1. A15 Supplier relationships
1.1. 15.1 Information security policy for supplier relationships
1.2. 15.2 Supplier service delivery management
2. A5 Security Policy
2.1. 5.1 Management direction of information security
2.1.1. 5.1.1 Policies for information security
2.1.2. 5.1.2 Review of the information security policies
3. A7 Human Resources Security
3.1. 7.1 Prior to employment
3.1.1. 7.1.1 Screening
3.1.2. 7.1.2 Terms and conditions of employment
3.2. 7.2 During employment
3.2.1. 7.2.1 Management responsibilities
3.2.2. 7.2.2 Information security awareness, education, and training
3.2.3. 7.2.3 Disciplinary process
3.3. 7.3 Termination and change of employment
3.3.1. 7.3.1 Termination or change of employment responsibilities
4. A9 Access Control
4.1. 9.1 Business requirement for access control
4.1.1. 9.1.1 Access control policy
4.1.2. 9.1.2 Access to networks and network services
4.2. 9.2 User access management
4.2.1. 9.2.1 User registration and de-registration
4.2.2. 9.2.2 User access provisioning
4.2.3. 9.2.3 Management of privileged access rights
4.2.4. 9.2.4 Management of secret authentication information of users
4.2.5. 9.2.5 Review of user access rights
4.2.6. 9.2.6 Removal or adjustment of access rights
4.3. 9.3 User responsibilities
4.3.1. 9.3.1 Use of secret authentication information
4.4. 9.4 System and application access control
4.4.1. 9.4.1 Information access restriction
4.4.2. 9.4.2 Secure log-on procedures
4.4.3. 9.4.3 Password management system
4.4.4. 9.4.4 Use of privileged utility programs
4.4.5. 9.4.5 Access control to program source control
5. A14 System acquisition, development and maintenance
5.1. 14.1 Security requirements of information systems
5.1.1. 14.1.1 Information security requirements analysis and specification
5.1.2. 14.1.2 Securing application services on public networks
5.1.3. 14.1.3 Protecting application services transactions
5.2. 14.2 Security in development and support processes
5.2.1. 14.2.1 Secure development policy
5.2.2. 14.2.2 System change control procedures
5.2.3. 14.2.3 Technical review of applications after operating platform change
5.2.4. 14.2.4 Restrictions on changes to software packages
5.2.5. 14.2.5 Secure system engineering principles
5.2.6. 14.2.6 Secure development environment
5.2.7. 14.2.7 Outsourced development
5.2.8. 14.2.8 System security testing
5.2.9. 14.2.9 System acceptance testing
5.3. 14.3 Test data
5.3.1. 14.3.1 Protection of test data
6. A12 Operations security
6.1. 12.1 Operational procedures and responsibilities
6.1.1. 12.1.1 Documented operating procedures
6.1.2. 12.1.2 Change management
6.1.3. 12.1.3 Capacity management
6.1.4. 12.1.4 Separation of development, test, and operational facilities
6.2. 12.2 Protection from malware
6.2.1. 12.2.1 Controls against malware
6.3. 12.3 Backup
6.3.1. 12.3.1 Information backup
6.4. 12.4 Logging and monitoring
6.4.1. 12.4.1 Event logging
6.4.2. 12.4.2 Protection of log information
6.4.3. 12.4.3 Administrator and operator logs
6.4.4. 12.4.4 Clock synchronisation
6.5. 12.5 Control of operational software
6.5.1. 12.5.1 Installation of software on operational systems
6.6. 12.6 Technical vulnerability management
6.6.1. 12.6.1 Management of technical vulnerabilities
6.6.2. 12.6.2 Restrictions on software installation
7. A13 Communications security
7.1. 13.1 Network security management
7.1.1. 13.1.1 Network controls
7.1.2. 13.1.2 Security of network services
7.1.3. 13.1.3 Segregation in networks
7.2. 13.2 Information transfer
7.2.1. 13.2.1 Information transfer policies and procedures
7.2.2. 13.2.2 Agreement on information transfer
7.2.3. 13.2.3 Electronic messaging
8. A6 Organization of Information Security
8.1. 6.1 Internal organization
8.1.1. 6.1.1 Information security roles and responsibilities
8.1.2. 6.1.2 Segregation of duties
8.1.3. 6.1.3 Contact with authorities
8.1.4. 6.1.4 Contact with special interest groups
8.1.5. 6.1.5 Information security in project management
8.2. 6.2 Mobile devices and networking
8.2.1. 6.2.1 Mobile device policy
8.2.2. 6.2.2 Teleworking
9. A8 Asset Management
9.1. 8.1 Responsibility for assets
9.1.1. 8.1.1 Inventory of assets
9.1.2. 8.1.2 Ownership of assets
9.1.3. 8.1.3 Acceptable use of assets
9.1.4. 8.1.4 Return of assets
9.2. 8.2 Information Classification
9.2.1. 8.2.1 Classification guidelines
9.2.2. 8.2.2 Labelling of information
9.2.3. 8.2.3 Handling of assets
9.3. 8.3 Media handling
9.3.1. 8.3.1 Management of removable media
9.3.2. 8.3.2 Disposal of media
9.3.3. 8.3.3 Physical media transfer
10. A10 Cryptography
10.1. 10.1 Cryptographic controls
11. A11 Physical and environmental security
11.1. 11.1 Secure areas
11.1.1. 11.1.1 Physical security perimeter
11.1.2. 11.1.2 Physical entry controls
11.1.3. 11.1.3 Securing offices, rooms, and facilities
11.1.4. 11.1.4 Protecting against external and environmental threats
11.1.5. 11.1.5 Working in secure areas
11.1.6. 11.1.6 Delivery and loading areas
11.2. 11.2 Equipment
11.2.1. 11.2.1 Equipment siting and protection
11.2.2. 11.2.2 Supporting utilities
11.2.3. 11.2.3 Cabling security
11.2.4. 11.2.4 Equipment maintenance
11.2.5. 11.2.5 Removal of assets
11.2.6. 11.2.6 Security of equipment and assets off-premises
11.2.7. 11.2.7 Secure disposal or reuse of equipment
11.2.8. 11.2.8 Unattended user equipment
11.2.9. 11.2.9 Clear desk and clear screen policy
12. A16 Information Security Incident Management
12.1. 16.1 Management of information security incidents and improvements
12.1.1. 16.1.1 Responsibilities and procedures
12.1.2. 16.1.2 Reporting information security events
12.1.3. 16.1.3 Reporting information security weaknesses
12.1.4. 16.1.4 Assessment of and decision on information security events
12.1.5. 16.1.5 Response to information security incidents
12.1.6. 16.1.6 Learning from information security incidents
12.1.7. 16.1.7 Collection of evidence
13. A17 Information security aspects of business continuity management
13.1. 17.1 Information security continuity
13.1.1. 17.1.1 Planning information security continuity
13.1.2. 17.1.2 Implementing information security continuity
13.1.3. 17.1.3 Verify, review and evaluate information security continuity
13.2. 17.2 Redundancies
13.2.1. 17.2.1 Availability of information processing facilities
14. A18 Compliance
14.1. 18.1 Compliance with legal and contractual requirements
14.1.1. 18.1.1 Identification of applicable legislation and contractual requirements
14.1.2. 18.1.2 Intellectual property rights (IPR)
14.1.3. 18.1.3 Protection of records
14.1.4. 18.1.4 Privacy and protection of personally identifiable information
14.1.5. 18.1.5 Regulation of cryptographic controls
14.2. 18.2 Information security reviews
14.2.1. 18.2.1 Independent review of information security
14.2.2. 18.2.2 Compliance with security policies and standards
14.2.3. 18.2.3 Technical compliance review