ISO/IEC 27002:2013

by Lisa Abshire

1. A15 Supplier relationships

1.1. 15.1 Information security policy for supplier relationships

1.2. 15.2 Supplier service delivery management

2. A13 Communications security

2.1. 13.1 Network security management

2.1.1. 13.1.1 Network controls

2.1.2. 13.1.2 Security of network services

2.1.3. 13.1.3 Segregation in networks

2.2. 13.2 Information transfer

2.2.1. 13.2.1 Information transfer policies and procedures

2.2.2. 13.2.2 Agreement on information transfer

2.2.3. 13.2.3 Electronic messaging

3. A9 Access Control

3.1. 9.1 Business requirement for access control

3.1.1. 9.1.1 Access control policy

3.1.2. 9.1.2 Access to networks and network services

3.2. 9.2 User access management

3.2.1. 9.2.1 User registration and de-registration

3.2.2. 9.2.2 User access provisioning

3.2.3. 9.2.3 Management of privileged access rights

3.2.4. 9.2.4 Management of secret authentication information of users

3.2.5. 9.2.5 Review of user access rights

3.2.6. 9.2.6 Removal or adjustment of access rights

3.3. 9.3 User responsibilities

3.3.1. 9.3.1 Use of secret authentication information

3.4. 9.4 System and application access control

3.4.1. 9.4.1 Information access restriction

3.4.2. 9.4.2 Secure log-on procedures

3.4.3. 9.4.3 Password management system

3.4.4. 9.4.4 Use of privileged utility programs

3.4.5. 9.4.5 Access control to program source control

4. A14 System acquisition, development and maintenance

4.1. 14.1 Security requirements of information systems

4.1.1. 14.1.1 Information security requirements analysis and specification

4.1.2. 14.1.2 Securing application services on public networks

4.1.3. 14.1.3 Protecting application services transactions

4.2. 14.2 Security in development and support processes

4.2.1. 14.2.1 Secure development policy

4.2.2. 14.2.2 System change control procedures

4.2.3. 14.2.3 Technical review of applications after operating platform change

4.2.4. 14.2.4 Restrictions on changes to software packages

4.2.5. 14.2.5 Secure system engineering principles

4.2.6. 14.2.6 Securer development environment

4.2.7. 14.2.7 Outsourced development

4.2.8. 14.2.8 System security testing

4.2.9. 14.2.9 System acceptance testing

4.3. 14.3 Test data

4.3.1. 14.3.1 Protection of test data

5. A16 Information Security Incident Management

5.1. 16.1 Management of information security incidents and improvements

5.1.1. 16.1.1 Responsibilities and procedures

5.1.2. 16.1.2 Reporting information security events

5.1.3. 16.1.3 Reporting information security weaknesses

5.1.4. 16.1.4 Assessment of and decision on information security events

5.1.5. 16.1.5 Response to information security incidents

5.1.6. 16.1.6 Learning from information security incidents

5.1.7. 16.1.7 Collection of evidence

6. A17 Information security aspects of business continuity management

6.1. 17.1 Information security continuity

6.1.1. 17.1.1 Planning information security continuity

6.1.2. 17.1.2 Implementing information security continuity

6.1.3. 17.13 Verify, review and evaluate information security continuity

6.2. 17.2 Redundancies

6.2.1. 17.2.1 Availability of information processing facilities

7. A18 Compliance

7.1. 18.1 Compliance with legal and contractual requirements

7.1.1. 18.1.1 Identification of applicable legislation and contractual requirements

7.1.2. 18.1.2 Intellectual property rights (IPR)

7.1.3. 18.1.3 Protection of records

7.1.4. 18.1.4 Privacy and protection of personally identifiable information

7.1.5. 18.1.5 Regulation of cryptographic controls

7.2. 18.2 Information security reviews

7.2.1. 18.2.1 Independent review of information security

7.2.2. 18.2.2 Compliance with security policies and standards

7.2.3. 18.2.3 Technical compliance review

8. A.10 Cryptography

8.1. 10.1.1 Cryptographic controls

9. A5 Security Policy

9.1. 5.1 Management direction of information security

9.1.1. 5.1.1 Policies for information security

9.1.2. 5.1.2 Review of the information security policies

10. A6 Organization of Information Security

10.1. 6.1 Internal organization

10.1.1. 6.1.1 Information security roles and responsibilities

10.1.2. 6.1.2 Segregation of duties

10.1.3. 6.1.3 Contact with authorities

10.1.4. 6.1.4 Contact with special interest groups

10.1.5. 6.1.5 Information security in project management

10.2. 6.2 Mobile devices and networking

10.2.1. 6.2.1 Mobile device policy

10.2.2. 6.2.2 Teleworking

11. A8 Asset Management

11.1. 8.1 Responsibility for assets

11.1.1. 8.1.1 Inventory of assets

11.1.2. 8.1.2 Ownership of assets

11.1.3. 8.1.3 Acceptable use of assets

11.1.4. 8.1.4 Return of assets

11.2. 8.2 Information Classification

11.2.1. 8.2.1 Classification guidelines

11.2.2. 8.2.2 Labelling of information

11.2.3. 8.2.3 Handling of assets

11.3. 8.3 Media handling

11.3.1. 8.3.1 Management of removable media

11.3.2. 8.3.2 Disposal of media

11.3.3. A8.3.3 Physical media transfer

12. A7 Human Resources Security

12.1. 7.1 Prior to employment

12.1.1. 7.1.1 Screening

12.1.2. 7.1.2 Terms and conditions of employment

12.2. 7.2 During employment

12.2.1. 7.2.1 Management responsibilities

12.2.2. 7.2.2 Information security awareness, education, and training

12.2.3. 7.2.3 Disciplinary process

12.3. 7.3 Termination and change of employment

12.3.1. 7.3.1 Termination or change of employment responsibilities

13. A11 Physical and environmental security

13.1. 11.1 Secure areas

13.1.1. 11.1.1 Physical security perimeter

13.1.2. 11.1.2 Physical entry controls

13.1.3. 11.1.3 Securing offices, rooms, and facilities

13.1.4. 11.1.4 Protecting against external and environmental threats

13.1.5. 11.1.5 Working in secure areas

13.1.6. 11.1.6 Delivery and loading areas

13.2. 11.2 Equipment

13.2.1. 11.2.1 Equipment siting and protection

13.2.2. 11.2.2 Supporting utilities

13.2.3. 11.2.3 Cabling security

13.2.4. 11.2.4 Equipment maintenance

13.2.5. 11.2.5 Removal of assets

13.2.6. 11.2.6 Security of equipment and assets off-premises

13.2.7. 11.2.7 Secure disposal or reuse of equipment

13.2.8. 11.2.8 Unattended user equipment

13.2.9. 11.2.9 Clear desk and clear screen policy

14. A12 Operations security

14.1. 12.1 Operational procedures and responsibilities

14.1.1. 12.1.1 Documented operating procedures

14.1.2. 12.1.2 Change management

14.1.3. 12.1.3 Capacity management

14.1.4. 12.1.4 Separation of development, test, and operational facilities

14.2. 12.2 Protection from malware

14.2.1. 12.2.1 Controls against malware

14.3. 12.3 Backup

14.3.1. 12.3.1 Information backup

14.4. 12.4 Logging and monitoring

14.4.1. 12.4.1 Event logging

14.4.2. 12.4.2 Protection of log information

14.4.3. 12..4.3 Administrator and operator logs

14.4.4. 12.4.4 Clock synchronisation

14.5. 12.5 Control of operational software

14.5.1. 12.5.1 Installation of software on operational systems

14.6. 12.6 Technical vulnerability management

14.6.1. 12.6.1 Management of technical vulnerabilities

14.6.2. 12.6.2. Restrictions on software installation