iso27k controls cross check 2013
ISO/IEC 27002 control types
ISO/IEC 27002:2013 Control cross check

Original version generously contributed to the ISO27k Toolkit by Marty Carter and updated for the 2013 release of the standard by Jill Treu, with trivial formatting mods and this page added by Gary Hinson.
The spreadsheet classifies the information security controls recommended by ISO/IEC 27002:2013 according to their types and objectives.
In this classification, controls are intended to:
- Deter: the control reduces the threat, deterring hackers from attacking a given system for example.
- Avoid: the control involves avoiding risky situations, perhaps ensuring that a known vulnerability is not exposed to threat.
- Prevent: the control usually reduces the vulnerability (most common security controls act in this way).
- Detect: the control helps identify an event or incident as soon as possible, generally triggering reactive measures.
- React: the control helps minimise the impact of incidents by promptly and effectively reacting or responding to them.
- Recover: the control helps minimise the impact of incidents by aiding the restoration of normality, or at least a fallback service.
... while the objectives of the controls are primarily to maintain the confidentiality, integrity and/or availability of information assets.
Other classifications are possible. Furthermore, you may disagree with the particular way we have classified each control. However, we feel this is a pragmatic starting point for discussion. Feel free to modify this spreadsheet as you wish for your own purposes.
One way to use the spreadsheet is to identify and mark any controls that are excluded from your Statement of Applicability, in other words those you have decided are not appropriate to your circumstances. Then look down the columns to check that you still have a reasonable mix of the types of control in the remaining control set. You may also use this spreadsheet when deciding how to treat identified risks, choosing a balanced set of controls giving defence-in-depth.
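As an added example (not part of the ISO27k Toolkit), the Python script below performs this cross check on a CSV export of the sheet: it counts the ticks left in each type and objective column once the Statement of Applicability exclusions are removed, and reports any column left empty. The CSV layout and the tick assignments in the sample are assumptions constructed for illustration, not the Toolkit's own classification.

```python
# Added example, not part of the ISO27k Toolkit. Assumes the sheet is exported
# to CSV as: control id, control name, then one column per type/objective
# holding "P" (tick) or blank. Ticks in SAMPLE_CSV are constructed, not the
# Toolkit's own classification.
import csv
from io import StringIO

COLUMNS = ("Deter", "Avoid", "Prevent", "Detect", "React", "Recover",
           "Confidentiality", "Integrity", "Availability")

# Constructed sample export; control ids and names follow ISO/IEC 27002:2013.
SAMPLE_CSV = """\
5.1.1,Policies for information security,P,P,P,,,,P,P,P
7.2.3,Disciplinary process,P,,,,P,,P,P,P
9.4.2,Secure log-on procedures,,,P,P,,,P,P,
12.3.1,Information backup,,,,,,P,,P,P
12.4.1,Event logging,,,,P,P,,P,P,P
16.1.5,Response to information security incidents,,,,,P,P,P,P,P
17.2.1,Availability of information processing facilities,,P,,,,P,,,P
"""
def parse_export(text):
    """Return {control id: (name, set of ticked column names)}."""
    controls = {}
    for row in csv.reader(StringIO(text)):
        if len(row) != 2 + len(COLUMNS):
            raise ValueError(f"{row[:1]}: {len(row)} fields, expected {2 + len(COLUMNS)}")
        ticks = {col for col, mark in zip(COLUMNS, row[2:]) if mark.strip().upper() == "P"}
        controls[row[0]] = (row[1], ticks)
    return controls

def column_counts(controls, excluded=()):
    """Ticks per column over the controls still in the SoA."""
    counts = dict.fromkeys(COLUMNS, 0)
    for cid, (_, ticks) in controls.items():
        if cid not in excluded:
            for col in ticks:
                counts[col] += 1
    return counts

def coverage_gaps(controls, excluded=(), minimum=1):
    """Columns with fewer than `minimum` ticks left: a type or objective the
    remaining control set no longer addresses (a defence-in-depth gap)."""
    counts = column_counts(controls, excluded)
    return [col for col in COLUMNS if counts[col] < minimum]

if __name__ == "__main__":
    excluded = {"12.3.1", "16.1.5", "17.2.1"}  # hypothetical SoA exclusions
    controls = parse_export(SAMPLE_CSV)
    print("gaps:", coverage_gaps(controls, excluded))  # ['Recover']
```

With the three hypothetical exclusions the sample keeps no control ticked under Recover, which is exactly the kind of imbalance the column check is meant to surface.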
Copyright

This work is copyright 2014, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001security.com, and (c) if they are published or shared, derivative works are shared under the same terms as this.
Control Cross Check

Columns: ISO/IEC 27002 section | Control | Type (Deter, Avoid, Prevent, Detect, React, Recover) | Primary objective (Confidentiality, Integrity, Availability)

Column definitions (cell comments by mcarter):
- Deter (mcarter): "Deter: reduce deliberate threats by deterring potential attackers."
- Avoid (mcarter): "Avoid: Eliminate known vulnerabilities and prevent creation of new ones."
- Prevent (mcarter): "Protect: Safeguard the information assets against exposure to security events."
- Detect (mcarter): "Detect: Identify the occurrence of a security event and initiate protective, corrective or recovery controls."
- React (mcarter): "React: Respond to or counter a security event to minimize its impact and ensure business continuity."
- Recover (mcarter): "Recover: Restore the confidentiality, integrity and availability of information assets to their expected states."

In the transcript below each P is a tick in one of the nine Type and Primary objective columns. The column positions of the ticks did not survive the flattening of the sheet, so only the number of ticks per control (given in brackets) can be read from it.

5 Information security policies
  5.1 Management direction for information security
    5.1.1 Policies for information security: PPPPPPPP (8)
    5.1.2 Review of the policies for information security: PPPPPPPP (8)

6 Organization of information security
  6.1 Internal Organization
    6.1.1 Information security roles and responsibilities: PPPPP (5)
    6.1.2 Segregation of duties: PPPPPP (6)
    6.1.3 Contact with authorities: PPPPP (5)
    6.1.4 Contact with special interest groups: PPPPPP (6)
    6.1.5 Information security in project management: PPP (3)
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy: PPPP (4)
    6.2.2 Teleworking: PPP (3)

7 Human Resources Security
  7.1 Prior to employment
    7.1.1 Screening: PPPPP (5)
    7.1.2 Terms and conditions of employment: PPPPP (5)
  7.2 During employment
    7.2.1 Management responsibilities: PPPPPPP (7)
    7.2.2 Information security awareness, education and training: PPPPPPPP (8)
    7.2.3 Disciplinary process: PPPPPPPPP (9)
  7.3 Termination and change of employment
    7.3.1 Termination or change of employment responsibilities: PPPPPP (6)

8 Asset Management
  8.1 Responsibility for Assets
    8.1.1 Inventory of Assets: PPPPPP (6)
    8.1.2 Ownership of assets: PPPPPPPP (8)
    8.1.3 Acceptable use of assets: PPPPP (5)
    8.1.4 Return of assets: PPPPP (5)
  8.2 Information classification
    8.2.1 Classification of information: PPP (3)
    8.2.2 Labelling of information: PPPPPP (6)
    8.2.3 Handling of assets: PPPPPP (6)
  8.3 Media handling
    8.3.1 Management of removable media: PPPPPP (6)
    8.3.2 Disposal of media: PPPPP (5)
    8.3.3 Physical media transfer: PPP (3)

9 Access Control
  9.1 Business requirements of access control
    9.1.1 Access control policy: PPPP (4)
    9.1.2 Access to networks and network services: PPPP (4)
  9.2 User access management
    9.2.1 User registration and de-registration: PPPP (4)
    9.2.2 User access provisioning: PPPP (4)
    9.2.3 Management of privileged access rights: PPPP (4)
    9.2.4 Management of secret authentication information of users: PPP (3)
    9.2.5 Review of user access rights: PPPPP (5)
    9.2.6 Removal or adjustment of access rights: PPPPP (5)
  9.3 User responsibilities
    9.3.1 Use of secret authentication information: PPPP (4)
  9.4 System and application access control
    9.4.1 Information access restriction: PPPP (4)
    9.4.2 Secure log-on procedures: PPPPP (5)
    9.4.3 Password management system: PPPP (4)
    9.4.4 Use of privileged utility programs: PPPP (4)
    9.4.5 Access control to program source code: PPP (3)

10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls: PPP (3)
    10.1.2 Key management: PPP (3)

11 Physical and Environmental Security
  11.1 Secure Areas
    11.1.1 Physical security perimeter: PPPPPP (6)
    11.1.2 Physical entry controls: PPPPPPP (7)
    11.1.3 Securing offices, rooms and facilities: PPPPPPP (7)
    11.1.4 Protecting against external and environmental attacks: PPP (3)
    11.1.5 Working in secure areas: PPPPP (5)
    11.1.6 Delivery and loading areas: PPPPPP (6)
  11.2 Equipment
    11.2.1 Equipment siting and protection: PPPPPP (6)
    11.2.2 Supporting utilities: PPPPP (5)
    11.2.3 Cabling Security: PPP (3)
    11.2.4 Equipment maintenance: PPPPP (5)
    11.2.5 Removal of assets: PPPPPPP (7)
    11.2.6 Security of equipment and assets off-premises: PPPP (4)
    11.2.7 Secure disposal or re-use of equipment: PPPP (4)
    11.2.8 Unattended user equipment: PPPP (4)
    11.2.9 Clear desk and clear screen policy: PP (2)

12 Operations security
  12.1 Operational procedures and responsibilities
    12.1.1 Documented operating procedures: PPPPPPP (7)
    12.1.2 Change management: PPPPPP (6)
    12.1.3 Capacity management: PP (2)
    12.1.4 Separation of development, testing and operational environments: PPPPPP (6)
  12.2 Protection from malware
    12.2.1 Controls against malware: PPPPPPP (7)
  12.3 Backup
    12.3.1 Information backup: PPPPP (5)
  12.4 Logging and monitoring
    12.4.1 Event logging: PPPPPP (6)
    12.4.2 Protection of log information: PPPPPP (6)
    12.4.3 Administrator and operator logs: PPPPP (5)
    12.4.4 Clock synchronisation: PPP (3)
  12.5 Control of operational software
    12.5.1 Installation of software on operational systems: PPPP (4)
  12.6 Technical Vulnerability Management
    12.6.1 Control of technical vulnerabilities: PP (2)
    12.6.2 Restrictions on software installation: PPP (3)
  12.7 Information systems audit controls
    12.7.1 Information systems audit controls: PPP (3)

13 Communications security
  13.1 Network security management
    13.1.1 Network controls: PPPP (4)
    13.1.2 Security of network services: PPPPPP (6)
    13.1.3 Segregation in networks: PPPP (4)
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures: PPPPP (5)
    13.2.2 Agreements on information transfer: PPPP (4)
    13.2.3 Electronic messaging: PPPPP (5)
    13.2.4 Confidentiality or non-disclosure agreements: PPP (3)

14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
    14.1.1 Information security requirements analysis and specification: PPPP (4)
    14.1.2 Securing application services on public networks: PPPPP (5)
    14.1.3 Protecting application services transactions: PPPPP (5)
  14.2 Security in development and support processes
    14.2.1 Secure development policy: PPPP (4)
    14.2.2 System change control procedures: PPP (3)
    14.2.3 Technical review of applications after operating platform changes: PP (2)
    14.2.4 Restrictions on changes to software packages: PPP (3)
    14.2.5 Secure system engineering principles: PPPP (4)
    14.2.6 Secure development environment: PPPP (4)
    14.2.7 Outsourced software development: PPPPP (5)
    14.2.8 System security testing: PPP (3)
    14.2.9 System acceptance testing: PPP (3)
  14.3 Test data
    14.3.1 Protection of system test data: PP (2)

15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security in supplier relationships: PPPPPP (6)
    15.1.2 Addressing security within supplier agreements: PPPPPPPPP (9)
    15.1.3 Information and communication technology supply chain: PPPPPP (6)
  15.2 Supplier service delivery management
    15.2.1 Monitoring and review of supplier services: PPPP (4)
    15.2.2 Managing changes to supplier services: PPPPP (5)

16 Information security incident management
  16.1 Management of information security incidents and improvements
    16.1.1 Responsibilities and procedures: PPPPP (5)
    16.1.2 Reporting information security events: PPPPP (5)
    16.1.3 Reporting information security weaknesses: PPPPP (5)
    16.1.4 Assessment of and decision on information security events: PPPPP (5)
    16.1.5 Response to information security incidents: PPPPP (5)
    16.1.6 Learning from information security incidents: PPPPP (5)
    16.1.7 Collection of evidence: PPPPPP (6)

17 Information security aspects of business continuity management
  17.1 Information security continuity
    17.1.1 Planning information security continuity: PPP (3)
    17.1.2 Implementing information security continuity: PP (2)
    17.1.3 Verify, review and evaluate information security continuity: PPP (3)
  17.2 Redundancies
    17.2.1 Availability of information processing facilities: PPPPP (5)

18 Compliance
  18.1 Compliance with legal and contractual requirements
    18.1.1 Identification of applicable legislation and contractual requirements: PPPP (4)
    18.1.2 Intellectual property rights: PP (2)
    18.1.3 Protection of records: PPPPPP (6)
    18.1.4 Privacy and protection of personally identifiable information: PP (2)
    18.1.5 Regulation of cryptographic controls: PP (2)
  18.2 Information security reviews
    18.2.1 Independent review of information security: PPPPPPP (7)
    18.2.2 Compliance with security policies and standards: PPPPP (5)
    18.2.3 Technical compliance review: PPP (3)