Security objective |
Description |
ISO 27001 Annex A reference controls |
1: Information security policy |
Establish and maintain an information security policy. |
A.5 Information security policies |
2: Risk management |
Establish and maintain an appropriate governance and risk management framework to identify and address risks. |
All |
3: Security roles |
Assign security roles and responsibilities to designated staff. |
A.6.1 Internal organization |
4: Third-party management |
Establish and maintain a policy that sets out the security requirements for customer and supplier contracts. |
A.15.1 Information security in supplier relationships |
5: Background checks |
Perform background checks before hiring new personnel |
A.7.1 Prior to employment |
6: Security knowledge and training |
Ensure relevant staff have the knowledge to perform security-related tasks adequately, and provide regular training. |
A.6.1.1 Information security roles and responsibilities
A.7.2.2 Information security awareness, education and training |
7: Personnel changes |
Establish and maintain a process for managing staff changes. |
A.7.3.1 Termination or change of employment responsibilities |
8: Physical and environmental security |
Implement controls, and establish and maintain policies for the physical and environmental security of data centres. |
A.11 Physical and environmental security |
9: Security of supporting utilities |
Implement security measures for supporting utilities. |
A.11.2.2 Supporting utilities |
10: Access control to network and information systems |
Implement measures, and establish and maintain policies for access to business resources. |
A.6.1.2 Segregation of duties
A.6.2.2 Teleworking
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.4 Management of secret authentication information of users
A.9.3.1 Use of secret authentication information
A.9.4.1 Information access restriction
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.4 Protecting against external and environmental threats
A.11.1.6 Delivery and loading areas
A.11.2.3 Cabling security
A.13.1.1 Network controls
A.13.1.3 Segregation in networks
A.13.2.1 Information transfer policies and procedures |
11: Integrity of network components and information systems |
Take steps to prevent security incidents, thus maintaining the integrity of networks, platforms and services. |
A.13.1 Network security management |
12: Operating procedures |
Establish and maintain procedures for operating key network and information systems. |
A.12.1.1 Documented operating procedures
A.12.5.1 Installation of software on operational systems
A.13.2.1 Information transfer policies and procedures
A.14.2.2 System change control procedures |
13: Change management |
Establish and maintain change management procedures for key network and information systems. |
A.12.1.2 Change management
A.12.5.1 Installation of software on operational systems
A.12.6.2 Restrictions on software installation
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages |
14: Asset management |
Implement configuration controls, and establish and maintain asset management procedures for key network and information systems. |
A.6.1.1 Information security roles and responsibilities
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.2.1 Classification of information
A.13.2.1 Information transfer policies and procedures |
15: Security incident detection and response |
Establish and maintain procedures for detecting and responding to security incidents effectively. Incorporate a process for learning from past experiences. |
A.16.1.5 Response to information security incidents |
16: Security incident reporting |
Establish and maintain incident reporting and communication procedures. |
A.16.1.5 Response to information security incidents |
17: Business continuity |
Prepare contingency plans and a continuity strategy to ensure service availability. |
A.17.1 Information security continuity |
18: Disaster recovery capabilities |
Prepare a disaster recovery capability in the case of natural and/or major disasters. |
A.16.1.1 Responsibilities and procedures
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity |
19: Monitoring and logging |
Establish and maintain procedures and/or systems for monitoring and logging activity. |
A.12.4 Logging and monitoring |
20: System tests |
Establish and maintain procedures for regularly testing key network and information systems. |
A.14.2 Security in development and support processes |
21: Security assessments |
Establish and maintain procedures for performing security assessments of critical assets. |
A.12.6.1 Management of technical vulnerabilities
A.18.2.2 Compliance with security policies and standards |
22: Compliance |
Establish and maintain a policy to check internal policies against relevant legal requirements, and against industry best practice and standards. |
A.18 Compliance |
23: Security of data at rest |
Implement mechanisms to adequately protect data at rest. |
A.6.1.2 Segregation of duties
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.3.1 Termination or change of employment responsibilities
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
A.9.2.3 Management of privileged access rights
A.9.4.1 Information access restriction
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code
A.12.1.4 Separation of development, testing and operational environments
A.12.2.1 Controls against malware
A.12.5.1 Installation of software on operational systems
A.13.1.1 Network controls
A.13.1.3 Segregation in networks
A.13.2.1 Information transfer policies and procedures
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or nondisclosure agreements
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions |
24: Interface security |
Establish and maintain a policy for securing the interfaces of services that process personal data. |
None |
25: Software security |
Establish and maintain a policy for ensuring that developed software respects security. |
None |
26: Interoperability and portability |
Ensure customers can interface with other digital services and/or migrate to another provider offering a similar service. (Cloud computing services and online marketplaces only.) |
None |
27: Customer monitoring and log access |
Grant customers access to relevant transaction and performance logs. (Cloud computing services only.) |
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation |
