easily identify and handle information based on its sensitivity and confidentiality.

  • Handling of Assets (8.2.3)

    Handling of Assets is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to establish procedures for the secure handling, storage, transportation, and disposal of information assets. This subcontrol ensures that assets are protected throughout their lifecycle, minimizing the risk of unauthorized access, loss, or damage.

  • Management of Removable Media (8.3.1)

    Management of Removable Media is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish policies and procedures for the secure management and use of removable media, such as USB drives, external hard drives, DVDs, or CDs. This subcontrol ensures that the risks associated with removable media are identified, assessed, and mitigated effectively.

  • Disposal of Media (8.3.2)

    Disposal of Media is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure disposal or decommissioning of media that contains sensitive information. This subcontrol ensures that media is properly sanitized or destroyed to prevent unauthorized access to confidential data.

  • Physical Media Transfer (8.3.3)

    Physical Media Transfer is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure transfer of physical media containing sensitive information. This subcontrol ensures that media is protected during transit to prevent loss, theft, or unauthorized access.

The Access Control category (A.9) addresses the need to control access to information systems and resources within an organization. It involves implementing appropriate authentication, authorization, and accountability mechanisms to ensure that only authorized individuals have access to information and resources based on their roles and responsibilities. This category also covers aspects such as user management, access control policies, and secure user authentication. By implementing robust access controls, organizations can protect sensitive information, prevent unauthorized access, and enforce least privilege principles.

  • Access Control Policy (9.1.1)

    Access Control Policy is a subcontrol within the ISO 27001 framework that emphasizes the need for organizations to establish and enforce policies for controlling access to information assets. This subcontrol ensures that access to information is granted only to authorized individuals based on defined roles, responsibilities, and business needs.

  • Access to Networks and Network Services (9.1.2)

    Access to Networks and Network Services is a subcontrol within the ISO 27001 framework that addresses the need for organizations to control and manage access to their networks and network services. This subcontrol ensures that only authorized individuals can access and use network resources, reducing the risk of unauthorized access or malicious activities.

  • User Registration and De-registration (9.2.1)

    User Registration and De-registration is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the registration and de-registration of user accounts and access privileges. This subcontrol ensures that user accounts are created, managed, and revoked in a controlled and secure manner, minimizing the risk of unauthorized access or misuse.

  • User Access Provisioning (9.2.2)

    User Access Provisioning is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the provision of access privileges to authorized users. This subcontrol ensures that users are granted appropriate access privileges based on their roles, responsibilities, and business needs, while minimizing the risk of unauthorized access or privilege abuse.

  • Management of Privileged Access Rights (9.2.3)

    Management of Privileged Access Rights is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the management and control of privileged access rights within their information systems. This subcontrol ensures that privileged access rights are granted, monitored, and revoked in a controlled and secure manner to prevent unauthorized access or misuse.

  • Management of Secret Authentication Information of Users (9.2.4)

    Management of Secret Authentication Information of Users is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the management and protection of secret authentication information, such as passwords or encryption keys, used by users to access information systems. This subcontrol ensures that secret authentication information is managed securely to prevent unauthorized access or disclosure.

  • Review of User Access Rights (9.2.5)

    Review of User Access Rights is a subcontrol within the ISO 27001 framework that addresses the need for organizations to conduct periodic reviews of user access rights to information systems. This subcontrol ensures that access privileges are regularly reviewed and verified to align with changing business needs, personnel changes, and compliance requirements.

  • Removal or Adjustment of Access Rights (9.2.6)

    Removal or Adjustment of Access Rights is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the prompt removal or adjustment of access rights when no longer required or when changes in roles, responsibilities, or business needs occur. This subcontrol ensures that access privileges are revoked or modified in a timely manner, reducing the risk of unauthorized access or misuse.
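The two subcontrols above (Review of User Access Rights, 9.2.5, and Removal or Adjustment of Access Rights, 9.2.6) both come down to one reconciliation: compare what people actually hold against what their current HR record entitles them to. The following Python script is an added example and is not part of the original page or of any ISO material; the roster, grants and role-to-entitlement table are constructed and hypothetical, and a real review would pull them from the HR system and from each application's access export.

```python
"""Periodic access-rights review: reconcile granted access against the HR roster.

Added example (not from the page). Roster, grants and entitlement table are
constructed sample data; in practice they come from HR and system exports.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str  # "active" or "left"


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str


# Which (system, entitlement) pairs each job role may hold (hypothetical).
ROLE_ENTITLEMENTS = {
    "engineer": {("git", "developer"), ("ci", "runner")},
    "finance": {("erp", "ap-clerk")},
    "admin": {("git", "admin"), ("ci", "admin"), ("erp", "admin")},
}

# Constructed HR roster.
ROSTER = [
    Person("alice", "engineer", "active"),
    Person("bob", "finance", "active"),
    Person("carol", "engineer", "left"),
    Person("dave", "admin", "active"),
]

# Constructed access export gathered from the applications.
GRANTS = [
    Grant("alice", "git", "developer"),
    Grant("alice", "erp", "ap-clerk"),   # stale: alice moved from finance to engineering
    Grant("bob", "erp", "ap-clerk"),
    Grant("carol", "git", "developer"),  # leaver whose access was never revoked
    Grant("dave", "git", "admin"),
    Grant("erin", "ci", "runner"),       # account with no HR record at all
]


def review_access(roster, grants, role_entitlements):
    """Return (finding_kind, grant) pairs for every grant that needs action.

    remove  - the holder has left the organization (9.2.6: revoke)
    adjust  - the holder is active but the role no longer entitles the grant (9.2.6: modify)
    orphan  - no HR record exists for the account (investigate, then revoke)
    """
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        person = people.get(g.user)
        if person is None:
            findings.append(("orphan", g))
        elif person.status != "active":
            findings.append(("remove", g))
        elif (g.system, g.entitlement) not in role_entitlements.get(person.role, set()):
            findings.append(("adjust", g))
    return findings


def summarize(findings):
    """Count findings by kind, for the review record."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, grant in review_access(ROSTER, GRANTS, ROLE_ENTITLEMENTS):
        print(f"{kind:7s} {grant.user:6s} {grant.system}/{grant.entitlement}")
    print(summarize(review_access(ROSTER, GRANTS, ROLE_ENTITLEMENTS)))
```

The review deliberately treats "no HR record" as a distinct finding rather than silently revoking: service accounts and contractors often live outside the HR roster, and the reviewer needs to decide whether each orphan is legitimate and who owns it. Keeping the findings list as the artifact of the review (with who approved each action) is what an auditor will ask for under 9.2.5.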

  • Use of Secret Authentication Information (9.3.1)

    Use of Secret Authentication Information is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure and appropriate use of secret authentication information, such as passwords or encryption keys, by users to access information systems. This subcontrol ensures that secret authentication information is used responsibly and in accordance with defined policies and security measures.

  • Information Access Restriction (9.4.1)

    Information Access Restriction is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to restrict access to information based on the defined roles, responsibilities, and business needs of individuals. This subcontrol ensures that only authorized individuals can access and retrieve specific information, reducing the risk of unauthorized disclosure or misuse.

  • Secure Log-on Procedures (9.4.2)

    Secure Log-on Procedures is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish secure procedures for user log-on to information systems. This subcontrol ensures that user log-on processes are protected against unauthorized access, credential theft, or compromise.

  • Password Management System (9.4.3)

    Password Management System is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement a system or tool for the secure management of passwords used within their information systems. This subcontrol ensures that passwords are stored, transmitted, and utilized securely to protect against unauthorized access or compromise.
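The stored-securely requirement of 9.4.3 is, at the storage layer, a question of how a verifier keeps passwords so that a copy of the database does not hand an attacker the passwords themselves. The following Python snippet is an added example, not code from the page or from any ISO publication; it uses the standard library's scrypt and a per-password random salt, and the cost parameters are constructed defaults that would be tuned to the hardware in a real deployment.

```python
"""Password storage for a password management system: salted scrypt, constant-time verify.

Added example (not from the page). Cost parameters are constructed defaults.
"""
import hashlib
import hmac
import os

# Memory-hard KDF parameters (hypothetical defaults; tune to the verifier host).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme, parameters, random salt, derived key.

    The salt is fresh per password, so two users with the same password get
    different records and a precomputed table cannot be reused across accounts.
    """
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the record and compare in constant time.

    Malformed records verify as False rather than raising, so a corrupted row
    cannot turn into an unhandled exception on the login path.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    if len(expected) < 16 or len(salt) < 8:
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Storing the parameters inside the record is what lets the system raise the work factor later: new passwords get the new cost, old records keep verifying with theirs, and a rehash on successful login migrates them. The constant-time comparison matters because the verifier is often reachable over the network, where a byte-by-byte early exit would leak how much of the digest matched.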

  • Use of Privileged Utility Programs (9.4.4)

    Use of Privileged Utility Programs is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure and controlled use of privileged utility programs within their information systems. This subcontrol ensures that the use of privileged utility programs is regulated and monitored to prevent unauthorized or malicious activities.

  • Access Control to Program Source Code (9.4.5)

    Access Control to Program Source Code is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls and procedures to protect the confidentiality and integrity of program source code. This subcontrol ensures that access to program source code is restricted to authorized individuals and that changes to the code are controlled and documented.

The Cryptography category (A.10) focuses on the use of cryptographic controls to protect the confidentiality, integrity, and authenticity of information within an organization. It covers aspects such as encryption, key management, digital signatures, and cryptographic algorithms. By employing strong cryptographic measures, organizations can safeguard sensitive information and ensure secure communication and data storage.

  • Policy on the Use of Cryptographic Controls (10.1.1)

    Policy on the Use of Cryptographic Controls is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish a policy governing the use of cryptographic controls to protect the confidentiality, integrity, and availability of information. This subcontrol ensures that cryptographic controls are used appropriately, consistently, and in accordance with organizational requirements and best practices.

  • Key Management (10.1.2)

    Key Management is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure generation, distribution, storage, and destruction of cryptographic keys. This subcontrol ensures that cryptographic keys are properly managed throughout their lifecycle to maintain the confidentiality and integrity of encrypted information.

The Physical and Environmental Security category (A.11) emphasizes the need to protect physical assets and ensure the security of the organization's facilities. It covers aspects such as physical access controls, equipment security, secure disposal of assets, and protection against environmental threats. By implementing physical security measures, organizations can mitigate the risk of unauthorized physical access, theft, damage, or loss of assets.

  • Physical Security Perimeter (11.1.1)

    Physical Security Perimeter is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish a physical security perimeter to protect their facilities, assets, and information systems from unauthorized access, tampering, or theft. This subcontrol ensures that physical security measures are in place to prevent physical breaches and mitigate the risks associated with unauthorized physical access.

  • Physical Entry Controls (11.1.2)

    Physical Entry Controls is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls and measures to regulate physical entry into their facilities. This subcontrol ensures that only authorized individuals can access designated areas within the facilities, reducing the risk of unauthorized access, theft, or tampering.

  • Securing Offices, Rooms and Facilities (11.1.3)

    Securing Offices, Rooms, and Facilities is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to secure their offices, rooms, and other facilities where information is processed, stored, or accessed. This subcontrol ensures that physical security measures are in place to protect the confidentiality, integrity, and availability of sensitive information and resources.

  • Protecting Against External and Environmental Threats (11.1.4)

    Protecting Against External and Environmental Threats is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to protect their facilities, assets, and information systems from external threats and environmental risks. This subcontrol ensures that appropriate safeguards are in place to mitigate the impact of potential incidents or disasters.

  • Working in Secure Areas (11.1.5)

    Working in Secure Areas is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to ensure the security and confidentiality of information when working in designated secure areas. This subcontrol ensures that individuals adhere to security protocols and guidelines while handling sensitive information within secure areas.

  • Delivery and Loading Areas (11.1.6)

    Delivery and Loading Areas is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to secure delivery and loading areas where goods, equipment, or assets are received or dispatched. This subcontrol ensures that appropriate security measures are in place to prevent unauthorized access, theft, or tampering during the transportation and handling of items.

  • Equipment Siting and Protection (11.2.1)

    Equipment Siting and Protection is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to ensure the appropriate siting and protection of equipment that processes, stores, or transmits information. This subcontrol ensures that equipment is located in secure and controlled environments to prevent unauthorized access, damage, or disruption.

  • Supporting Utilities (11.2.2)

    Supporting Utilities is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to secure and protect supporting utilities that are essential for the operation of information systems. This subcontrol ensures the availability, integrity, and reliability of utilities such as power, cooling, and environmental controls.

  • Cabling Security (11.2.3)

    Cabling Security is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to protect the integrity, confidentiality, and availability of cabling infrastructure used for data transmission. This subcontrol ensures that cabling is securely installed, managed, and protected against unauthorized access, tampering, or interference.

  • Equipment Maintenance (11.2.4)

    Equipment Maintenance is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the regular maintenance and inspection of information technology equipment. This subcontrol ensures that equipment remains in optimal condition, minimizing the risk of malfunctions, failures, or security vulnerabilities.

  • Removal of Assets (11.2.5)

    Removal of Assets is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure removal and disposal of assets that are no longer in use or have reached their end-of-life. This subcontrol ensures that assets are properly decommissioned and that sensitive information stored on them is securely erased or destroyed.

  • Security of Equipment and Assets Off-premises (11.2.6)

    Security of Equipment and Assets Off-premises is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to secure equipment and assets that are located off-premises or outside of the organization's physical facilities. This subcontrol ensures that appropriate safeguards are in place to protect equipment and assets from loss, theft, or unauthorized access.

  • Secure Disposal or Re-use of Equipment (11.2.7)

    Secure Disposal or Re-use of Equipment is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for the secure disposal or re-use of equipment that has reached its end-of-life or is no longer in use. This subcontrol ensures that equipment is disposed of properly to prevent unauthorized access, data breaches, or the misuse of decommissioned assets.

  • Unattended User Equipment (11.2.8)

    Unattended User Equipment is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to secure user equipment when it is left unattended. This subcontrol ensures that user equipment, such as laptops or mobile devices, is protected from unauthorized access or misuse in situations where users are temporarily away from their devices.

  • Clear Desk and Clear Screen Policy (11.2.9)

    Clear Desk and Clear Screen Policy is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to ensure that sensitive information is properly secured and protected when not in use. This subcontrol aims to prevent unauthorized access or disclosure of information by enforcing policies that require employees to clear their desks and screens of sensitive information when they are unattended.

The Operations Security category (A.12) focuses on ensuring the secure and efficient operation of information systems and resources within an organization. It covers aspects such as operational procedures, change management, system planning and acceptance, and protection against malware. By implementing effective operations security measures, organizations can minimize the risk of disruptions, unauthorized modifications, or misuse of information systems.

  • Documented Operating Procedures (12.1.1)

    Documented Operating Procedures is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish and maintain documented procedures for the operation and maintenance of information systems. This subcontrol ensures that clear and comprehensive procedures are in place to guide personnel in the correct and consistent execution of operational tasks.

  • Change Management (12.1.2)

    Change Management is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish a formalized process for managing changes to information systems. This subcontrol ensures that changes to systems, networks, or applications are planned, reviewed, tested, and approved before implementation, reducing the risk of disruptions, vulnerabilities, or unauthorized modifications.

  • Capacity Management (12.1.3)

    Capacity Management is a subcontrol within the ISO 27001 framework that addresses the need for organizations to monitor and manage the capacity of information systems to ensure that they can meet the current and future demands of the business. This subcontrol ensures that resources are appropriately allocated, optimized, and scaled to support the organization's operational requirements and objectives.

  • Separation of Development, Testing and Operational Environments (12.1.4)

    Separation of Development, Testing, and Operational Environments is a subcontrol within the ISO 27001 framework that addresses the need for organizations to separate environments used for development, testing, and production purposes. This subcontrol ensures that activities performed in one environment do not impact or compromise the integrity, availability, or security of other environments.

  • Controls Against Malware (12.2.1)

    Controls Against Malware is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to protect information systems against malware, such as viruses, worms, trojans, or ransomware. This subcontrol ensures that effective controls are in place to detect, prevent, and respond to malware incidents, minimizing the risk of data loss, system disruptions, or unauthorized access.

  • Information Backup (12.3.1)

    Information Backup is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement backup processes and procedures to ensure the availability and recoverability of critical information. This subcontrol ensures that appropriate backups are performed, tested, and stored in a secure and reliable manner to protect against data loss, system failures, or disasters.

  • Event Logging (12.4.1)

    Event Logging is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement logging mechanisms to capture and retain relevant security events and information. This subcontrol ensures that event logs are generated, stored, and reviewed to facilitate the detection, analysis, and investigation of security incidents or breaches.

  • Protection of Log Information (12.4.2)

    Protection of Log Information is a subcontrol within the ISO 27001 framework that addresses the need for organizations to protect the confidentiality, integrity, and availability of log information. This subcontrol ensures that logs are protected against unauthorized access, tampering, or loss, maintaining their integrity and usefulness for security monitoring, incident response, or compliance purposes.

  • Administrator and Operator Logs (12.4.3)

    Administrator and Operator Logs is a subcontrol within the ISO 27001 framework that addresses the need for organizations to capture and retain logs of administrative and operational activities performed on information systems. This subcontrol ensures that logs of administrative actions, system configurations, and privileged activities are generated and reviewed to detect any unauthorized or suspicious activities.

  • Clock Synchronization (12.4.4)

    Clock Synchronization is a subcontrol within the ISO 27001 framework that addresses the need for organizations to synchronize the clocks of information systems to maintain accurate and consistent timestamps for events and log entries. This subcontrol ensures that accurate timestamp information is available for forensic analysis, incident investigation, and compliance purposes.

  • Installation of Software on Operational Systems (12.5.1)

    Installation of Software on Operational Systems is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish controls and procedures for the installation of software on operational systems. This subcontrol ensures that software installations are authorized, tested, and performed in a controlled manner to prevent unauthorized or malicious software from compromising the integrity or availability of operational systems.

  • Management of Technical Vulnerabilities (12.6.1)

    Management of Technical Vulnerabilities is a subcontrol within the ISO 27001 framework that addresses the need for organizations to manage technical vulnerabilities in their information systems. This subcontrol ensures that vulnerabilities are identified, assessed, and mitigated to reduce the risk of exploitation and unauthorized access to systems and data.

  • Restrictions on Software Installation (12.6.2)

    Restrictions on Software Installation is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls to restrict unauthorized or unapproved software installations. This subcontrol ensures that only authorized software is installed on information systems, minimizing the risk of introducing vulnerabilities, malware, or unauthorized functionalities.

  • Information Systems Audit Controls (12.7.1)

    Information Systems Audit Controls is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls to ensure the effectiveness and integrity of information systems audits. This subcontrol ensures that information systems audits are planned, conducted, and reviewed in a systematic and independent manner to assess the compliance, performance, and security of information systems.

The Communications Security category (A.13) addresses the secure exchange of information within an organization and with external parties. It covers aspects such as network security, information transfer, email security, and protection of data in transit. By implementing appropriate communications security controls, organizations can protect the confidentiality, integrity, and availability of information during transmission and minimize the risk of unauthorized interception or tampering.

  • Network Controls (13.1.1)

    Network Controls is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls to secure their network infrastructure. This subcontrol ensures that networks are designed, configured, and protected to prevent unauthorized access, maintain confidentiality, integrity, and availability of network services, and protect against network-based threats.

  • Security of Network Services (13.1.2)

    Security of Network Services is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls to secure their network services. This subcontrol ensures that network services, such as email, web servers, remote access, or file sharing, are configured, protected, and monitored to prevent unauthorized access, maintain confidentiality, integrity, and availability, and protect against network-based threats.

  • Segregation in Networks (13.1.3)

    Segregation in Networks is a subcontrol within the ISO 27001 framework that addresses the need for organizations to segregate their networks to prevent unauthorized access, minimize the impact of security incidents, and protect the confidentiality, integrity, and availability of sensitive information and critical systems.

  • Information Transfer Policies and Procedures (13.2.1)

    Information Transfer Policies and Procedures is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish policies and procedures for the secure transfer of information. This subcontrol ensures that information is transferred in a controlled, authorized, and secure manner, protecting its confidentiality, integrity, and availability during transit.

  • Agreements on Information Transfer (13.2.2)

    Agreements on Information Transfer is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish agreements or contracts with external parties regarding the secure transfer of information. This subcontrol ensures that appropriate agreements are in place to define the responsibilities, obligations, and security requirements for information transfers between organizations.

  • Electronic Messaging (13.2.3)

    Electronic Messaging is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls to secure electronic messaging systems and communications. This subcontrol ensures that electronic messages, such as emails or instant messages, are protected against unauthorized access, interception, tampering, or misuse.

  • Confidentiality or Non-disclosure Agreements (13.2.4)

    Confidentiality or Non-disclosure Agreements is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish agreements or contracts with individuals or entities to protect the confidentiality of sensitive information. This subcontrol ensures that appropriate agreements are in place to define the obligations, restrictions, and safeguards for maintaining the confidentiality of sensitive information.

The System Acquisition, Development, and Maintenance category (A.14) focuses on managing the acquisition, development, and maintenance of information systems within an organization. It covers aspects such as security requirements, system development life cycle, supplier relationships, and system change control. By incorporating security into the system development and maintenance processes, organizations can ensure that information systems are secure, reliable, and meet business requirements.

  • Information Security Requirements Analysis and Specification (14.1.1)

    Information Security Requirements Analysis and Specification is a subcontrol within the ISO 27001 framework that addresses the need for organizations to analyze and specify information security requirements for their systems, applications, or services. This subcontrol ensures that information security requirements are identified, documented, and incorporated into the design and development processes.

  • Securing Application Services on Public Networks (14.1.2)

    Securing Application Services on Public Networks is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement measures to secure their application services when accessed or provided over public networks. This subcontrol ensures that appropriate security controls are in place to protect application services from unauthorized access, data breaches, or disruptions.

  • Protecting Application Services Transactions (14.1.3)

    Protecting Application Services Transactions is a subcontrol within the ISO 27001 framework that addresses the need for organizations to protect the integrity, confidentiality, and authenticity of transactions processed by application services. This subcontrol ensures that appropriate security measures are in place to prevent unauthorized access, tampering, or disclosure of transactional data.

  • Secure Development Policy (14.2.1)

    Secure Development Policy is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish a policy governing secure development practices. This subcontrol ensures that organizations have documented guidelines and procedures in place to promote the development of secure software and applications.

  • System Change Control Procedures (14.2.2)

    System Change Control Procedures is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish procedures for managing changes to systems. This subcontrol ensures that changes to systems, including hardware, software, configurations, or network infrastructure, are implemented in a controlled and secure manner.

  • Technical Review of Applications After Operating Platform Changes (14.2.3)

    Technical Review of Applications After Operating Platform Changes is a subcontrol within the ISO 27001 framework that addresses the need for organizations to conduct technical reviews of applications following changes to operating platforms. This subcontrol ensures that changes to the underlying operating platforms are evaluated for potential impacts on the security and functionality of applications.

  • Restrictions on Changes to Software Packages (14.2.4)

    Restrictions on Changes to Software Packages is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls to restrict unauthorized changes to software packages. This subcontrol ensures that changes to software packages are properly authorized, tested, and documented to maintain the security and integrity of software systems.

  • Secure System Engineering Principles (14.2.5)

    Secure System Engineering Principles is a subcontrol within the ISO 27001 framework that addresses the need for organizations to apply secure engineering principles during the development and implementation of systems. This subcontrol ensures that systems are designed, built, and operated with security considerations to mitigate potential risks and vulnerabilities.

  • Secure Development Environment (14.2.6)

    Secure Development Environment is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish secure development environments for the design, coding, and testing of software or applications. This subcontrol ensures that development activities are conducted in a controlled and secure environment to protect sensitive information and prevent unauthorized access.

  • Outsourced Development (14.2.7)

    Outsourced Development is a subcontrol within the ISO 27001 framework that addresses the need for organizations to implement controls when outsourcing software development activities to external parties. This subcontrol ensures that the outsourced development process adheres to security requirements and safeguards the organization's information assets.

  • System Security Testing (14.2.8)

    System Security Testing is a subcontrol within the ISO 27001 framework that addresses the need for organizations to conduct comprehensive security testing of systems to identify and address vulnerabilities and weaknesses. This subcontrol ensures that systems are evaluated for security risks and that appropriate measures are implemented to mitigate those risks.

  • System Acceptance Testing (14.2.9)

    System Acceptance Testing is a subcontrol within the ISO 27001 framework that addresses the need for organizations to conduct acceptance testing of systems before they are deployed into production. This subcontrol ensures that systems meet specified requirements, functionality, and security criteria, and are ready for operational use.

  • Protection of Test Data (14.3.1)

    Protection of Test Data is a subcontrol within the ISO 27001 framework that addresses the need for organizations to protect sensitive or confidential test data used during software development or system testing activities. This subcontrol ensures that test data is handled and secured appropriately to prevent unauthorized access or disclosure.

The Supplier Relationships category (A.15) addresses the need to manage information security risks associated with suppliers and external parties. It covers aspects such as supplier selection, contractual agreements, and ongoing monitoring of supplier performance. By establishing effective supplier relationships and implementing appropriate controls, organizations can ensure that information security requirements are met throughout the supply chain and minimize the risk of security breaches or disruptions caused by suppliers.

  • Information Security Policy for Supplier Relationships (15.1.1)

    Information Security Policy for Supplier Relationships is a subcontrol within the ISO 27001 framework that addresses the need for organizations to establish information security policies and requirements for their relationships with external suppliers. This subcontrol ensures that suppliers adhere to the organization's information security standards and practices.

  • Addressing Security Within Supplier Agreements (15.1.2)

    Addressing Security Within Supplier Agreements is a subcontrol within the ISO 27001 framework that focuses on incorporating security requirements and considerations into contractual agreements with external suppliers. This subcontrol ensures that the organization's security expectations are clearly communicated and agreed upon with suppliers.

  • Information and Communication Technology Supply Chain (15.1.3)

    Information and Communication Technology (ICT) Supply Chain is a subcontrol within the ISO 27001 framework that addresses the need for organizations to manage the security risks associated with the acquisition, development, and maintenance of ICT products and services. This subcontrol ensures that the organization's ICT supply chain is secure and resilient against potential security threats.

  • Monitoring and Review of Supplier Services (15.2.1)

    Monitoring and Review of Supplier Services is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to monitor and review the services provided by their suppliers to ensure compliance with established security requirements. This subcontrol ensures that supplier services are continually assessed and meet the organization's security standards.

  • Managing Changes to Supplier Services (15.2.2)

    Managing Changes to Supplier Services is a subcontrol within the ISO 27001 framework that addresses the need for organizations to effectively manage changes to supplier services to ensure they align with security requirements and minimize potential risks. This subcontrol ensures that changes introduced by suppliers are assessed, controlled, and properly implemented.

The Information Security Incident Management category (A.16) focuses on establishing an effective framework for responding to and managing information security incidents. It covers aspects such as incident identification, reporting, response, and recovery. By implementing an incident management process, organizations can minimize the impact of security incidents, mitigate risks, and ensure timely and effective response and recovery.

  • Responsibilities and Procedures (16.1.1)

    Responsibilities and Procedures is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to define and assign information security responsibilities and establish procedures for their effective implementation. This subcontrol ensures that roles, responsibilities, and procedures are clearly defined and understood to support the organization's information security efforts.

  • Reporting Information Security Events (16.1.2)

    Reporting Information Security Events is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to establish processes for reporting and documenting information security events, incidents, or breaches. This subcontrol ensures that incidents are promptly reported and investigated, and that appropriate actions are taken to mitigate their impact.

  • Reporting Information Security Weaknesses (16.1.3)

    Reporting Information Security Weaknesses is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to establish processes for reporting and documenting identified information security weaknesses or vulnerabilities. This subcontrol ensures that weaknesses are promptly identified, reported, and addressed to mitigate potential risks.

  • Assessment of and Decision on Information Security Events (16.1.4)

    Assessment of and Decision on Information Security Events is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to assess and make informed decisions regarding information security events. This subcontrol ensures that information security events are promptly evaluated and classified, and that appropriate actions are taken based on the severity and impact of the events.

  • Response to Information Security Incidents (16.1.5)

    Response to Information Security Incidents is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to have effective incident response processes to address and manage information security incidents. This subcontrol ensures that incidents are promptly detected, reported, and responded to in a coordinated and systematic manner.

  • Learning From Information Security Incidents (16.1.6)

    Learning From Information Security Incidents is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to extract lessons and insights from information security incidents. This subcontrol ensures that incidents are analyzed and that the knowledge gained is used to improve security measures, prevent similar incidents, and enhance overall resilience.

  • Collection of Evidence (16.1.7)

    Post-incident analysis procedures: Document procedures for conducting thorough post-incident analyses, including techniques for root cause identification and lessons learned capture.
    Root cause analysis templates: Develop templates or formats for performing root cause analyses on information security incidents, ensuring consistent identification of underlying causes.
    Corrective action plans: Develop plans or templates for documenting corrective actions or improvement initiatives based on the insights gained from incident analyses.
    Lessons learned reports: Document reports that capture the lessons learned from incidents, highlighting the identified root causes, vulnerabilities, and recommended improvements.
    Knowledge sharing platforms: Establish platforms or mechanisms for sharing incident analysis insights and lessons learned with relevant stakeholders, promoting knowledge exchange and continuous improvement.

  • Planning Information Security Continuity (17.1.1)

    Planning Information Security Continuity is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to develop and maintain plans for ensuring the continuity of information security during disruptive events. This subcontrol ensures that adequate measures are in place to protect information assets and maintain critical security functions in the face of incidents or disasters.

  • Implementing Information Security Continuity (17.1.2)

    Implementing Information Security Continuity is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to implement measures and controls to ensure the continuity of information security during disruptive events. This subcontrol ensures that the necessary technical and organizational measures are in place to protect critical information assets, maintain security functions, and enable timely recovery.

  • Verify, Review and Evaluate Information Security Continuity (17.1.3)

    Verify, Review, and Evaluate Information Security Continuity is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to regularly assess and evaluate the effectiveness of their information security continuity measures. This subcontrol ensures that ongoing reviews and evaluations are conducted to identify areas for improvement, validate the functionality of implemented measures, and enhance the overall resilience of information security.

  • Availability of Information Processing Facilities (17.2.1)

    Availability of Information Processing Facilities is a subcontrol within the ISO 27001 framework that focuses on ensuring the availability of information processing facilities to support business operations and protect critical information assets. This subcontrol ensures that appropriate measures are in place to prevent or minimize disruptions and ensure the continuous availability of information processing facilities.

The Compliance category (A.18) addresses the need to establish and maintain compliance with legal, regulatory, and contractual requirements related to information security. It covers aspects such as legal and regulatory obligations, intellectual property rights, privacy requirements, and third-party agreements. By ensuring compliance with applicable laws and regulations, organizations can avoid legal consequences, protect their reputation, and maintain the trust of customers and stakeholders.

  • Identification of Applicable Legislation and Contractual Requirements (18.1.1)

    Identification of Applicable Legislation and Contractual Requirements is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to identify and assess the legal and contractual obligations related to information security. This subcontrol ensures that organizations are aware of and comply with relevant laws, regulations, and contractual requirements that pertain to the protection of information assets.

  • Intellectual Property Rights (18.1.2)

    Intellectual Property Rights is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to identify, protect, and respect intellectual property rights. This subcontrol ensures that organizations have appropriate measures in place to safeguard intellectual property assets and prevent unauthorized use, disclosure, or infringement.

  • Protection of Records (18.1.3)

    Protection of Records is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to establish controls to protect and manage records containing sensitive or valuable information. This subcontrol ensures that records are appropriately stored, accessed, protected, and retained in accordance with legal, regulatory, and business requirements.

  • Privacy and Protection of Personally Identifiable Information (18.1.4)

    Privacy and Protection of Personally Identifiable Information (PII) is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to establish measures to protect the privacy and security of personally identifiable information. This subcontrol ensures that appropriate controls are in place to protect the confidentiality, integrity, and availability of PII and to comply with privacy laws and regulations.

  • Regulation of Cryptographic Controls (18.1.5)

    Regulation of Cryptographic Controls is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to establish controls and procedures to regulate the use of cryptographic techniques. This subcontrol ensures that cryptographic controls are implemented appropriately, securely, and in compliance with applicable laws, regulations, and industry standards.

  • Independent Review of Information Security (18.2.1)

    Independent Review of Information Security is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to conduct independent reviews or assessments of their information security controls, processes, and practices. This subcontrol ensures that objective evaluations are performed to validate the effectiveness and compliance of information security measures.

  • Compliance with Security Policies and Standards (18.2.2)

    Compliance with Security Policies and Standards is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to establish processes and controls to ensure compliance with security policies, standards, and procedures. This subcontrol ensures that employees and stakeholders understand their responsibilities, adhere to established security requirements, and contribute to the overall effectiveness of information security.

  • Technical Compliance Review (18.2.3)

    Technical Compliance Review is a subcontrol within the ISO 27001 framework that focuses on the need for organizations to conduct technical reviews and assessments to ensure compliance with technical security controls. This subcontrol ensures that technical measures are effectively implemented, monitored, and reviewed to maintain compliance with security requirements and standards.