Back to Public Maps
ISO/IEC 27002:2013
by Lisa Abshire 12/01/2015
ISO/IEC 27002:2013
by Lisa Abshire
1. A15 Supplier relationships
1.1. 15.1 Information security policy for supplier relationships
1.2. 15.2 Supplier service delivery management
2. A13 Communications security
2.1. 13.1 Network security management
2.1.1. 13.1.1 Network controls
2.1.2. 13.1.2 Security of network services
2.1.3. 13.1.3 Segregation in networks
2.2. 13.2 Information transfer
2.2.1. 13.2.1 Information transfer policies and procedures
2.2.2. 13.2.2 Agreement on information transfer
2.2.3. 13.2.3 Electronic messaging
3. A9 Access Control
3.1. 9.1 Business requirement for access control
3.1.1. 9.1.1 Access control policy
3.1.2. 9.1.2 Access to networks and network services
3.2. 9.2 User access management
3.2.1. 9.2.1 User registration and de-registration
3.2.2. 9.2.2 User access provisioning
3.2.3. 9.2.3 Management of privileged access rights
3.2.4. 9.2.4 Management of secret authentication information of users
3.2.5. 9.2.5 Review of user access rights
3.2.6. 9.2.6 Removal or adjustment of access rights
3.3. 9.3 User responsibilities
3.3.1. 9.3.1 Use of secret authentication information
3.4. 9.4 System and application access control
3.4.1. 9.4.1 Information access restriction
3.4.2. 9.4.2 Secure log-on procedures
3.4.3. 9.4.3 Password management system
3.4.4. 9.4.4 Use of privileged utility programs
3.4.5. 9.4.5 Access control to program source control
4. A14 System acquisition, development and maintenance
4.1. 14.1 Security requirements of information systems
4.1.1. 14.1.1 Information security requirements analysis and specification
4.1.2. 14.1.2 Securing application services on public networks
4.1.3. 14.1.3 Protecting application services transactions
4.2. 14.2 Security in development and support processes
4.2.1. 14.2.1 Secure development policy
4.2.2. 14.2.2 System change control procedures
4.2.3. 14.2.3 Technical review of applications after operating platform change
4.2.4. 14.2.4 Restrictions on changes to software packages
4.2.5. 14.2.5 Secure system engineering principles
4.2.6. 14.2.6 Securer development environment
4.2.7. 14.2.7 Outsourced development
4.2.8. 14.2.8 System security testing
4.2.9. 14.2.9 System acceptance testing
4.3. 14.3 Test data
4.3.1. 14.3.1 Protection of test data
5. A16 Information Security Incident Management
5.1. 16.1 Management of information security incidents and improvements
5.1.1. 16.1.1 Responsibilities and procedures
5.1.2. 16.1.2 Reporting information security events
5.1.3. 16.1.3 Reporting information security weaknesses
5.1.4. 16.1.4 Assessment of and decision on information security events
5.1.5. 16.1.5 Response to information security incidents
5.1.6. 16.1.6 Learning from information security incidents
5.1.7. 16.1.7 Collection of evidence
6. A17 Information security aspects of business continuity management
6.1. 17.1 Information security continuity
6.1.1. 17.1.1 Planning information security continuity
6.1.2. 17.1.2 Implementing information security continuity
6.1.3. 17.13 Verify, review and evaluate information security continuity
6.2. 17.2 Redundancies
6.2.1. 17.2.1 Availability of information processing facilities
7. A18 Compliance
7.1. 18.1 Compliance with legal and contractual requirements
7.1.1. 18.1.1 Identification of applicable legislation and contractual requirements
7.1.2. 18.1.2 Intellectual property rights (IPR)
7.1.3. 18.1.3 Protection of records
7.1.4. 18.1.4 Privacy and protection of personally identifiable information
7.1.5. 18.1.5 Regulation of cryptographic controls
7.2. 18.2 Information security reviews
7.2.1. 18.2.1 Independent review of information security
7.2.2. 18.2.2 Compliance with security policies and standards
7.2.3. 18.2.3 Technical compliance review
8. A.10 Cryptography
8.1. 10.1.1 Cryptographic controls
9. A5 Security Policy
9.1. 5.1 Management direction of information security
9.1.1. 5.1.1 Policies for information security
9.1.2. 5.1.2 Review of the information security policies
10. A6 Organization of Information Security
10.1. 6.1 Internal organization
10.1.1. 6.1.1 Information security roles and responsibilities
10.1.2. 6.1.2 Segregation of duties
10.1.3. 6.1.3 Contact with authorities
10.1.4. 6.1.4 Contact with special interest groups
10.1.5. 6.1.5 Information security in project management
10.2. 6.2 Mobile devices and networking
10.2.1. 6.2.1 Mobile device policy
10.2.2. 6.2.2 Teleworking
11. A8 Asset Management
11.1. 8.1 Responsibility for assets
11.1.1. 8.1.1 Inventory of assets
11.1.2. 8.1.2 Ownership of assets
11.1.3. 8.1.3 Acceptable use of assets
11.1.4. 8.1.4 Return of assets
11.2. 8.2 Information Classification
11.2.1. 8.2.1 Classification guidelines
11.2.2. 8.2.2 Labelling of information
11.2.3. 8.2.3 Handling of assets
11.3. 8.3 Media handling
11.3.1. 8.3.1 Management of removable media
11.3.2. 8.3.2 Disposal of media
11.3.3. A8.3.3 Physical media transfer
12. A7 Human Resources Security
12.1. 7.1 Prior to employment
12.1.1. 7.1.1 Screening
12.1.2. 7.1.2 Terms and conditions of employment
12.2. 7.2 During employment
12.2.1. 7.2.1 Management responsibilities
12.2.2. 7.2.2 Information security awareness, education, and training
12.2.3. 7.2.3 Disciplinary process
12.3. 7.3 Termination and change of employment
12.3.1. 7.3.1 Termination or change of employment responsibilities
13. A11 Physical and environmental security
13.1. 11.1 Secure areas
13.1.1. 11.1.1 Physical security perimeter
13.1.2. 11.1.2 Physical entry controls
13.1.3. 11.1.3 Securing offices, rooms, and facilities
13.1.4. 11.1.4 Protecting against external and environmental threats
13.1.5. 11.1.5 Working in secure areas
13.1.6. 11.1.6 Delivery and loading areas
13.2. 11.2 Equipment
13.2.1. 11.2.1 Equipment siting and protection
13.2.2. 11.2.2 Supporting utilities
13.2.3. 11.2.3 Cabling security
13.2.4. 11.2.4 Equipment maintenance
13.2.5. 11.2.5 Removal of assets
13.2.6. 11.2.6 Security of equipment and assets off-premises
13.2.7. 11.2.7 Secure disposal or reuse of equipment
13.2.8. 11.2.8 Unattended user equipment
13.2.9. 11.2.9 Clear desk and clear screen policy
14. A12 Operations security
14.1. 12.1 Operational procedures and responsibilities
14.1.1. 12.1.1 Documented operating procedures
14.1.2. 12.1.2 Change management
14.1.3. 12.1.3 Capacity management
14.1.4. 12.1.4 Separation of development, test, and operational facilities
14.2. 12.2 Protection from malware
14.2.1. 12.2.1 Controls against malware
14.3. 12.3 Backup
14.3.1. 12.3.1 Information backup
14.4. 12.4 Logging and monitoring
14.4.1. 12.4.1 Event logging
14.4.2. 12.4.2 Protection of log information
14.4.3. 12..4.3 Administrator and operator logs
14.4.4. 12.4.4 Clock synchronisation
14.5. 12.5 Control of operational software
14.5.1. 12.5.1 Installation of software on operational systems
14.6. 12.6 Technical vulnerability management
14.6.1. 12.6.1 Management of technical vulnerabilities
14.6.2. 12.6.2. Restrictions on software installation
