
1. Operational Security
1.1. Operational procedures and responsibilities
1.1.1. Documented operating procedures
1.1.2. Change management
1.1.3. Capacity management
1.1.4. Separation of development, testing and operational environments
1.2. Protection from malware
1.2.1. Controls against malware
1.3. Backup
1.3.1. Information backup
1.4. Logging and monitoring
1.4.1. Event Logging
1.4.2. Protection of log information
1.4.3. Administrator and operator logs
1.4.4. Clock synchronisation
1.5. Control of operational software
1.5.1. Installation of software on operational systems
1.6. Technical Vulnerability Management
1.6.1. Control of technical vulnerabilities
1.6.2. Restriction on software installation
1.7. Information systems audit controls
1.7.1. Audit controls
2. Communications security
2.1. Network security management
2.1.1. Network controls
2.1.2. Security of network services
2.1.3. Segregation of networks
2.2. Information transfer
2.2.1. Information transfer policies and procedures
2.2.2. Agreements on information transfer
2.2.3. Electronic messaging
2.2.4. Confidentiality or non-disclosure agreements
3. System Acquisition development and maintenance
3.1. Security requirements of information systems
3.1.1. Info Sec requirements analysis and specification
3.1.2. Securing application services on public networks
3.1.3. Protecting application services transactions
3.2. Security in development and support processes
3.2.1. Secure development policy
3.2.2. System change control procedures
3.2.3. Technical review of applications after operating platform changes
3.2.4. Restrictions on changes to software packages
3.2.5. Secure system engineering principles
3.2.6. Secure development environment
3.2.7. Outsourced software development
3.2.8. System security testing
3.2.9. System acceptance testing
3.3. Test data
3.3.1. Protection of system test data
3.4. Test data
4. Supplier relationships
4.1. Information security in supplier relationships
4.1.1. Information security in supplier relationships
4.1.2. Addressing security within supplier agreements
4.1.3. Information and communication technology supply chain
4.2. Supplier service delivery management
4.2.1. Monitoring and review of supplier services
4.2.2. Managing changes to supplier services
5. Information security aspects of business continuity management
5.1. Information security continuity
5.1.1. Planning of Info Sec Continuity
5.1.2. Implementing Info Sec Continuity
5.1.3. Verify, Review and evaluate information security continuity
5.2. Redundancies
5.2.1. Availability of information processing facilities
6. Compliance
6.1. Compliance with legal and contractual requirements
6.1.1. Identification of applicable legislation and contractual requirements
6.1.2. Intellectual property rights
6.1.3. Protection of records
6.1.4. Privacy and protection of personally identifiable information
6.1.5. Regulation of cryptographic controls
6.2. Information security reviews
6.2.1. Independent review of information security
6.2.2. Compliance with security policies and standards
6.2.3. Technical compliance review
6.3. Information security reviews
7. Information Security Policies
7.1. Policies of Information security
7.2. Review of Policies
8. Organisation of Information Security
8.1. Internal Organization
8.1.1. Information Security Roles and Responsibilities
8.1.2. Segregation of Duties
8.1.3. Contact with Authorities
8.1.4. Contact with Special interest groups
8.1.5. Information security in Project management
8.2. Mobile devices and teleworking
8.2.1. Mobile device policy
8.2.2. Teleworking
9. Human Resource Security
9.1. Prior to employment
9.1.1. Screening
9.1.2. Terms and Conditions of Employment
9.2. During employment
9.2.1. Management responsibilities
9.2.2. Information security awareness, education and training
9.3. Termination and change of employment
9.3.1. Responsibilities of change/termination
10. Asset Management
10.1. Responsibility for assets
10.1.1. Inventory of assets
10.1.2. Ownership of assets
10.1.3. Acceptable use of assets
10.1.4. Return of assets
10.2. Information classification
10.2.1. Classification of information
10.2.2. Labeling of information
10.2.3. Handling of assets
10.3. Media handling
10.3.1. Management of removable media
10.3.2. Disposal of media
10.3.3. Physical media transfer
11. Access Control
11.1. Business requirements of access control
11.1.1. Access control policy
11.1.2. Access to networks and network services
11.2. User access management
11.2.1. User registration and de-registration
11.2.2. User access provisioning
11.2.3. Management of privileged access rights
11.2.4. Management of secret authentication information of users
11.2.5. Review of user access rights
11.2.6. Removal or adjustment of access rights
11.3. User responsibilities
11.3.1. Use of secret authentication information
11.4. System and application access control
11.4.1. Information access restriction
11.4.2. Secure logon procedures
11.4.3. Password management system
11.4.4. Use of privileged utility programs
11.4.5. Access control to program source code
12. Cryptography
12.1. Cryptographic controls
12.1.1. Policy on the use of Cryptographic controls
12.1.2. Key management
13. Physical and Environmental Security
13.1. Secure Areas
13.1.1. Physical security perimeter
13.1.2. Physical entry controls
13.1.3. Securing offices, rooms and facilities
13.1.4. Protecting against external and environmental attacks
13.1.5. Working in secure areas
13.1.6. Delivery and loading areas
13.2. Equipment
13.2.1. Equipment siting and protection
13.2.2. Supporting utilities
13.2.3. Cabling security
13.2.4. Equipment maintenance
13.2.5. Removal of assets
13.2.6. Security of equipment and assets off-premises
13.2.7. Secure disposal or re-use of equipment
13.2.8. Unattended user equipment
13.2.9. Clear desk and Clear screen policy
14. Information Security incident management
14.1. Management of information security incidents and improvements
14.1.1. Responsibilities and procedures
14.1.2. Reporting
14.1.2.1. Events
14.1.2.2. Weaknesses
14.1.3. Assessment of and decision on information security events
14.1.4. Response to information security incidents
14.1.5. Learning from information security Incidents
14.1.6. Collection of evidence