ISO 27001:2022

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS, and its Annex A lists 93 reference controls grouped into four themes: organizational (A.5), people (A.6), physical (A.7) and technological (A.8). The controls below are summarized from that annex.

Controls:

Organizational controls (A.5): information security controls related to the organization's policies, roles, processes and relationships.

  • Policies for information security - A.5.1

    Information security policies and topic-specific policies should be defined, approved by management, published, communicated to relevant personnel and interested parties, and reviewed at planned intervals and when significant changes occur.

  • Information security roles and responsibilities - A.5.2

    Information security roles and responsibilities should be defined and allocated according to the information security management system (ISMS).

  • Segregation of duties - A.5.3

    Conflicting duties and areas of responsibility should be segregated to reduce the opportunities for unauthorized or unintentional modification or misuse of organizational assets.

  • Management responsibilities - A.5.4

    Management should require all persons performing information security roles to apply information security in accordance with the ISMS.

  • Contact with authorities - A.5.5

    The organization should establish and maintain contact with relevant authorities.

  • Contact with special interest groups - A.5.6

    The organization should establish and maintain contact with special interest groups or other specialist information security forums and professional associations.

  • Information security in project management - A.5.8

    Information security should be integrated into the project management of the organization.

  • Inventory of information and other associated assets - A.5.9

    An inventory of information and other associated assets, including owners, should be developed and maintained.

  • Acceptable use of information and other associated assets - A.5.10

    Rules for the acceptable use of information and other associated assets should be identified and implemented.

  • Return of assets - A.5.11

    Personnel and other interested parties should return all of the organization's assets in their possession upon change or termination of their employment, contract or agreement.

  • Classification of information - A.5.12

    Information should be classified according to the organization's information security needs, based on confidentiality, integrity and availability requirements and the requirements of relevant interested parties.

  • Labelling of information - A.5.13

    An appropriate set of procedures for labelling information should be developed and implemented in accordance with the organization’s information security policies.

  • Information transfer - A.5.14

    Information transfer rules, procedures and agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

  • Access control - A.5.15

    Rules for controlling physical and logical access to information and other associated assets should be established and implemented.

  • Identity management - A.5.16

    The unique identification of users should be established and managed throughout the entire information lifecycle.

  • Authentication information - A.5.17

    The allocation and management of authentication information should be controlled by a management process.

  • Access rights - A.5.18

    The access rights to information and other associated assets should be managed in accordance with the organization's topic-specific policy on access control.

  • Information security in supplier relationships - A.5.19

    Relevant information security requirements should be established and implemented to manage the information security risks associated with supplier relationships.

  • Addressing information security within supplier agreements - A.5.20

    Relevant information security requirements should be established and agreed with each supplier that accesses, processes, stores, transmits or provides ICT components for the organization's information.

  • Managing information security in the ICT supply chain - A.5.21

    Processes and procedures should be implemented to manage information security risks associated with the use of the organization’s ICT supply chain.

  • Monitoring, review and change management of supplier services - A.5.22

    The organization should regularly monitor, review, evaluate and manage changes in supplier information security practices and service delivery.

  • Information security for use of cloud services - A.5.23

    Processes for the acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements, policies, procedures and agreements.

  • Information security incident management planning and preparation - A.5.24

    The organization should plan and prepare for managing information security incidents.

  • Assessment and decision on information security events - A.5.25

    The organization should assess information security events and decide whether they are to be categorized as information security incidents.

  • Response to information security incidents - A.5.26

    Information security incidents should be responded to in accordance with the documented information security incident management procedures.

  • Learning from information security incidents - A.5.27

    Knowledge gained from information security incidents should be used to strengthen the ISMS.

  • Collection of evidence - A.5.28

    Where a legal, statutory, regulatory or contractual requirement exists for evidence to be collected, the organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

  • Information security during disruption - A.5.29

    The organization should plan and prepare for information security during disruption.

  • ICT readiness for business continuity - A.5.30

    ICT readiness should be planned, implemented, maintained and tested based on the organization's business continuity objectives and ICT continuity requirements.

  • Legal, statutory, regulatory and contractual requirements - A.5.31

    Legal, statutory, regulatory and contractual requirements relevant to information security, and the organization's approach to meeting them, should be identified, documented and kept up to date for each information system and service and for the organization as a whole.

  • Intellectual property rights - A.5.32

    The organization should implement appropriate procedures to protect intellectual property rights.

  • Protection of records - A.5.33

    Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

  • Privacy and protection of PII - A.5.34

    The organization should establish and implement policies and procedures for the protection of privacy and personally identifiable information (PII) in accordance with relevant laws and regulations.

  • Independent review of information security - A.5.35

    The organization's approach to managing information security and its implementation (including the ISMS) should be subject to independent review at planned intervals or when significant changes occur.

  • Compliance with policies, rules and standards for information security - A.5.36

    Compliance of information processing and procedures with the organization's information security policies and standards should be regularly reviewed.

  • Documented operating procedures - A.5.37

    Operating procedures for information processing facilities should be documented and made available to the personnel who need them.

  • Threat intelligence - A.5.7

    Information about information security threats should be collected and analysed to produce threat intelligence.
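
Segregation of duties (A.5.3) and the provisioning and removal of access rights (A.5.11, A.5.18, A.6.5) are the organizational controls most often checked by script during a periodic access review. The following Python is an added example, not text or code from the standard or from this page: it compares a constructed IAM export against a constructed HR feed and a constructed toxic-combination matrix, reporting users who hold conflicting roles and accounts that still hold roles although the person is terminated or unknown to HR. The role names, user ids and conflict pairs are all assumptions.

```python
"""Toy access-rights review: flags segregation-of-duties conflicts (A.5.3) and
access still held by people who are not active in HR (A.5.18 / A.6.5).
All data below is constructed; role names and conflict pairs are assumptions."""
from itertools import combinations

# Constructed conflict matrix: pairs of roles one person must never hold together.
TOXIC_COMBINATIONS = {
    frozenset({"payments.initiate", "payments.approve"}),
    frozenset({"code.commit", "deploy.production"}),
    frozenset({"vendor.create", "invoice.approve"}),
}

# Constructed HR feed: employment status per user id.
HR_STATUS = {
    "u100": "active",
    "u101": "active",
    "u102": "terminated",
    "u103": "active",
}

# Constructed IAM export: user id -> roles currently assigned.
ROLE_ASSIGNMENTS = {
    "u100": {"payments.initiate", "payments.approve"},
    "u101": {"code.commit", "deploy.staging"},
    "u102": {"vendor.create"},
    "u103": {"code.commit", "deploy.production", "invoice.approve"},
    "svc-ci": {"deploy.production"},  # absent from HR: a service account or an orphan
}


def sod_conflicts(assignments, toxic=TOXIC_COMBINATIONS):
    """Return {user: [conflicting role pair, ...]} for every toxic pair a user holds."""
    findings = {}
    for user, roles in assignments.items():
        # combinations() of a sorted list yields already-sorted pairs, so output is deterministic
        hits = [pair for pair in combinations(sorted(roles), 2) if frozenset(pair) in toxic]
        if hits:
            findings[user] = hits
    return findings


def stale_access(assignments, hr_status=HR_STATUS):
    """Return users who still hold roles but are not 'active' in HR (terminated or unknown).
    Unknown accounts are reported too: an identity that HR cannot vouch for has no owner."""
    return sorted(u for u, roles in assignments.items()
                  if roles and hr_status.get(u) != "active")


def review_report(assignments=ROLE_ASSIGNMENTS, hr_status=HR_STATUS, toxic=TOXIC_COMBINATIONS):
    return {"sod": sod_conflicts(assignments, toxic), "stale": stale_access(assignments, hr_status)}


if __name__ == "__main__":
    import json
    print(json.dumps(review_report(), indent=2))
```

The review is only as good as its inputs: the IAM export must cover every system in scope (including service accounts, which is why the script reports identities HR does not know), and the toxic-combination list is a business decision that the control owner, not the script author, has to sign off.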

People controls (A.6): information security controls related to the people who work for or on behalf of the organization.

  • Screening - A.6.1

    Background verification checks on all candidates for employment and relevant third parties should be carried out in accordance with applicable laws, regulations and ethics, and should be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

  • Terms and conditions of employment - A.6.2

    The terms and conditions of employment should state the organization's and the individual’s responsibilities for information security.

  • Information security awareness, education and training - A.6.3

    All personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training, and regular updates on organizational policies and procedures, as relevant for their job function.

  • Disciplinary process - A.6.4

    A formal disciplinary process should be in place for personnel who have committed an information security breach.

  • Responsibilities after termination or change of employment - A.6.5

    Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the relevant personnel or interested parties, and enforced.

  • Confidentiality or non-disclosure agreements - A.6.6

    Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

  • Remote working - A.6.7

    Information security measures should be implemented to protect information when personnel are working remotely.

  • Information security event reporting - A.6.8

    Personnel should be required to report information security events and observations of weaknesses in information security procedures or controls.

Physical controls (A.7): information security controls related to physical and environmental security.

  • Physical security perimeters - A.7.1

    Physical security perimeters should be defined and used to protect areas that contain sensitive information and other associated assets.

  • Physical entry controls - A.7.2

    Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

  • Securing offices, rooms and facilities - A.7.3

    Physical security for offices, rooms and facilities should be designed and implemented.

  • Physical security monitoring - A.7.4

    Premises should be continuously monitored for unauthorized physical access.

  • Protecting against physical and environmental threats - A.7.5

    Protection against physical and environmental threats should be designed and applied.

  • Working in secure areas - A.7.6

    A secure working environment should be designed and applied for secure areas.

  • Clear desk and clear screen - A.7.7

    Rules on clear desk and clear screen should be defined and implemented.

  • Equipment siting and protection - A.7.8

    Equipment should be sited securely and protected to reduce the risks from physical and environmental threats and from unauthorized access, damage and interference.

  • Security of assets off-premises - A.7.9

    Information and other associated assets kept off-premises should be protected from loss, damage, theft or compromise.

  • Storage media - A.7.10

    Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements, to protect information from unauthorized access, disclosure, modification or destruction.

  • Supporting utilities - A.7.11

    Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.

  • Cabling security - A.7.12

    Power and telecommunications cabling carrying information should be protected from interception or damage.

  • Maintenance of equipment - A.7.13

    Equipment should be maintained correctly to ensure its continued availability and integrity.

  • Secure disposal or reuse of equipment - A.7.14

    Equipment containing information should be securely disposed of or reused.

Technological controls (A.8): information security controls related to technology, including networks, systems, applications and data.

  • User endpoint devices - A.8.1

    Information stored on, processed by or accessible via user endpoint devices should be protected from loss, unauthorized access or misuse.

  • Privileged access rights - A.8.2

    The allocation and management of privileged access rights should be restricted and controlled.

  • Information access restriction - A.8.3

    Access to information and other associated assets should be restricted in accordance with the topic-specific policy on access control.

  • Access to source code - A.8.4

    Access to source code should be restricted and controlled.

  • Secure authentication - A.8.5

    Authentication to information and other associated assets should be secure.

  • Capacity management - A.8.6

    The use of resources should be monitored and adjusted in line with current and expected capacity requirements, so that the required processing capacity remains available.

  • Protection against malware - A.8.7

    Protection against malware should be implemented and regularly updated.

  • Management of technical vulnerabilities - A.8.8

    Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the identified risk.

  • Configuration management - A.8.9

    Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

  • Information deletion - A.8.10

    Information stored in information systems, devices or any other storage media should be deleted when no longer required.

  • Data masking - A.8.11

    Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies (for example on privacy and protection of PII), taking applicable legislation and business requirements into consideration.

  • Data leakage prevention - A.8.12

    Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

  • Information backup - A.8.13

    Backup copies of information, software and systems should be maintained and regularly tested in accordance with the organization's topic-specific policy on backup.

  • Redundancy of information processing facilities - A.8.14

    Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

  • Logging - A.8.15

    Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

  • Monitoring activities - A.8.16

    Networks; systems and applications should be monitored for anomalous behaviour and appropriate action taken.

  • Clock synchronization - A.8.17

    The clocks of information processing systems used by the organization should be synchronized to approved time sources.

  • Use of privileged utility programs - A.8.18

    The use of privileged utility programs should be restricted and controlled.

  • Installation of software on operational systems - A.8.19

    The installation of software on operational systems should be restricted to authorized persons and managed.

  • Networks security - A.8.20

    Networks and network devices should be secured, managed and controlled to protect information in systems and applications.

  • Security of network services - A.8.21

    Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

  • Web filtering - A.8.23

    Access to external websites should be restricted in accordance with the organization’s topic-specific policies on acceptable use of information and other associated assets.

  • Secure coding - A.8.28

    Secure coding principles should be applied to software and system development.

  • Security testing in development and acceptance - A.8.29

    Security testing should be performed during development and acceptance of information systems.

  • Secure development life cycle - A.8.25

    Rules for the secure development of software and systems should be established and applied.

  • Secure development outsourcing - A.8.30

    The organization should identify and implement appropriate security requirements and controls for outsourced system development.

  • Secure system architecture and engineering principles - A.8.27

    Secure architecture and design principles should be applied across the entire lifecycle of systems and services, including acquisition, development, deployment, and maintenance.

  • Separation of development, test and production environments - A.8.31

    Development, test and production environments should be separated and secured.

  • Change management - A.8.32

    Changes to information processing facilities and information systems should be subject to change management procedures.

  • Test information - A.8.33

    Protection of test information should be designed and applied.

  • Protection of information systems during audit testing - A.8.34

    Information systems should be protected during audit testing.

  • Segregation of networks - A.8.22

    Groups of information services, users and information systems should be segregated in the organization's networks, with zones defined by sensitivity, trust level and function.

  • Use of cryptography - A.8.24

    Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

  • Application security requirements - A.8.26

    Information security requirements should be identified, specified and approved when developing or acquiring applications.
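
As an added example for A.8.11 (data masking) and A.5.34 (protection of PII), not code from the standard or from this page: a masking routine that applies a per-field policy to a record before it is copied to a lower-trust environment such as a test system or an analytics export. The field names, the policy table and the sample record are constructed assumptions. Pseudonymization uses a keyed HMAC rather than a bare hash, because an unkeyed hash of a low-entropy value such as an e-mail address or phone number is reversed trivially by enumeration; fields the policy does not classify fail closed to redaction.

```python
"""Policy-driven masking of a record before export (A.8.11 / A.5.34).
Field names, policy and sample record are constructed for this example."""
import hashlib
import hmac
import re

# Constructed policy: what happens to each classified field on export.
#   redact    - value replaced wholly
#   partial   - keep enough to recognise, hide the rest
#   pseudonym - keyed HMAC: stays joinable across exports, not reversible without the key
#   keep      - not PII
MASKING_POLICY = {
    "customer_id": "pseudonym",
    "email": "partial",
    "card_number": "partial",
    "phone": "redact",
    "plan": "keep",
}


def pseudonymize(value: str, key: bytes) -> str:
    # Keyed: an unkeyed SHA-256 of an e-mail or phone is brute-forced from a word list in minutes.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(value: str) -> str:
    local, _, domain = value.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def mask_card(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    if len(digits) < 8:
        return "*" * len(digits)
    # Keep only the last four digits; the BIN (first six) is also hidden here.
    return "*" * (len(digits) - 4) + digits[-4:]


PARTIAL_MASKERS = {"email": mask_email, "card_number": mask_card}


def mask_record(record: dict, key: bytes, policy=MASKING_POLICY) -> dict:
    out = {}
    for field, value in record.items():
        action = policy.get(field, "redact")  # fail closed: unclassified fields are redacted
        if action == "keep":
            out[field] = value
        elif action == "redact":
            out[field] = "[REDACTED]"
        elif action == "pseudonym":
            out[field] = pseudonymize(str(value), key)
        elif action == "partial":
            out[field] = PARTIAL_MASKERS[field](str(value))
        else:
            raise ValueError(f"unknown masking action {action!r} for field {field!r}")
    return out


SAMPLE_RECORD = {  # constructed
    "customer_id": "C-48213",
    "email": "alice.smith@example.com",
    "card_number": "4111 1111 1111 1111",
    "phone": "+44 20 7946 0000",
    "plan": "premium",
    "ssn": "123-45-6789",  # not in the policy: must come out redacted
}

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, key=b"example-key-keep-in-a-kms"))
```

The HMAC key is what makes the pseudonym safe, so it belongs in the key-management process A.8.24 describes, not in source; rotating it breaks joinability with earlier exports, which is the intended trade-off when a dataset is retired.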
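
As an added example for A.8.15 (logging) and A.8.17 (clock synchronization), again not the standard's or this page's own code: a hash-chained audit log in which each entry commits to the previous entry's digest, so that editing or deleting an entry after the fact breaks verification, and in which timestamps may not go backwards, which surfaces an unsynchronized clock at write time rather than during an investigation. The entry format and the sample events are constructed assumptions.

```python
"""Append-only, hash-chained audit log (A.8.15) with a monotonic-time check (A.8.17).
Entry layout and the sample events are constructed for this example."""
import hashlib
import json

GENESIS = "0" * 64  # digest the first entry chains to


def entry_digest(prev_hash: str, ts: int, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is independent of dict order.
    payload = json.dumps({"prev": prev_hash, "ts": ts, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(chain: list, ts: int, event: dict) -> dict:
    """Append an event; reject a timestamp earlier than the previous entry's."""
    prev = chain[-1]["hash"] if chain else GENESIS
    if chain and ts < chain[-1]["ts"]:
        raise ValueError(f"timestamp {ts} precedes previous entry {chain[-1]['ts']}: check clock sync")
    entry = {"prev": prev, "ts": ts, "event": event, "hash": entry_digest(prev, ts, event)}
    chain.append(entry)
    return entry


def verify(chain: list):
    """Return (True, None) if intact, else (False, index of the first entry that fails)."""
    prev, last_ts = GENESIS, None
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_digest(e["prev"], e["ts"], e["event"]):
            return False, i
        if last_ts is not None and e["ts"] < last_ts:
            return False, i
        prev, last_ts = e["hash"], e["ts"]
    return True, None


def build_sample_chain() -> list:
    """Three constructed events from one session."""
    chain = []
    append(chain, 1700000000, {"type": "login", "user": "u100", "src": "10.0.0.5"})
    append(chain, 1700000042, {"type": "sudo", "user": "u100", "cmd": "systemctl restart nginx"})
    append(chain, 1700000100, {"type": "logout", "user": "u100"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain))
    chain[1]["event"]["cmd"] = "id"            # rewrite history...
    print("after tampering:", verify(chain))  # ...and the chain breaks at index 1
```

The chain only proves integrity relative to its head: an attacker who can rewrite the whole file can re-chain it from the point of tampering. The latest hash therefore has to be anchored somewhere the log writer cannot alter, such as a remote collector or a periodically signed checkpoint, which is the "protected" part of A.8.15.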