ISO/IEC 27002:2013

ISO/IEC 27002:2013 by Mind Map: ISO/IEC 27002:2013

1. A15 Supplier relationships

1.1. 15.1 Information security policy for supplier relationships

1.2. 15.2 Supplier service delivery management

2. A13 Communications security

2.1. 13.1 Network security management

2.1.1. 13.1.1 Network controls

2.1.2. 13.1.2 Security of network services

2.1.3. 13.1.3 Segregation in networks

2.2. 13.2 Information transfer

2.2.1. 13.2.1 Information transfer policies and procedures

2.2.2. 13.2.2 Agreement on information transfer

2.2.3. 13.2.3 Electronic messaging

3. A16 Information Security Incident Management

3.1. 16.1 Management of information security incidents and improvements

3.1.1. 16.1.1 Responsibilities and procedures

3.1.2. 16.1.2 Reporting information security events

3.1.3. 16.1.3 Reporting information security weaknesses

3.1.4. 16.1.4 Assessment of and decision on information security events

3.1.5. 16.1.5 Response to information security incidents

3.1.6. 16.1.6 Learning from information security incidents

3.1.7. 16.1.7 Collection of evidence

4. A17 Information security aspects of business continuity management

4.1. 17.1 Information security continuity

4.1.1. 17.1.1 Planning information security continuity

4.1.2. 17.1.2 Implementing information security continuity

4.1.3. 17.1.3 Verify, review and evaluate information security continuity

4.2. 17.2 Redundancies

4.2.1. 17.2.1 Availability of information processing facilities

5. A18 Compliance

5.1. 18.1 Compliance with legal and contractual requirements

5.1.1. 18.1.1 Identification of applicable legislation and contractual requirements

5.1.2. 18.1.2 Intellectual property rights (IPR)

5.1.3. 18.1.3 Protection of records

5.1.4. 18.1.4 Privacy and protection of personally identifiable information

5.1.5. 18.1.5 Regulation of cryptographic controls

5.2. 18.2 Information security reviews

5.2.1. 18.2.1 Independent review of information security

5.2.2. 18.2.2 Compliance with security policies and standards

5.2.3. 18.2.3 Technical compliance review

6. A10 Cryptography

6.1. 10.1 Cryptographic controls

7. A5 Security Policy

7.1. 5.1 Management direction of information security

7.1.1. 5.1.1 Policies for information security

7.1.2. 5.1.2 Review of the information security policies

8. A6 Organization of Information Security

8.1. 6.1 Internal organization

8.1.1. 6.1.1 Information security roles and responsibilities

8.1.2. 6.1.2 Segregation of duties

8.1.3. 6.1.3 Contact with authorities

8.1.4. 6.1.4 Contact with special interest groups

8.1.5. 6.1.5 Information security in project management

8.2. 6.2 Mobile devices and teleworking

8.2.1. 6.2.1 Mobile device policy

8.2.2. 6.2.2 Teleworking

9. A8 Asset Management

9.1. 8.1 Responsibility for assets

9.1.1. 8.1.1 Inventory of assets

9.1.2. 8.1.2 Ownership of assets

9.1.3. 8.1.3 Acceptable use of assets

9.1.4. 8.1.4 Return of assets

9.2. 8.2 Information Classification

9.2.1. 8.2.1 Classification of information

9.2.2. 8.2.2 Labelling of information

9.2.3. 8.2.3 Handling of assets

9.3. 8.3 Media handling

9.3.1. 8.3.1 Management of removable media

9.3.2. 8.3.2 Disposal of media

9.3.3. 8.3.3 Physical media transfer

10. A7 Human Resources Security

10.1. 7.1 Prior to employment

10.1.1. 7.1.1 Screening

10.1.2. 7.1.2 Terms and conditions of employment

10.2. 7.2 During employment

10.2.1. 7.2.1 Management responsibilities

10.2.2. 7.2.2 Information security awareness, education, and training

10.2.3. 7.2.3 Disciplinary process

10.3. 7.3 Termination and change of employment

10.3.1. 7.3.1 Termination or change of employment responsibilities

11. A11 Physical and environmental security

11.1. 11.1 Secure areas

11.1.1. 11.1.1 Physical security perimeter

11.1.2. 11.1.2 Physical entry controls

11.1.3. 11.1.3 Securing offices, rooms, and facilities

11.1.4. 11.1.4 Protecting against external and environmental threats

11.1.5. 11.1.5 Working in secure areas

11.1.6. 11.1.6 Delivery and loading areas

11.2. 11.2 Equipment

11.2.1. 11.2.1 Equipment siting and protection

11.2.2. 11.2.2 Supporting utilities

11.2.3. 11.2.3 Cabling security

11.2.4. 11.2.4 Equipment maintenance

11.2.5. 11.2.5 Removal of assets

11.2.6. 11.2.6 Security of equipment and assets off-premises

11.2.7. 11.2.7 Secure disposal or reuse of equipment

11.2.8. 11.2.8 Unattended user equipment

11.2.9. 11.2.9 Clear desk and clear screen policy

12. A12 Operations security

12.1. 12.1 Operational procedures and responsibilities

12.1.1. 12.1.1 Documented operating procedures

12.1.2. 12.1.2 Change management

12.1.3. 12.1.3 Capacity management

12.1.4. 12.1.4 Separation of development, testing and operational environments

12.2. 12.2 Protection from malware

12.2.1. 12.2.1 Controls against malware

12.3. 12.3 Backup

12.3.1. 12.3.1 Information backup

12.4. 12.4 Logging and monitoring

12.4.1. 12.4.1 Event logging

12.4.2. 12.4.2 Protection of log information

12.4.3. 12.4.3 Administrator and operator logs

12.4.4. 12.4.4 Clock synchronisation

12.5. 12.5 Control of operational software

12.5.1. 12.5.1 Installation of software on operational systems

12.6. 12.6 Technical vulnerability management

12.6.1. 12.6.1 Management of technical vulnerabilities

12.6.2. 12.6.2 Restrictions on software installation

13. A9 Access Control

13.1. 9.1 Business requirement for access control

13.1.1. 9.1.1 Access control policy

13.1.2. 9.1.2 Access to networks and network services

13.2. 9.2 User access management

13.2.1. 9.2.1 User registration and de-registration

13.2.2. 9.2.2 User access provisioning

13.2.3. 9.2.3 Management of privileged access rights

13.2.4. 9.2.4 Management of secret authentication information of users

13.2.5. 9.2.5 Review of user access rights

13.2.6. 9.2.6 Removal or adjustment of access rights

13.3. 9.3 User responsibilities

13.3.1. 9.3.1 Use of secret authentication information

13.4. 9.4 System and application access control

13.4.1. 9.4.1 Information access restriction

13.4.2. 9.4.2 Secure log-on procedures

13.4.3. 9.4.3 Password management system

13.4.4. 9.4.4 Use of privileged utility programs

13.4.5. 9.4.5 Access control to program source code

14. A14 System acquisition, development and maintenance

14.1. 14.1 Security requirements of information systems

14.1.1. 14.1.1 Information security requirements analysis and specification

14.1.2. 14.1.2 Securing application services on public networks

14.1.3. 14.1.3 Protecting application services transactions

14.2. 14.2 Security in development and support processes

14.2.1. 14.2.1 Secure development policy

14.2.2. 14.2.2 System change control procedures

14.2.3. 14.2.3 Technical review of applications after operating platform change

14.2.4. 14.2.4 Restrictions on changes to software packages

14.2.5. 14.2.5 Secure system engineering principles

14.2.6. 14.2.6 Secure development environment

14.2.7. 14.2.7 Outsourced development

14.2.8. 14.2.8 System security testing

14.2.9. 14.2.9 System acceptance testing

14.3. 14.3 Test data

14.3.1. 14.3.1 Protection of test data