CYBERINFO

Controls (ISO/IEC 27001:2022 Annex A, as detailed in ISO/IEC 27002:2022)

Organizational controls

5.1
Information Security Policies
This control requires the definition, approval, and communication of a high-level information security policy and topic-
5.2
Information Security Roles and Responsibilities
This control requires the definition and allocation of information security roles and responsibilities within the organi
5.3
Segregation of Duties
This control ensures that conflicting duties and areas of responsibility are separated to reduce the risk of unauthorize
5.4
Management Responsibilities
This control requires management to ensure that all personnel apply information security in accordance with the establis
5.5
Contact with Authorities
The organization must maintain appropriate contacts with relevant authorities to ensure that information can be exchange
5.6
Contact with Special Interest Groups
This control encourages participation in professional security forums, industry groups, and specialist associations. Sta
5.7
Threat Intelligence
This control requires the organization to collect and analyze information regarding information security threats. By mai
5.8
Information Security in Project Management
Information security must be integrated into project management practices regardless of the nature of the project. This
5.9
Inventory of Information and Other Associated Assets
The organization must identify its information and other associated assets and maintain an inventory of these assets. Yo
5.10
Acceptable Use of Information and Other Associated Assets
Rules for the acceptable use of information and other associated assets must be identified, documented, and implemented.
5.11
Return of Assets
Personnel and other interested parties must return all the organization's assets in their possession upon termination of
5.12
Classification of Information
The organization must classify information according to its security requirements based on confidentiality, integrity, a
5.13
Labelling of Information
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the in
5.14
Information Transfer
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the
5.15
Access Control
Rules to control physical and logical access to information and other associated assets should be established and implem
5.16
Identity Management
The full life cycle of identities should be managed, including the identification, authentication, and authorization of
5.17
Authentication Information
The allocation and management of authentication information should be controlled by a formal management process. This en
5.18
Access Rights
Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accor
5.19
Information Security in Supplier Relationships
Processes and agreed requirements should be defined and implemented to mitigate the risks associated with the supplier's
5.20
Addressing Information Security Within Supplier Agreements
The organization should establish and agree on relevant information security requirements with each supplier that may ac
5.21
Managing Information Security in the ICT Supply Chain
The organization should define and implement processes to manage the risks associated with the Information and Communica
5.22
Monitoring, Review and Change Management of Supplier Services
The organization should regularly monitor, review, and audit supplier service delivery. This ensures that the informatio
5.23
Information Security for Use of Cloud Services
Processes for acquisition, use, management, and exit from cloud services should be established in accordance with the or
5.24
Information Security Incident Management Planning and Preparation
The organization should plan and prepare for information security incident management by defining, establishing, and com
5.25
Assessment and Decision on Information Security Events
The organization should assess information security events and decide whether they should be categorized as information
5.26
Response to Information Security Incidents
Information security incidents should be responded to in accordance with the established procedures. This phase focuses
5.27
Learning from Information Security Incidents
Knowledge gained from information security incidents should be used to strengthen and improve the information security c
5.28
Collection of Evidence
The organization should establish and implement procedures for the identification, collection, acquisition, and preserva
5.29
Information Security During Disruption
The organization should plan how to maintain information security at an appropriate level during a disruption. Security
5.30
ICT Readiness for Business Continuity
Information and Communication Technology (ICT) readiness should be planned, implemented, maintained, and tested based on
5.31
Legal, Statutory, Regulatory and Contractual Requirements
The organization should identify and document all relevant legal, statutory, regulatory, and contractual requirements re
5.32
Intellectual Property Rights
The organization should implement appropriate procedures to protect intellectual property rights. This ensures that both
5.33
Protection of Records
Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release, in acc
5.34
Privacy and Protection of PII
The organization should identify and meet the requirements regarding the preservation of privacy and protection of perso
5.35
Independent Review of Information Security
The organization's approach to managing information security and its implementation (e.g., control objectives, controls,
5.36
Compliance with Policies, Rules and Standards for Information Security
Managers should regularly review the compliance of information processing and procedures within their area of responsibi
5.37
Documented Operating Procedures
Operating procedures for information processing facilities should be documented and made available to personnel who need

People controls

6.1
Screening
Background verification checks on all candidates for employment should be carried out prior to joining the organization.
6.2
Terms and Conditions of Employment
Contractual agreements with employees and contractors should state their responsibilities for information security. This
6.3
Information Security Awareness, Education and Training
Personnel and relevant interested parties should receive appropriate information security awareness, education, and trai
6.4
Disciplinary Process
A formal and communicated disciplinary process should be in place to take action against personnel who have committed an
6.5
Responsibilities After Termination or Change of Employment
Information security responsibilities and duties that remain valid after termination or change of employment should be d
6.6
Confidentiality or Non-Disclosure Agreements
Confidentiality or non-disclosure agreements (NDAs) reflecting the organization's needs for the protection of informatio
6.7
Remote Working
Security measures should be implemented when personnel are working remotely to protect information accessed, processed,
6.8
Information Security Event Reporting
Personnel and contractors should be required to report any observed or suspected information security events through app

Physical controls

7.1
Physical Security Perimeters
Physical security perimeters should be defined and used to protect areas that contain information and other associated a
7.2
Physical Entry Controls
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed acce
7.3
Securing Offices, Rooms and Facilities
Physical security for offices, rooms, and facilities should be designed and implemented to prevent unauthorized access,
7.4
Physical Security Monitoring
The organization should continuously monitor physical areas for unauthorized access or suspicious activity. This involve
7.5
Protecting Against Physical and Environmental Threats
Protection against natural disasters, malicious attacks, or accidents should be designed and implemented. This covers fi
7.6
Working in Secure Areas
Procedures for working in secure areas should be designed and implemented. This ensures that personnel follow specific s
7.7
Clear Desk and Clear Screen
A clear desk policy for papers and removable storage media and a clear screen policy for information processing faciliti
7.8
Equipment Siting and Protection
Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities fo
7.9
Security of Assets Off-Premises
Off-premises assets should be protected, considering the different risks of working outside the organization's premises.
7.10
Storage Media
Storage media should be managed throughout their lifecycle of acquisition, use, transportation, and disposal in accordan
7.11
Supporting Utilities
Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. This
7.12
Cabling Security
Power and telecommunications cabling carrying data or supporting information services should be protected from intercept
7.13
Equipment Maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity. Regular servicing and proac
7.14
Secure Disposal or Re-Use of Equipment
Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software h

Technological controls

8.1
User Endpoint Devices
Information stored on, processed by, or accessible via user endpoint devices should be protected. This ensures that lapt
8.2
Privileged Access Rights
The allocation and use of privileged access rights should be restricted and managed. This ensures that administrative po
8.3
Information Access Restriction
Access to information and other associated assets should be restricted in accordance with the established topic-specific
8.4
Access to Source Code
Read and write access to source code, development tools, and software libraries should be appropriately managed. This pr
8.5
Secure Authentication
Secure authentication technologies and procedures should be implemented based on information access restrictions and the
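Control 5.17 (Authentication Information) and control 8.5 (Secure Authentication) both come down to how secrets are stored and checked. The following is an added example, not code from the page or from any standard: it stores passwords as salted scrypt hashes, verifies them with a constant-time comparison, and detects records whose cost parameters have fallen behind current policy so they can be upgraded at the next successful login. The record format, the scrypt parameters and the 16-byte salt are assumptions chosen for the example.

```python
"""Added example (not from the page): password storage and verification.

Assumptions (all chosen for this example): scrypt with N=2**14, r=8, p=1,
a random 16-byte salt per record, and a record layout of
"scrypt$<N>$<r>$<p>$<salt_hex>$<hash_hex>" so parameters travel with the hash.
"""
import hashlib
import hmac
import secrets

# Current cost policy. Raising these later does not break old records:
# needs_rehash() spots them and the caller re-hashes after a successful login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record; a fresh salt means equal passwords
    produce different records, so a leaked table cannot be attacked in bulk."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=DKLEN)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when any stored cost parameter is below the current policy."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    stored = (int(parts[1]), int(parts[2]), int(parts[3]))
    return any(s < cur for s, cur in zip(stored, (SCRYPT_N, SCRYPT_R, SCRYPT_P)))
```

Two points a practitioner should take from this: the cost parameters are stored alongside the hash so they can be raised without a migration, and the comparison is constant-time so a verification endpoint does not leak partial matches through timing.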
8.6
Capacity Management
The use of resources should be monitored and adjusted in line with current and expected capacity requirements. This ensu
8.7
Protection Against Malware
Protection against malware should be implemented and supported by appropriate user awareness. This involves a multi-laye
8.8
Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposur
8.9
Configuration Management
Configurations, including security configurations, of hardware, software, services, and networks should be established,
8.10
Information Deletion
Information stored in information systems, devices, or any other storage media should be deleted when no longer required
8.11
Data Masking
Data masking should be used in accordance with the organization's topic-specific policy on access control and other rela
8.12
Data Leakage Prevention
Data leakage prevention (DLP) measures should be applied to systems, networks and any other devices that process, store
8.13
Information Backup
Backup copies of information, software and system images should be maintained and regularly tested in accordance with th
8.14
Redundancy of Information Processing Facilities
Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. Th
8.15
Logging
Logs that record activities, exceptions, faults and other relevant events should be produced, kept and periodically revi
8.16
Monitoring Activities
Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate
8.17
Clock Synchronization
The clocks of all relevant information processing systems within an organization or security domain should be synchroniz
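Controls 8.15 (Logging), 8.16 (Monitoring Activities) and 8.17 (Clock Synchronization) are closely linked: a log review can only correlate events across systems if their timestamps are comparable. The following is an added example, not code from the page: it parses constructed authentication log lines from two hosts that stamp time with different UTC offsets, normalises them to UTC before ordering, and flags a burst of failed logins followed by a success from the same source. The line format, the host names, the addresses and the threshold (five failures within 120 seconds) are all assumptions invented for the example.

```python
"""Added example (not from the page): correlating logs across hosts and
flagging a brute-force pattern.

Constructed sample data: the log lines below are invented for this example.
Assumed line format: "<ISO-8601 timestamp with offset> <host> <event> user=<u> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth_fail|auth_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# web1 logs in local time (+02:00), web2 in UTC. Read as written, the lines
# look out of order; normalised to UTC they interleave minute by minute.
SAMPLE_LOGS = """\
2024-05-01T10:00:01+02:00 web1 auth_fail user=alice src=203.0.113.7
2024-05-01T08:00:20+00:00 web2 auth_fail user=alice src=203.0.113.7
2024-05-01T10:00:45+02:00 web1 auth_fail user=alice src=203.0.113.7
2024-05-01T08:01:10+00:00 web2 auth_fail user=alice src=203.0.113.7
2024-05-01T10:01:30+02:00 web1 auth_fail user=alice src=203.0.113.7
2024-05-01T08:01:50+00:00 web2 auth_ok user=alice src=203.0.113.7
2024-05-01T10:30:00+02:00 web1 auth_fail user=bob src=198.51.100.9
2024-05-01T11:00:00+02:00 web1 auth_ok user=bob src=198.51.100.9
"""


def parse_line(line):
    """Return a dict for one log line, with the timestamp converted to an
    aware UTC datetime, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
    return ev


def parse_logs(text):
    """Parse every line and order events by their UTC time, not by source."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=120)):
    """Flag an auth_ok preceded by >= threshold auth_fail events for the same
    (user, source) inside the window. Failures are cleared on each success so
    a single old failure never counts toward a later burst."""
    failures = defaultdict(list)  # (user, src) -> UTC timestamps of failures
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["event"] == "auth_fail":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "user": ev["user"], "src": ev["src"], "failures": len(recent),
                "first_failure": recent[0].isoformat(),
                "success": ev["ts"].isoformat(),
            })
        failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

The design point is the normalisation step in parse_line: if the two hosts' clocks were not synchronised (or the offset were not recorded), the same five failures would be spread across an apparently longer interval and the detection would miss them, which is why 8.17 is a precondition for 8.16.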
8.18
Use of Privileged Utility Programs
The use of utility programs that can be capable of overriding system and application controls should be restricted and t
8.19
Installation of Software on Operational Systems
Procedures and measures should be implemented to securely manage the installation of software on operational systems. Th
8.20
Network Security
Networks and network devices should be secured, managed and controlled to protect information in systems and application
8.21
Security of Network Services
Security mechanisms, service levels and management requirements of all network services should be identified, implemente
8.22
Segregation of Networks
Groups of information services, users and information systems should be segregated on networks. This limits the blast ra
8.23
Web Filtering
Access to external websites should be managed to reduce exposure to malicious content and ensure that the use of the int
8.24
Use of Cryptography
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
8.25
Secure Development Life Cycle
Rules for the secure development of software and systems should be established and applied. This ensures that security i
8.26
Application Security Requirements
Information security requirements should be identified, specified and approved when developing or acquiring applications
8.27
Secure System Architecture and Engineering Principles
Principles for engineering secure systems should be established, documented, maintained and applied to any information s
8.28
Secure Coding
Secure coding principles should be applied to software development. This reduces the number of security vulnerabilities
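The most common illustration of control 8.28 is the difference between building a query from user input and passing that input as a parameter. The following is an added example, not code from the page: it sets up an in-memory SQLite table, shows the vulnerable query beside the parameterised one, and also covers the case parameters cannot handle (an identifier such as a sort column), which needs an allow-list instead. Table contents and column names are constructed for the example.

```python
"""Added example (not from the page): SQL injection, the parameterised fix,
and an allow-list for the part of a statement that cannot be parameterised.

Constructed sample data: the users table below is invented for this example.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Insecure on purpose: the input is spliced into the statement text, so
    # a quote in the input changes the query's structure.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # The driver sends the value separately from the statement; whatever the
    # input contains, it is only ever compared against the username column.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (table/column names, ORDER BY targets) cannot be bound as
# parameters, so the only safe option is to map input onto a fixed set.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(
        f"SELECT username, role FROM users ORDER BY {column}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("safe:      ", find_user_safe(db, payload))
```

Run as a script, the vulnerable function returns every row for the payload `x' OR '1'='1` while the safe one returns nothing, which is the behaviour a security test under 8.29 would assert on.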
8.29
Security Testing in Development and Acceptance
Security testing activities should be defined and implemented in the development life cycle. This involves verifying tha
8.30
Outsourced Development
The organization should direct, monitor and review the activities related to outsourced system development. This ensures
8.31
Separation of Development, Test and Production Environments
Development, testing and production environments should be separated and secured to reduce the risks of unauthorized acc
8.32
Change Management
Changes to information processing facilities and systems should be subject to change management procedures. This ensures
8.33
Test Data
Test data should be selected, protected and managed appropriately. This ensures that the testing process does not inadve
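Control 8.11 (Data Masking) and control 8.33 (Test Data) meet in practice when production-like records are prepared for a test environment. The following is an added example, not code from the page: it partially masks an e-mail address and a card number so the data stays realistic for testing, and replaces names with keyed HMAC pseudonyms so that the same person maps to the same token across tables without the original value being present. The record fields, the sample values and the key are constructed for the example.

```python
"""Added example (not from the page): masking a record for use as test data.

Constructed sample data: the records and the key below are invented for this
example. The HMAC key must be held outside the test environment; anyone who
has it can recompute the token for a guessed name.
"""
import hashlib
import hmac
import re


def mask_email(addr: str) -> str:
    """Keep the first character and the domain: 'a***@example.com'."""
    local, at, domain = addr.partition("@")
    if not at or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_card(pan: str) -> str:
    """Keep only the last four digits, which is the usual receipt format."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed token: same input and key give the same token, so
    joins between masked tables still work, but the value is not recoverable
    without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_record(rec: dict, key: bytes) -> dict:
    """Return a new dict; non-PII fields (here order_total) pass through."""
    return {
        "customer_id": pseudonymise(rec["name"], key),
        "email": mask_email(rec["email"]),
        "card": mask_card(rec["card"]),
        "order_total": rec["order_total"],
    }


if __name__ == "__main__":
    key = b"example-only-key-keep-out-of-test-env"
    for r in [
        {"name": "Alice Example", "email": "alice@example.com",
         "card": "4242 4242 4242 4242", "order_total": 19.99},
        {"name": "Alice Example", "email": "alice@example.com",
         "card": "4242 4242 4242 4242", "order_total": 5.00},
    ]:
        print(mask_record(r, key))
```

The pseudonym is the piece to think about: it preserves referential integrity, which 8.33 needs for meaningful tests, but it is reversible for anyone who holds the key and can guess inputs, so key custody sits with 8.24 rather than with the test team.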
8.34
Protection of Information Systems During Audit Testing
Audit requirements and activities involving checks on operational systems should be planned and agreed between the teste