CYBERINFO

Controls

Organizational controls (37)
Organizational 5.1: Information Security Policies
This control requires the definition, approval, and communication of a high-level information security policy and t
Organizational 5.2: Information Security Roles and Responsibilities
This control requires the definition and allocation of information security roles and responsibilities within the o
Organizational 5.3: Segregation of Duties
This control ensures that conflicting duties and areas of responsibility are separated to reduce the risk of unauth
Organizational 5.4: Management Responsibilities
This control requires management to ensure that all personnel apply information security in accordance with the est
Organizational 5.5: Contact with Authorities
The organization must maintain appropriate contacts with relevant authorities to ensure that information can be exc
Organizational 5.6: Contact with Special Interest Groups
This control encourages participation in professional security forums, industry groups, and specialist associations
Organizational 5.7: Threat Intelligence
This control requires the organization to collect and analyze information regarding information security threats. B
Organizational 5.8: Information Security in Project Management
Information security must be integrated into project management practices regardless of the nature of the project.
Organizational 5.9: Inventory of Information and Other Associated Assets
The organization must identify its information and other associated assets and maintain an inventory of these asset
Organizational 5.10: Acceptable Use of Information and Other Associated Assets
Rules for the acceptable use of information and other associated assets must be identified, documented, and impleme
Organizational 5.11: Return of Assets
Personnel and other interested parties must return all the organization's assets in their possession upon terminati
Organizational 5.12: Classification of Information
The organization must classify information according to its security requirements based on confidentiality, integri
Organizational 5.13: Labelling of Information
An appropriate set of procedures for information labelling should be developed and implemented in accordance with t
Organizational 5.14: Information Transfer
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities withi
Organizational 5.15: Access Control
Rules to control physical and logical access to information and other associated assets should be established and i
Organizational 5.16: Identity Management
The full life cycle of identities should be managed, including the identification, authentication, and authorizatio
Organizational 5.17: Authentication Information
The allocation and management of authentication information should be controlled by a formal management process. Th
Organizational 5.18: Access Rights
Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in
Organizational 5.19: Information Security in Supplier Relationships
Processes and agreed requirements should be defined and implemented to mitigate the risks associated with the suppl
Organizational 5.20: Addressing Information Security Within Supplier Agreements
The organization should establish and agree on relevant information security requirements with each supplier that m
Organizational 5.21: Managing Information Security in the ICT Supply Chain
The organization should define and implement processes to manage the risks associated with the Information and Comm
Organizational 5.22: Monitoring, Review and Change Management of Supplier Services
The organization should regularly monitor, review, and audit supplier service delivery. This ensures that the infor
Organizational 5.23: Information Security for Use of Cloud Services
Processes for acquisition, use, management, and exit from cloud services should be established in accordance with t
Organizational 5.24: Information Security Incident Management Planning and Preparation
The organization should plan and prepare for information security incident management by defining, establishing, an
Organizational 5.25: Assessment and Decision on Information Security Events
The organization should assess information security events and decide whether they should be categorized as informa
Organizational 5.26: Response to Information Security Incidents
Information security incidents should be responded to in accordance with the established procedures. This phase foc
Organizational 5.27: Learning from Information Security Incidents
Knowledge gained from information security incidents should be used to strengthen and improve the information secur
Organizational 5.28: Collection of Evidence
The organization should establish and implement procedures for the identification, collection, acquisition, and pre
Organizational 5.29: Information Security During Disruption
The organization should plan how to maintain information security at an appropriate level during a disruption. Secu
Organizational 5.30: ICT Readiness for Business Continuity
Information and Communication Technology (ICT) readiness should be planned, implemented, maintained, and tested bas
Organizational 5.31: Legal, Statutory, Regulatory and Contractual Requirements
The organization should identify and document all relevant legal, statutory, regulatory, and contractual requiremen
Organizational 5.32: Intellectual Property Rights
The organization should implement appropriate procedures to protect intellectual property rights. This ensures that
Organizational 5.33: Protection of Records
Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release, i
Organizational 5.34: Privacy and Protection of PII
The organization should identify and meet the requirements regarding the preservation of privacy and protection of
Organizational 5.35: Independent Review of Information Security
The organization's approach to managing information security and its implementation (e.g., control objectives, cont
Organizational 5.36: Compliance with Policies, Rules and Standards for Information Security
Managers should regularly review the compliance of information processing and procedures within their area of respo
Organizational 5.37: Documented Operating Procedures
Operating procedures for information processing facilities should be documented and made available to personnel who
Physical controls (14)
Physical 7.1: Physical Security Perimeters
Physical security perimeters should be defined and used to protect areas that contain information and other associa
Physical 7.2: Physical Entry Controls
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed
Physical 7.3: Securing Offices, Rooms and Facilities
Physical security for offices, rooms, and facilities should be designed and implemented to prevent unauthorized acc
Physical 7.4: Physical Security Monitoring
The organization should continuously monitor physical areas for unauthorized access or suspicious activity. This in
Physical 7.5: Protecting Against Physical and Environmental Threats
Protection against natural disasters, malicious attacks, or accidents should be designed and implemented. This cove
Physical 7.6: Working in Secure Areas
Procedures for working in secure areas should be designed and implemented. This ensures that personnel follow speci
Physical 7.7: Clear Desk and Clear Screen
A clear desk policy for papers and removable storage media and a clear screen policy for information processing fac
Physical 7.8: Equipment Siting and Protection
Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportuniti
Physical 7.9: Security of Assets Off-Premises
Off-premises assets should be protected, considering the different risks of working outside the organization's prem
Physical 7.10: Storage Media
Storage media should be managed throughout their lifecycle of acquisition, use, transportation, and disposal in acc
Physical 7.11: Supporting Utilities
Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
Physical 7.12: Cabling Security
Power and telecommunications cabling carrying data or supporting information services should be protected from inte
Physical 7.13: Equipment Maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity. Regular servicing and
Physical 7.14: Secure Disposal or Re-Use of Equipment
Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed softw
Technological controls (34)
Technological 8.1: User Endpoint Devices
Information stored on, processed by, or accessible via user endpoint devices should be protected. This ensures that
Technological 8.2: Privileged Access Rights
The allocation and use of privileged access rights should be restricted and managed. This ensures that administrati
Technological 8.3: Information Access Restriction
Access to information and other associated assets should be restricted in accordance with the established topic-spe
Technological 8.4: Access to Source Code
Read and write access to source code, development tools, and software libraries should be appropriately managed. Th
Technological 8.5: Secure Authentication
Secure authentication technologies and procedures should be implemented based on information access restrictions an
Technological 8.6: Capacity Management
The use of resources should be monitored and adjusted in line with current and expected capacity requirements. This
Technological 8.7: Protection Against Malware
Protection against malware should be implemented and supported by appropriate user awareness. This involves a multi
Technological 8.8: Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems in use should be obtained, the organization's ex
Technological 8.9: Configuration Management
Configurations, including security configurations, of hardware, software, services, and networks should be establis
Technological 8.10: Information Deletion
Information stored in information systems, devices, or any other storage media should be deleted when no longer req
Technological 8.11: Data Masking
Data masking should be used in accordance with the organization's topic-specific policy on access control and other
Technological 8.12: Data Leakage Prevention
Data leakage prevention (DLP) measures should be applied to systems, networks and any other devices that process, s
Technological 8.13: Information Backup
Backup copies of information, software and system images should be maintained and regularly tested in accordance wi
Technological 8.14: Redundancy of Information Processing Facilities
Information processing facilities should be implemented with redundancy sufficient to meet availability requirement
Technological 8.15: Logging
Logs that record activities, exceptions, faults and other relevant events should be produced, kept and periodically
Technological 8.16: Monitoring Activities
Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to eval
Technological 8.17: Clock Synchronization
The clocks of all relevant information processing systems within an organization or security domain should be synch
Technological 8.18: Use of Privileged Utility Programs
The use of utility programs that can be capable of overriding system and application controls should be restricted
Technological 8.19: Installation of Software on Operational Systems
Procedures and measures should be implemented to securely manage the installation of software on operational system
Technological 8.20: Network Security
Networks and network devices should be secured, managed and controlled to protect information in systems and applic
Technological 8.21: Security of Network Services
Security mechanisms, service levels and management requirements of all network services should be identified, imple
Technological 8.22: Segregation of Networks
Groups of information services, users and information systems should be segregated on networks. This limits the bla
Technological 8.23: Web Filtering
Access to external websites should be managed to reduce exposure to malicious content and ensure that the use of th
Technological 8.24: Use of Cryptography
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemen
Technological 8.25: Secure Development Life Cycle
Rules for the secure development of software and systems should be established and applied. This ensures that secur
Technological 8.26: Application Security Requirements
Information security requirements should be identified, specified and approved when developing or acquiring applica
Technological 8.27: Secure System Architecture and Engineering Principles
Principles for engineering secure systems should be established, documented, maintained and applied to any informat
Technological 8.28: Secure Coding
Secure coding principles should be applied to software development. This reduces the number of security vulnerabili
Technological 8.29: Security Testing in Development and Acceptance
Security testing activities should be defined and implemented in the development life cycle. This involves verifyin
Technological 8.30: Outsourced Development
The organization should direct, monitor and review the activities related to outsourced system development. This en
Technological 8.31: Separation of Development, Test and Production Environments
Development, testing and production environments should be separated and secured to reduce the risks of unauthorize
Technological 8.32: Change Management
Changes to information processing facilities and systems should be subject to change management procedures. This en
Technological 8.33: Test Data
Test data should be selected, protected and managed appropriately. This ensures that the testing process does not i
Technological 8.34: Protection of Information Systems During Audit Testing
Audit requirements and activities involving checks on operational systems should be planned and agreed between the