
1. A15 Supplier relationships
1.1. 15.1 Information security policy for supplier relationships
1.2. 15.2 Supplier service delivery management
2. A13 Communications security
2.1. 13.1 Network security management
2.1.1. 13.1.1 Network controls
2.1.2. 13.1.2 Security of network services
2.1.3. 13.1.3 Segregation in networks
2.2. 13.2 Information transfer
2.2.1. 13.2.1 Information transfer policies and procedures
2.2.2. 13.2.2 Agreement on information transfer
2.2.3. 13.2.3 Electronic messaging
3. A16 Information Security Incident Management
3.1. 16.1 Management of information security incidents and improvements
3.1.1. 16.1.1 Responsibilities and procedures
3.1.2. 16.1.2 Reporting information security events
3.1.3. 16.1.3 Reporting information security weaknesses
3.1.4. 16.1.4 Assessment of and decision on information security events
3.1.5. 16.1.5 Response to information security incidents
3.1.6. 16.1.6 Learning from information security incidents
3.1.7. 16.1.7 Collection of evidence
4. A17 Information security aspects of business continuity management
4.1. 17.1 Information security continuity
4.1.1. 17.1.1 Planning information security continuity
4.1.2. 17.1.2 Implementing information security continuity
4.1.3. 17.1.3 Verify, review and evaluate information security continuity
4.2. 17.2 Redundancies
4.2.1. 17.2.1 Availability of information processing facilities
5. A18 Compliance
5.1. 18.1 Compliance with legal and contractual requirements
5.1.1. 18.1.1 Identification of applicable legislation and contractual requirements
5.1.2. 18.1.2 Intellectual property rights (IPR)
5.1.3. 18.1.3 Protection of records
5.1.4. 18.1.4 Privacy and protection of personally identifiable information
5.1.5. 18.1.5 Regulation of cryptographic controls
5.2. 18.2 Information security reviews
5.2.1. 18.2.1 Independent review of information security
5.2.2. 18.2.2 Compliance with security policies and standards
5.2.3. 18.2.3 Technical compliance review
6. A10 Cryptography
6.1. 10.1.1 Cryptographic controls
7. A5 Security Policy
7.1. 5.1 Management direction of information security
7.1.1. 5.1.1 Policies for information security
7.1.2. 5.1.2 Review of the information security policies
8. A6 Organization of Information Security
8.1. 6.1 Internal organization
8.1.1. 6.1.1 Information security roles and responsibilities
8.1.2. 6.1.2 Segregation of duties
8.1.3. 6.1.3 Contact with authorities
8.1.4. 6.1.4 Contact with special interest groups
8.1.5. 6.1.5 Information security in project management
8.2. 6.2 Mobile devices and networking
8.2.1. 6.2.1 Mobile device policy
8.2.2. 6.2.2 Teleworking
9. A8 Asset Management
9.1. 8.1 Responsibility for assets
9.1.1. 8.1.1 Inventory of assets
9.1.2. 8.1.2 Ownership of assets
9.1.3. 8.1.3 Acceptable use of assets
9.1.4. 8.1.4 Return of assets
9.2. 8.2 Information Classification
9.2.1. 8.2.1 Classification guidelines
9.2.2. 8.2.2 Labelling of information
9.2.3. 8.2.3 Handling of assets
9.3. 8.3 Media handling
9.3.1. 8.3.1 Management of removable media
9.3.2. 8.3.2 Disposal of media
9.3.3. 8.3.3 Physical media transfer
10. A7 Human Resources Security
10.1. 7.1 Prior to employment
10.1.1. 7.1.1 Screening
10.1.2. 7.1.2 Terms and conditions of employment
10.2. 7.2 During employment
10.2.1. 7.2.1 Management responsibilities
10.2.2. 7.2.2 Information security awareness, education, and training
10.2.3. 7.2.3 Disciplinary process
10.3. 7.3 Termination and change of employment
10.3.1. 7.3.1 Termination or change of employment responsibilities
11. A11 Physical and environmental security
11.1. 11.1 Secure areas
11.1.1. 11.1.1 Physical security perimeter
11.1.2. 11.1.2 Physical entry controls
11.1.3. 11.1.3 Securing offices, rooms, and facilities
11.1.4. 11.1.4 Protecting against external and environmental threats
11.1.5. 11.1.5 Working in secure areas
11.1.6. 11.1.6 Delivery and loading areas
11.2. 11.2 Equipment
11.2.1. 11.2.1 Equipment siting and protection
11.2.2. 11.2.2 Supporting utilities
11.2.3. 11.2.3 Cabling security
11.2.4. 11.2.4 Equipment maintenance
11.2.5. 11.2.5 Removal of assets
11.2.6. 11.2.6 Security of equipment and assets off-premises
11.2.7. 11.2.7 Secure disposal or reuse of equipment
11.2.8. 11.2.8 Unattended user equipment
11.2.9. 11.2.9 Clear desk and clear screen policy
12. A12 Operations security
12.1. 12.1 Operational procedures and responsibilities
12.1.1. 12.1.1 Documented operating procedures
12.1.2. 12.1.2 Change management
12.1.3. 12.1.3 Capacity management
12.1.4. 12.1.4 Separation of development, test, and operational facilities
12.2. 12.2 Protection from malware
12.2.1. 12.2.1 Controls against malware
12.3. 12.3 Backup
12.3.1. 12.3.1 Information backup
12.4. 12.4 Logging and monitoring
12.4.1. 12.4.1 Event logging
12.4.2. 12.4.2 Protection of log information
12.4.3. 12.4.3 Administrator and operator logs
12.4.4. 12.4.4 Clock synchronisation
12.5. 12.5 Control of operational software
12.5.1. 12.5.1 Installation of software on operational systems
12.6. 12.6 Technical vulnerability management
12.6.1. 12.6.1 Management of technical vulnerabilities
12.6.2. 12.6.2 Restrictions on software installation
13. A9 Access Control
13.1. 9.1 Business requirement for access control
13.1.1. 9.1.1 Access control policy
13.1.2. 9.1.2 Access to networks and network services
13.2. 9.2 User access management
13.2.1. 9.2.1 User registration and de-registration
13.2.2. 9.2.2 User access provisioning
13.2.3. 9.2.3 Management of privileged access rights
13.2.4. 9.2.4 Management of secret authentication information of users
13.2.5. 9.2.5 Review of user access rights
13.2.6. 9.2.6 Removal or adjustment of access rights
13.3. 9.3 User responsibilities
13.3.1. 9.3.1 Use of secret authentication information
13.4. 9.4 System and application access control
13.4.1. 9.4.1 Information access restriction
13.4.2. 9.4.2 Secure log-on procedures
13.4.3. 9.4.3 Password management system
13.4.4. 9.4.4 Use of privileged utility programs
13.4.5. 9.4.5 Access control to program source code
14. A14 System acquisition, development and maintenance
14.1. 14.1 Security requirements of information systems
14.1.1. 14.1.1 Information security requirements analysis and specification
14.1.2. 14.1.2 Securing application services on public networks
14.1.3. 14.1.3 Protecting application services transactions
14.2. 14.2 Security in development and support processes
14.2.1. 14.2.1 Secure development policy
14.2.2. 14.2.2 System change control procedures
14.2.3. 14.2.3 Technical review of applications after operating platform change
14.2.4. 14.2.4 Restrictions on changes to software packages
14.2.5. 14.2.5 Secure system engineering principles
14.2.6. 14.2.6 Secure development environment
14.2.7. 14.2.7 Outsourced development
14.2.8. 14.2.8 System security testing
14.2.9. 14.2.9 System acceptance testing
14.3. 14.3 Test data
14.3.1. 14.3.1 Protection of test data