ISO 27001:2022

ISO/IEC 27001:2022 is an international standard for information security management systems (ISMS), providing a framework to protect and manage sensitive information systematically.

Controls:

This group, the organizational controls (OC), is the largest of the four; its controls have a largely policy- and procedure-driven focus, ranging from threat intelligence to classification of information to access control and much more.

  • Policies for information security - OC.1

    Establish and maintain information security policies.

  • Information security roles and responsibilities - OC.2

    Define and assign information security roles and responsibilities.

  • Segregation of duties - OC.3

    Segregate conflicting duties and areas of responsibility.

  • Management responsibilities - OC.4

    Assign information security responsibilities to management.

  • Contact with authorities - OC.5

    Establish and maintain contact with relevant authorities.

  • Contact with special interest groups - OC.6

    Establish and maintain contact with special interest groups.

  • Threat intelligence - OC.7

    Collect and analyze information about information security threats.

  • Information security in project management - OC.8

    Integrate information security into project management.

  • Inventory of information and other associated assets - OC.9

    Identify and manage an inventory of information and other associated assets.

  • Acceptable use of information and other associated assets - OC.10

    Define and implement rules for the acceptable use of information and other associated assets.

  • Return of assets - OC.11

    Implement a process for the return of assets upon termination of employment or contract.

  • Classification of information - OC.12

    Classify information according to its security requirements.

  • Labelling of information - OC.13

    Label information according to its classification.

  • Information transfer - OC.14

    Implement procedures for the secure transfer of information.

  • Access control - OC.15

    Implement access control policies and procedures.

  • Identity management - OC.16

    Manage the lifecycle of user identities.

  • Authentication information - OC.17

    Protect authentication information.

  • Access rights - OC.18

    Define and manage access rights.

  • Information security in supplier relationships - OC.19

    Address information security when dealing with suppliers.

  • Addressing information security within supplier agreements - OC.20

    Include information security requirements in supplier agreements.

  • Managing information security in the ICT supply chain - OC.21

    Manage information security risks associated with the ICT supply chain.

  • Monitoring, review and change management of supplier services - OC.22

    Monitor, review and manage changes to supplier services.

  • Information security for use of cloud services - OC.23

    Address information security when using cloud services.

  • Information security incident management planning and preparation - OC.24

    Plan and prepare for managing information security incidents.

  • Assessment and decision on information security events - OC.25

    Assess and decide whether information security events should be treated as incidents.

  • Response to information security incidents - OC.26

    Implement procedures to respond to information security incidents.

  • Learning from information security incidents - OC.27

    Learn from information security incidents.

  • Collection of evidence - OC.28

    Establish and implement procedures for the collection and preservation of evidence related to information security events and incidents.

  • Information security during disruption - OC.29

    Plan for information security during disruption.

  • ICT readiness for business continuity - OC.30

    Plan for ICT readiness for business continuity.

  • Legal, statutory, regulatory and contractual requirements - OC.31

    Identify and document legal, statutory, regulatory and contractual requirements related to information security.

  • Intellectual property rights - OC.32

    Protect intellectual property rights.

  • Protection of records - OC.33

    Protect records from unauthorized access, disclosure, modification or destruction.

  • Privacy and protection of personally identifiable information - OC.34

    Protect privacy and personally identifiable information (PII) according to applicable laws and regulations.

  • Independent review of information security - OC.35

    Conduct independent reviews of the organization's approach to information security.

  • Information security awareness, education and training - OC.36

    Provide information security awareness, education and training.

  • Information security aspects of business continuity management - OC.37

    Plan for information security aspects of business continuity.

This section focuses on the human element of information security, ensuring that individuals within the organization are aware of their responsibilities and act in a secure manner.

  • Screening - PC.1

    Conduct background checks on prospective employees.

  • Terms and conditions of employment - PC.2

    Include information security responsibilities in employment contracts.

  • Information security awareness, education and training - PC.3

    Provide ongoing information security awareness, education and training.

  • Disciplinary process - PC.4

    Establish and communicate a disciplinary process for information security breaches.

  • Responsibilities after termination or change of employment - PC.5

    Define and communicate responsibilities after termination or change of employment.

  • Confidentiality or non-disclosure agreements - PC.6

    Implement confidentiality or non-disclosure agreements.

  • Remote working - PC.7

    Implement security measures for remote working.

  • Information security event reporting - PC.8

    Establish and communicate a process for reporting information security events.

These controls address the physical environment and aim to prevent unauthorized physical access, damage and interference to the organization's facilities and information.

  • Physical security perimeters - PhC.1

    Define and implement physical security perimeters.

  • Physical entry - PhC.2

    Control physical entry to facilities.

  • Securing offices, rooms and facilities - PhC.3

    Secure offices, rooms and facilities.

  • Physical security monitoring - PhC.4

    Monitor physical security.

  • Protecting against physical and environmental threats - PhC.5

    Protect against physical and environmental threats.

  • Working in secure areas - PhC.6

    Establish and implement procedures for working in secure areas.

  • Clear desk and clear screen - PhC.7

    Implement a clear desk and clear screen policy.

  • Equipment siting and protection - PhC.8

    Securely site and protect equipment.

  • Security of assets off-premises - PhC.9

    Secure assets when they are off-premises.

  • Storage media - PhC.10

    Securely manage storage media.

  • Supporting utilities - PhC.11

    Ensure the security of supporting utilities.

  • Cabling security - PhC.12

    Secure cabling.

  • Equipment maintenance - PhC.13

    Ensure proper maintenance of equipment.

  • Secure disposal or re-use of equipment - PhC.14

    Ensure the secure disposal or re-use of equipment.

This category focuses on the technical measures implemented to protect information systems and data from unauthorized access, use, disclosure, disruption, modification or destruction.

  • User endpoint devices - TC.1

    Secure user endpoint devices.

  • Privileged access rights - TC.2

    Manage and restrict privileged access rights.

  • Information access restriction - TC.3

    Restrict access to information based on business requirements.

  • Access to source code - TC.4

    Control access to source code.

  • Secure authentication - TC.5

    Implement secure authentication mechanisms.

  • Capacity management - TC.6

    Plan and manage IT capacity.

  • Protection against malware - TC.7

    Implement measures to protect against malware.

  • Management of technical vulnerabilities - TC.8

    Manage technical vulnerabilities.

  • Configuration management - TC.9

    Manage the configuration of IT systems and services.

  • Information deletion - TC.10

    Securely delete information when it is no longer needed.

  • Data masking - TC.11

    Use data masking techniques where appropriate.

  • Data leakage prevention - TC.12

    Implement data leakage prevention (DLP) measures.

  • Information backup - TC.13

    Perform regular backups of information.

  • Redundancy of information processing facilities - TC.14

    Implement redundancy for critical information processing facilities.

  • Logging - TC.15

    Implement logging of relevant events.

  • Monitoring activities - TC.16

    Monitor security-related activities.

  • Clock synchronization - TC.17

    Synchronize clocks across IT systems.

  • Use of privileged utility programs - TC.18

    Restrict and monitor the use of privileged utility programs.

  • Installation of software on operational systems - TC.19

    Control the installation of software on operational systems.

  • Networks security - TC.20

    Secure network infrastructure.

  • Security of network services - TC.21

    Ensure the security of network services.

  • Segregation of networks - TC.22

    Implement segregation of networks.

  • Web filtering - TC.23

    Implement web filtering.

  • Use of cryptography - TC.24

    Use cryptography to protect data.

  • Secure development life cycle - TC.25

    Implement a secure development life cycle (SDLC).

  • Application security requirements - TC.26

    Define and implement application security requirements.

  • Secure system architecture and engineering principles - TC.27

    Design systems based on secure architecture and engineering principles.

  • Secure coding - TC.28

    Implement secure coding practices.

  • Security testing in development and acceptance - TC.29

    Conduct security testing during development and acceptance phases.

  • Outsourced development - TC.30

    Manage security aspects of outsourced development.

  • Separation of development, test and production environments - TC.31

    Maintain separation of development, test and production environments.

  • Change management - TC.32

    Implement a change management process.

  • Test information - TC.33

    Protect test information.

  • Protection of information systems during audit testing - TC.34

    Protect information systems during audit testing.