
ISO 27001:2022


ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Its number is often confused with those of neighbouring standards because they belong to the same series. ISO/IEC 27001:2022 is the latest version of the certifiable standard, superseding the 2013 version.

Controls:

Organizational Controls (A5)

  • Information Security Policies - A5.1

    Defines the organization's overall approach, objectives, and principles for managing information security. Policies guide consistent application of controls and ensure management commitment to information protection.

  • Information Security Roles and Responsibilities - A5.2

    Assigns specific information security tasks and accountability to roles within the organization to ensure clear governance and execution of the ISMS.

  • Segregation of Duties - A5.3

    Prevents conflict of interest or fraud by dividing responsibilities so that no single person has control over all aspects of a critical process.

  • Management Responsibilities - A5.4

    Ensures leadership demonstrates commitment to information security by promoting policy compliance, supporting resources, and fostering a culture of security awareness.

  • Contact With Government Authorities - A5.5

    Maintains communication channels with regulatory, legal, and law enforcement bodies for incident coordination, reporting, and compliance purposes.

  • Contact With Special Interest Groups - A5.6

    Establishes collaboration with industry associations, forums, and professional bodies to stay informed about emerging threats, vulnerabilities, and best practices.

  • Threat Intelligence - A5.7

    Gathers, analyzes, and applies relevant threat information to anticipate, detect, and mitigate potential security incidents.

  • Information Security in Project Management - A5.8

    Integrates information security controls and risk assessments throughout all project life cycles to ensure security is considered from inception to completion.

  • Inventory of Information and Other Associated Assets - A5.9

    Maintains an accurate inventory of information, systems, and related assets to enable effective risk management, ownership, and protection.

  • Acceptable Use of Information and Other Associated Assets - A5.10

    Defines acceptable behavior for the use of information and assets to prevent misuse, damage, or unauthorized disclosure.

  • Return of Assets - A5.11

    Requires employees, contractors, and third parties to return all organization-owned assets upon termination or completion of engagement.

  • Classification of Information - A5.12

    Categorizes information based on its value, sensitivity, and criticality to determine appropriate levels of protection.

  • Labelling of Information - A5.13

    Implements consistent labeling of classified information to ensure proper handling, storage, and distribution according to its sensitivity.

  • Information Transfer - A5.14

    Secures information in transit using appropriate encryption and transfer methods to protect confidentiality and integrity.

  • Access Control - A5.15

    Ensures that access to information and systems is granted based on business and security requirements, following the principle of least privilege.

  • Identity Management - A5.16

    Manages digital identities and ensures that users are uniquely identifiable and appropriately authorized before granting access.

  • Authentication Information - A5.17

    Protects authentication mechanisms such as passwords, tokens, and biometrics to prevent unauthorized system and data access.

  • Access Rights - A5.18

    Regularly reviews and adjusts user access rights based on role changes, job responsibilities, and termination.

  • Information Security in Supplier Relationships - A5.19

    Ensures suppliers and third parties apply information security measures consistent with organizational requirements.

  • Addressing Information Security Within Supplier Agreements - A5.20

    Includes information security clauses and controls in supplier contracts to safeguard shared or accessible information.

  • Managing Information Security in the ICT Supply Chain - A5.21

    Ensures that information security is maintained throughout the entire ICT supply chain, including hardware, software, and services.

  • Monitoring, Review and Change Management of Supplier Services - A5.22

    Regularly monitors supplier performance and manages changes to ensure continued compliance with security requirements.

  • Information Security for Use of Cloud Services - A5.23

    Ensures cloud service usage aligns with organizational security requirements through risk assessment, contractual controls, and monitoring.

  • Information Security Incident Management Planning and Preparation - A5.24

    Develops incident response plans and resources to effectively detect, report, and respond to security incidents.

  • Assessment and Decision on Information Security Events - A5.25

    Assesses and categorizes events to determine whether they constitute security incidents requiring further action.

  • Response to Information Security Incidents - A5.26

    Implements documented procedures to respond, contain, and recover from incidents effectively and minimize impact.

  • Learning From Information Security Incidents - A5.27

    Analyzes incidents post-resolution to identify root causes, lessons learned, and opportunities for control improvement.

  • Collection of Evidence - A5.28

    Ensures that evidence related to security incidents is collected, handled, and preserved according to legal and forensic standards.

  • Information Security During Disruption - A5.29

    Maintains security controls during business disruptions to ensure confidentiality, integrity, and availability of critical information.

  • ICT Readiness for Business Continuity - A5.30

    Ensures IT infrastructure and systems are prepared to support business continuity objectives during disruptions or crises.

  • Legal, Statutory, Regulatory and Contractual Requirements - A5.31

    Identifies and complies with all applicable laws, regulations, and contractual security obligations.

  • Intellectual Property Rights - A5.32

    Protects intellectual property owned by or entrusted to the organization, ensuring legal compliance and ethical use.

  • Protection of Records - A5.33

    Safeguards records against loss, unauthorized access, or alteration to ensure integrity and compliance with retention requirements.

  • Privacy and Protection of PII - A5.34

    Implements measures to protect personally identifiable information (PII) in compliance with privacy laws and organizational policies.

  • Independent Review of Information Security - A5.35

    Conducts independent audits and reviews of the ISMS to ensure effectiveness and identify improvement opportunities.

  • Compliance With Policies, Rules and Standards for Information Security - A5.36

    Monitors and enforces adherence to established security policies and standards across the organization.

  • Documented Operating Procedures - A5.37

    Documents and maintains standard operating procedures to ensure consistent, secure, and auditable information system operations.

People Controls (A6)

  • Screening - A6.1

    Conducts background checks for personnel and contractors to verify trustworthiness and suitability for information access.

  • Terms and Conditions of Employment - A6.2

    Includes clear information security responsibilities within employment terms to reinforce accountability.

  • Information Security Awareness, Education and Training - A6.3

    Provides ongoing awareness and training programs to ensure all personnel understand and support information security.

  • Disciplinary Process - A6.4

    Defines disciplinary actions for violations of information security policies to promote accountability and compliance.

  • Responsibilities After Termination or Change of Employment - A6.5

    Ensures that former employees' access rights are revoked and that confidentiality obligations continue after employment ends.

  • Confidentiality or Non-Disclosure Agreements - A6.6

    Implements NDAs to protect sensitive and proprietary information shared internally or externally.

  • Remote Working - A6.7

    Applies specific controls to secure information assets when employees work remotely or offsite.

  • Information Security Event Reporting - A6.8

    Establishes procedures for employees and contractors to promptly report observed or suspected security events.

Physical Controls (A7)

  • Physical Security Perimeters - A7.1

    Defines physical boundaries to protect sensitive areas and assets from unauthorized access.

  • Physical Entry - A7.2

    Controls and monitors access to facilities using authentication, logging, and visitor management systems.

  • Securing Offices, Rooms and Facilities - A7.3

    Implements measures such as locks, alarms, and surveillance to protect office and facility environments.

  • Physical Security Monitoring - A7.4

    Uses monitoring systems such as CCTV and alarms to detect and respond to unauthorized physical access.

  • Protecting Against Physical and Environmental Threats - A7.5

    Protects facilities and equipment against fire, flooding, temperature, and other environmental risks.

  • Working In Secure Areas - A7.6

    Restricts and monitors activities in secure zones to minimize the risk of data exposure or tampering.

  • Clear Desk and Clear Screen - A7.7

    Ensures desks and screens are free of sensitive information when unattended to prevent unauthorized viewing.

  • Equipment Siting and Protection - A7.8

    Positions and protects equipment to reduce risks from environmental hazards and unauthorized access.

  • Security of Assets Off-Premises - A7.9

    Applies equivalent security measures to assets used or stored outside of organizational premises.

  • Storage Media - A7.10

    Manages and protects removable and fixed storage media to prevent unauthorized disclosure or loss of information.

  • Supporting Utilities - A7.11

    Ensures reliable and secure supply of utilities such as power, water, and HVAC supporting critical information systems.

  • Cabling Security - A7.12

    Protects power and network cables from interception, damage, or unauthorized access.

  • Equipment Maintenance - A7.13

    Performs secure maintenance on equipment to prevent compromise of information or systems.

  • Secure Disposal or Re-Use of Equipment - A7.14

    Ensures all data is securely erased before disposal or reuse of hardware to prevent data leakage.

Technological Controls (A8)

  • User Endpoint Devices - A8.1

    Applies controls to secure endpoints such as laptops and mobile devices against loss, theft, or compromise.

  • Privileged Access Rights - A8.2

    Restricts and monitors privileged access to systems and applications to prevent abuse or misuse.

  • Information Access Restriction - A8.3

    Implements restrictions on access to data and systems based on roles and need-to-know principles.

  • Access to Source Code - A8.4

    Controls access to source code to prevent unauthorized modification, disclosure, or misuse.

  • Secure Authentication - A8.5

    Applies multi-factor and strong authentication mechanisms to verify user identities securely.

  • Capacity Management - A8.6

    Monitors and manages system capacity to maintain performance and prevent disruptions.

  • Protection Against Malware - A8.7

    Implements anti-malware controls to detect, prevent, and respond to malicious software threats.

  • Management of Technical Vulnerabilities - A8.8

    Regularly identifies, evaluates, and remediates technical vulnerabilities in systems and applications.

  • Configuration Management - A8.9

    Maintains secure baseline configurations and manages changes to system components in a controlled manner.

  • Information Deletion - A8.10

    Ensures secure and irreversible deletion of data when no longer required or when requested.

  • Data Masking - A8.11

    Applies techniques to obscure sensitive data for use in testing or analytics while preserving confidentiality.

  • Data Leakage Prevention - A8.12

    Implements technologies and policies to prevent unauthorized transmission or disclosure of sensitive data.

  • Information Backup - A8.13

    Ensures regular, secure, and tested backups of critical information to support recovery after incidents.

  • Redundancy of Information Processing Facilities - A8.14

    Implements redundant systems and components to ensure continued operation during failures.

  • Logging - A8.15

    Records system and user activities to support accountability, monitoring, and forensic investigations.

  • Monitoring Activities - A8.16

    Continuously monitors systems and networks to detect anomalous behavior and potential security breaches.

  • Clock Synchronization - A8.17

    Synchronizes system clocks to ensure accurate logging, monitoring, and correlation of events.

  • Use of Privileged Utility Programs - A8.18

    Restricts use of administrative tools that can override controls, ensuring they are monitored and authorized.

  • Installation of Software on Operational Systems - A8.19

    Controls and approves all software installations to prevent unauthorized or malicious software from entering systems.

  • Network Security - A8.20

    Implements controls to protect networks against unauthorized access, misuse, or disruption.

  • Security of Network Services - A8.21

    Ensures that security features of network services such as firewalls and VPNs are correctly configured and managed.

  • Segregation of Networks - A8.22

    Separates networks based on sensitivity or function to limit the impact of breaches and maintain performance.

  • Web Filtering - A8.23

    Implements filtering mechanisms to restrict access to harmful or inappropriate web content.

  • Use of Cryptography - A8.24

    Applies encryption and cryptographic controls to protect the confidentiality, integrity, and authenticity of data.

  • Secure Development Life Cycle - A8.25

    Integrates security into all stages of software development to reduce vulnerabilities and enhance reliability.

  • Application Security Requirements - A8.26

    Defines and applies specific security requirements for all applications during design and development.

  • Secure System Architecture and Engineering Principles - A8.27

    Designs systems following secure architecture principles to minimize attack surfaces and vulnerabilities.

  • Secure Coding - A8.28

    Follows secure coding standards and practices to prevent common software vulnerabilities.

  • Security Testing in Development and Acceptance - A8.29

    Conducts security testing throughout development and before release to verify effectiveness of controls.

  • Outsourced Development - A8.30

    Ensures that outsourced software development adheres to organizational security policies and requirements.

  • Separation of Development, Test and Production Environments - A8.31

    Isolates development, test, and production environments to reduce the risk of unauthorized access or changes.

  • Change Management - A8.32

    Controls changes to systems and applications to ensure they are reviewed, tested, and approved before implementation.

  • Test Information - A8.33

    Protects test data to prevent exposure of production or sensitive information during testing.

  • Protection of Information Systems During Audit Testing - A8.34

    Ensures that audit testing does not compromise the confidentiality, integrity, or availability of operational systems.