iso27k controls cross check 2013

Upload: samer-al-basha

Post on 10-Sep-2015

Description: ISO 27001:2013 checklist


ISO/IEC 27002 control types

Intro

ISO/IEC 27002:2013 Control cross check

Original version generously contributed to the ISO27k Toolkit by Marty Carter and updated for the 2013 release of the standard by Jill Treu, with trivial formatting mods and this page added by Gary Hinson.

The spreadsheet classifies the information security controls recommended by ISO/IEC 27002:2013 according to their types and objectives.

In this classification, controls are intended to:
- Deter: the control reduces the threat, for example by deterring hackers from attacking a given system.
- Avoid: the control involves avoiding risky situations, perhaps ensuring that a known vulnerability is not exposed to a threat.
- Prevent: the control usually reduces the vulnerability (most common security controls act in this way).
- Detect: the control helps identify an event or incident as soon as possible, generally triggering reactive measures.
- React: the control helps minimise the impact of incidents by promptly and effectively reacting or responding to them.
- Recover: the control helps minimise the impact of incidents by aiding the restoration of normality, or at least of a fallback service.
... while the objectives of the controls are primarily to maintain the confidentiality, integrity and/or availability of information assets.

Other classifications are possible. Furthermore, you may disagree with the particular way we have classified each control. However, we feel this is a pragmatic starting point for discussion. Feel free to modify this spreadsheet as you wish for your own purposes.

One way to use the spreadsheet is to identify and mark any controls that are excluded from your Statement of Applicability, in other words those you have decided are not appropriate to your circumstances. Then look down the columns to check that you still have a reasonable mix of the types of control in the remaining control set.

You may also use this spreadsheet when deciding how to treat identified risks, choosing a balanced set of controls giving defence-in-depth.
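Both uses described above, as an added example that is not part of the ISO27k Toolkit spreadsheet: a Python script that holds a control-to-column matrix, drops the Statement of Applicability exclusions and reports which control types are left thin, and separately checks whether a set of controls chosen for one risk spans the deter-to-recover chain. The column assignments for the seven controls are constructed for illustration (the extracted sheet keeps tick counts only, not which columns are ticked), and the names coverage, coverage_gaps and defence_in_depth_gaps are this example's own.

```python
"""Coverage check over an ISO/IEC 27002:2013 control-type matrix.

Added example, not the ISO27k Toolkit's own code. It performs the two
checks the page describes: (1) drop the controls excluded from the
Statement of Applicability and see which control types are left thin,
and (2) check that a set of controls chosen to treat one risk spans the
deter-to-recover chain (defence in depth).
"""
from collections import Counter

# Column headings exactly as the spreadsheet uses them.
TYPES = ("Deter", "Avoid", "Prevent", "Detect", "React", "Recover")
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")
COLUMNS = TYPES + OBJECTIVES

# Constructed sample of seven controls and the columns they tick.
# The assignments are assumptions for illustration only: the extracted
# sheet records how many columns each control ticks, not which ones.
MATRIX = {
    "7.2.3":  {"Deter", "Prevent", "Confidentiality", "Integrity", "Availability"},            # Disciplinary process
    "9.2.3":  {"Avoid", "Prevent", "Confidentiality", "Integrity"},                            # Management of privileged access rights
    "12.2.1": {"Prevent", "Detect", "React", "Confidentiality", "Integrity", "Availability"},  # Controls against malware
    "12.3.1": {"Recover", "Integrity", "Availability"},                                        # Information backup
    "12.4.1": {"Deter", "Detect", "Confidentiality", "Integrity", "Availability"},             # Event logging
    "16.1.5": {"React", "Recover", "Confidentiality", "Integrity", "Availability"},            # Response to information security incidents
    "17.2.1": {"Avoid", "Recover", "Availability"},                                            # Availability of information processing facilities
}


def coverage(matrix, excluded=frozenset()):
    """Per-column count of controls that still tick it once `excluded`
    (the SoA exclusions) are removed. Rejects ticks in unknown columns so
    a typo in the matrix cannot silently inflate a column."""
    counts = Counter({col: 0 for col in COLUMNS})
    for control, ticks in matrix.items():
        if control in excluded:
            continue
        unknown = set(ticks) - set(COLUMNS)
        if unknown:
            raise ValueError(f"{control}: unknown column(s) {sorted(unknown)}")
        counts.update(ticks)  # adds 1 for every column the control ticks
    return counts


def coverage_gaps(matrix, excluded=frozenset(), minimum=1):
    """Columns left with fewer than `minimum` controls after exclusions,
    in spreadsheet column order. An empty list means the mix is intact."""
    counts = coverage(matrix, excluded)
    return [col for col in COLUMNS if counts[col] < minimum]


def defence_in_depth_gaps(matrix, chosen):
    """Control types not represented among the controls `chosen` to treat
    one risk. Unknown control identifiers are an error, not a silent miss."""
    missing = [c for c in chosen if c not in matrix]
    if missing:
        raise KeyError(f"not in matrix: {missing}")
    covered = set().union(*(matrix[c] for c in chosen))
    return [t for t in TYPES if t not in covered]


if __name__ == "__main__":
    # An organisation that excludes backup, incident response and
    # redundancy from its SoA loses the Recover column entirely.
    soa_exclusions = {"12.3.1", "16.1.5", "17.2.1"}
    print("columns with no control left:", coverage_gaps(MATRIX, soa_exclusions))
    print("columns with fewer than two: ", coverage_gaps(MATRIX, soa_exclusions, minimum=2))
    # Treating a malware risk with only 7.2.3 and 12.2.1 has no Avoid or
    # Recover element; adding 12.3.1 closes the Recover gap.
    print("types missing:", defence_in_depth_gaps(MATRIX, ["7.2.3", "12.2.1"]))
    print("after adding backup:", defence_in_depth_gaps(MATRIX, ["7.2.3", "12.2.1", "12.3.1"]))
```

The `minimum` argument is the practical knob: a single surviving control per type is technically coverage, but raising the threshold to two or three is what exposes a control set that rests on one control for all of its detection or recovery. Replace MATRIX with the real ticks from the spreadsheet before relying on the result.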

Copyright

This work is copyright 2014, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001security.com, and (c) if they are published or shared, derivative works are shared under the same terms as this.

Control Cross Check

Columns: ISO/IEC 27002 section | Control | Type (Deter, Avoid, Prevent, Detect, React, Recover) | Primary objective (Confidentiality, Integrity, Availability)

Column notes (mcarter):
- Deter: reduce deliberate threats by deterring potential attackers.
- Avoid: eliminate known vulnerabilities and prevent creation of new ones.
- Prevent (the note itself is headed "Protect"): safeguard the information assets against exposure to security events.
- Detect: identify the occurrence of a security event and initiate protective, corrective or recovery controls.
- React: respond to or counter a security event to minimize its impact and ensure business continuity.
- Recover: restore the confidentiality, integrity and availability of information assets to their expected states.

Each control below is followed by the number of columns ticked for it, out of the nine type and objective columns (the ticks appear as the letter P in the extracted text because the sheet uses a symbol font). The extraction preserves how many columns each control ticks but not which ones, so the per-column assignment has to be read from the original spreadsheet.

5 Information security policies
  5.1 Management direction for information security
    5.1.1 Policies for information security (8 of 9)
    5.1.2 Review of the policies for information security (8 of 9)

6 Organization of information security
  6.1 Internal organization
    6.1.1 Information security roles and responsibilities (5 of 9)
    6.1.2 Segregation of duties (6 of 9)
    6.1.3 Contact with authorities (5 of 9)
    6.1.4 Contact with special interest groups (6 of 9)
    6.1.5 Information security in project management (3 of 9)
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy (4 of 9)
    6.2.2 Teleworking (3 of 9)

7 Human resources security
  7.1 Prior to employment
    7.1.1 Screening (5 of 9)
    7.1.2 Terms and conditions of employment (5 of 9)
  7.2 During employment
    7.2.1 Management responsibilities (7 of 9)
    7.2.2 Information security awareness, education and training (8 of 9)
    7.2.3 Disciplinary process (9 of 9)
  7.3 Termination and change of employment
    7.3.1 Termination or change of employment responsibilities (6 of 9)

8 Asset management
  8.1 Responsibility for assets
    8.1.1 Inventory of assets (6 of 9)
    8.1.2 Ownership of assets (8 of 9)
    8.1.3 Acceptable use of assets (5 of 9)
    8.1.4 Return of assets (5 of 9)
  8.2 Information classification
    8.2.1 Classification of information (3 of 9)
    8.2.2 Labelling of information (6 of 9)
    8.2.3 Handling of assets (6 of 9)
  8.3 Media handling
    8.3.1 Management of removable media (6 of 9)
    8.3.2 Disposal of media (5 of 9)
    8.3.3 Physical media transfer (3 of 9)

9 Access control
  9.1 Business requirements of access control
    9.1.1 Access control policy (4 of 9)
    9.1.2 Access to networks and network services (4 of 9)
  9.2 User access management
    9.2.1 User registration and de-registration (4 of 9)
    9.2.2 User access provisioning (4 of 9)
    9.2.3 Management of privileged access rights (4 of 9)
    9.2.4 Management of secret authentication information of users (3 of 9)
    9.2.5 Review of user access rights (5 of 9)
    9.2.6 Removal or adjustment of access rights (5 of 9)
  9.3 User responsibilities
    9.3.1 Use of secret authentication information (4 of 9)
  9.4 System and application access control
    9.4.1 Information access restriction (4 of 9)
    9.4.2 Secure log-on procedures (5 of 9)
    9.4.3 Password management system (4 of 9)
    9.4.4 Use of privileged utility programs (4 of 9)
    9.4.5 Access control to program source code (3 of 9)

10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls (3 of 9)
    10.1.2 Key management (3 of 9)

11 Physical and environmental security
  11.1 Secure areas
    11.1.1 Physical security perimeter (6 of 9)
    11.1.2 Physical entry controls (7 of 9)
    11.1.3 Securing offices, rooms and facilities (7 of 9)
    11.1.4 Protecting against external and environmental threats (3 of 9)
    11.1.5 Working in secure areas (5 of 9)
    11.1.6 Delivery and loading areas (6 of 9)
  11.2 Equipment
    11.2.1 Equipment siting and protection (6 of 9)
    11.2.2 Supporting utilities (5 of 9)
    11.2.3 Cabling security (3 of 9)
    11.2.4 Equipment maintenance (5 of 9)
    11.2.5 Removal of assets (7 of 9)
    11.2.6 Security of equipment and assets off-premises (4 of 9)
    11.2.7 Secure disposal or re-use of equipment (4 of 9)
    11.2.8 Unattended user equipment (4 of 9)
    11.2.9 Clear desk and clear screen policy (2 of 9)

12 Operations security
  12.1 Operational procedures and responsibilities
    12.1.1 Documented operating procedures (7 of 9)
    12.1.2 Change management (6 of 9)
    12.1.3 Capacity management (2 of 9)
    12.1.4 Separation of development, testing and operational environments (6 of 9)
  12.2 Protection from malware
    12.2.1 Controls against malware (7 of 9)
  12.3 Backup
    12.3.1 Information backup (5 of 9)
  12.4 Logging and monitoring
    12.4.1 Event logging (6 of 9)
    12.4.2 Protection of log information (6 of 9)
    12.4.3 Administrator and operator logs (5 of 9)
    12.4.4 Clock synchronisation (3 of 9)
  12.5 Control of operational software
    12.5.1 Installation of software on operational systems (4 of 9)
  12.6 Technical vulnerability management
    12.6.1 Management of technical vulnerabilities (2 of 9)
    12.6.2 Restrictions on software installation (3 of 9)
  12.7 Information systems audit considerations
    12.7.1 Information systems audit controls (3 of 9)

13 Communications security
  13.1 Network security management
    13.1.1 Network controls (4 of 9)
    13.1.2 Security of network services (6 of 9)
    13.1.3 Segregation in networks (4 of 9)
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures (5 of 9)
    13.2.2 Agreements on information transfer (4 of 9)
    13.2.3 Electronic messaging (5 of 9)
    13.2.4 Confidentiality or non-disclosure agreements (3 of 9)

14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
    14.1.1 Information security requirements analysis and specification (4 of 9)
    14.1.2 Securing application services on public networks (5 of 9)
    14.1.3 Protecting application services transactions (5 of 9)
  14.2 Security in development and support processes
    14.2.1 Secure development policy (4 of 9)
    14.2.2 System change control procedures (3 of 9)
    14.2.3 Technical review of applications after operating platform changes (2 of 9)
    14.2.4 Restrictions on changes to software packages (3 of 9)
    14.2.5 Secure system engineering principles (4 of 9)
    14.2.6 Secure development environment (4 of 9)
    14.2.7 Outsourced software development (5 of 9)
    14.2.8 System security testing (3 of 9)
    14.2.9 System acceptance testing (3 of 9)
  14.3 Test data
    14.3.1 Protection of system test data (2 of 9)

15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security in supplier relationships (6 of 9)
    15.1.2 Addressing security within supplier agreements (9 of 9)
    15.1.3 Information and communication technology supply chain (6 of 9)
  15.2 Supplier service delivery management
    15.2.1 Monitoring and review of supplier services (4 of 9)
    15.2.2 Managing changes to supplier services (5 of 9)

16 Information security incident management
  16.1 Management of information security incidents and improvements
    16.1.1 Responsibilities and procedures (5 of 9)
    16.1.2 Reporting information security events (5 of 9)
    16.1.3 Reporting information security weaknesses (5 of 9)
    16.1.4 Assessment of and decision on information security events (5 of 9)
    16.1.5 Response to information security incidents (5 of 9)
    16.1.6 Learning from information security incidents (5 of 9)
    16.1.7 Collection of evidence (6 of 9)

17 Information security aspects of business continuity management
  17.1 Information security continuity
    17.1.1 Planning information security continuity (3 of 9)
    17.1.2 Implementing information security continuity (2 of 9)
    17.1.3 Verify, review and evaluate information security continuity (3 of 9)
  17.2 Redundancies
    17.2.1 Availability of information processing facilities (5 of 9)

18 Compliance
  18.1 Compliance with legal and contractual requirements
    18.1.1 Identification of applicable legislation and contractual requirements (4 of 9)
    18.1.2 Intellectual property rights (2 of 9)
    18.1.3 Protection of records (6 of 9)
    18.1.4 Privacy and protection of personally identifiable information (2 of 9)
    18.1.5 Regulation of cryptographic controls (2 of 9)
  18.2 Information security reviews
    18.2.1 Independent review of information security (7 of 9)
    18.2.2 Compliance with security policies and standards (5 of 9)
    18.2.3 Technical compliance review (3 of 9)
