A.5 SECURITY POLICIES

A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 5.1.1 | Policies for information security | 5.1.1 | Information security policy document |
| 5.1.2 | Review of the policies for information security | 5.1.2 | Review of the information security policy |
A.6 ORGANISATION OF INFORMATION SECURITY

A.6.1 Internal organisation
Objective: To establish a management framework to initiate and control the implementation of information security within the organisation.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 6.1.1 | Information security roles and responsibilities | 8.1.1 | Roles and responsibilities |
| 6.1.2 | Segregation of duties | 10.1.3 | Segregation of duties |
| 6.1.3 | Contact with authorities | 6.1.6 | Contact with authorities |
| 6.1.4 | Contact with special interest groups | 6.1.7 | Contact with special interest groups |
| 6.1.5 | Information security in project management | New Control | |

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 6.2.1 | Mobile device policy | 11.7.1 | Mobile computing and communications |
| 6.2.2 | Teleworking | 11.7.2 | Teleworking |
A.7 HUMAN RESOURCE SECURITY

A.7.1 Prior to employment
Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 7.1.1 | Screening | 8.1.2 | Screening |
| 7.1.2 | Terms and conditions of employment | 8.1.3 | Terms and conditions of employment |

A.7.2 During employment
Objective: To ensure that employees and external party users are aware of and fulfill their information security responsibilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 7.2.1 | Management responsibilities | 8.2.1 | Management responsibilities |
| 7.2.2 | Information security awareness, education and training | 8.2.2 | Information security awareness, education and training |
| 7.2.3 | Disciplinary process | 8.2.3 | Disciplinary process |

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 7.3.1 | Termination or change of employment responsibilities | 8.3.1 | Termination responsibilities |
A.8 ASSET MANAGEMENT

A.8.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 8.1.1 | Inventory of assets | 7.1.1 | Inventory of assets |
| 8.1.2 | Ownership of assets | 7.1.2 | Ownership of assets |
| 8.1.3 | Acceptable use of assets | 7.1.3 | Acceptable use of assets |
| 8.1.4 | Return of assets | 8.3.2 | Return of assets |

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 8.2.1 | Classification of information | 7.2.1 | Classification guidelines |
| 8.2.2 | Labeling of information | 10.7.3 | Information handling procedures |
| 8.2.3 | Handling of assets | 7.2.2 | Information labeling and handling |

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 8.3.1 | Management of removable media | 10.7.1 | Management of removable media |
| 8.3.2 | Disposal of media | 10.7.2 | Disposal of media |
| 8.3.3 | Physical media transfer | 10.8.3 | Physical media in transit |
A.9 ACCESS CONTROL

A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 9.1.1 | Access control policy | 11.1.1 | Access control policy |
| 9.1.2 | Access to networks and network services | 11.4 | See ISO 27002:2005 11.4 Network Access Control |

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 9.2.1 | User registration and de-registration | 11.2.1 | User registration |
| 9.2.2 | User access provisioning | 11.2.1 | See ISO 27002:2005 11.2.1 (the 11.2.1 control is broken down into ISO 27002:2013 9.2.1 and 9.2.2) |
| 9.2.3 | Management of privileged access rights | 11.2.2 | Privilege management |
| 9.2.4 | Management of secret authentication information of users | 11.2.3 | User password management |
| 9.2.5 | Review of user access rights | 11.2.4 | Review of user access rights |
| 9.2.6 | Removal or adjustment of access rights | 8.3.3 | Removal of access rights |

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 9.3.1 | Use of secret authentication information | 11.3.1 | Password use |

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 9.4.1 | Information access restriction | 11.6.1 | Information access restriction |
| 9.4.2 | Secure log-on procedures | 11.5.1 | Secure log-on procedures |
| 9.4.3 | Password management system | 11.5.3 | Password management system |
| 9.4.4 | Use of privileged utility programs | 11.5.4 | Use of system utilities |
| 9.4.5 | Access control to program source code | 12.4.3 | Access control to program source code |
A.10 CRYPTOGRAPHY

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 10.1.1 | Policy on the use of cryptographic controls | 12.3.1 | Policy on the use of cryptographic controls |
| 10.1.2 | Key management | 12.3.2 | Key management |
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 11.1.1 | Physical security perimeter | 9.1.1 | Physical security perimeter |
| 11.1.2 | Physical entry controls | 9.1.2 | Physical entry controls |
| 11.1.3 | Securing offices, rooms and facilities | 9.1.3 | Securing offices, rooms and facilities |
| 11.1.4 | Protecting against external and environmental threats | 9.1.4 | Protecting against external and environmental threats |
| 11.1.5 | Working in secure areas | 9.1.5 | Working in secure areas |
| 11.1.6 | Delivery and loading areas | 9.1.6 | Public access, delivery and loading areas |

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 11.2.1 | Equipment siting and protection | 9.2.1 | Equipment siting and protection |
| 11.2.2 | Supporting utilities | 9.2.2 | Supporting utilities |
| 11.2.3 | Cabling security | 9.2.3 | Cabling security |
| 11.2.4 | Equipment maintenance | 9.2.4 | Equipment maintenance |
| 11.2.5 | Removal of assets | 9.2.7 | Removal of property |
| 11.2.6 | Security of equipment and assets off-premises | 9.2.5 | Security of equipment off-premises |
| 11.2.7 | Secure disposal or re-use of equipment | 9.2.6 | Secure disposal or re-use of equipment |
| 11.2.8 | Unattended user equipment | 11.3.2 | Unattended user equipment |
| 11.2.9 | Clear desk and clear screen policy | 11.3.3 | Clear desk and clear screen policy |
A.12 OPERATIONS SECURITY

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.1.1 | Documented operating procedures | 10.1.1 | Documented operating procedures |
| 12.1.2 | Change management | 10.1.2 | Change management |
| 12.1.3 | Capacity management | 10.3.1 | Capacity management |
| 12.1.4 | Separation of development, testing and operational environments | 10.1.4 | Separation of development, test and operational facilities |

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.2.1 | Controls against malware | 10.4.1 | Controls against malicious code |

A.12.3 Backup
Objective: To protect against loss of data.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.3.1 | Information backup | 10.5.1 | Information back-up |

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.4.1 | Event logging | 10.10.1 | Audit logging |
| 12.4.2 | Protection of log information | 10.10.3 | Protection of log information |
| 12.4.3 | Administrator and operator logs | 10.10.4 | Administrator and operator logs |
| 12.4.4 | Clock synchronisation | 10.10.5 | Fault logging |

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.5.1 | Installation of software on operational systems | 12.4.1 | Control of operational software |

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.6.1 | Management of technical vulnerabilities | 12.6.1 | Control of technical vulnerabilities |
| 12.6.2 | Restrictions on software installation | See ISO 27002:2005 12.4 and 12.5 | |

A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 12.7.1 | Information systems audit controls | 15.3.1 | Information systems audit controls |
A.13 COMMUNICATIONS SECURITY

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 13.1.1 | Network controls | 10.6.1 | Network controls |
| 13.1.2 | Security of network services | 10.6.2 | Security of network services |
| 13.1.3 | Segregation in networks | 11.4.5 | Segregation in networks |

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 13.2.1 | Information transfer policies and procedures | 10.8.1 | Information exchange policies and procedures |
| 13.2.2 | Agreements on information transfer | 10.8.2 | Exchange agreements |
| 13.2.3 | Electronic messaging | 10.8.4 | Electronic messaging |
| 13.2.4 | Confidentiality or non-disclosure agreements | 6.1.5 | Confidentiality agreements |
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 14.1.1 | Security requirements analysis and specification | 12.1.1 | Security requirements analysis and specification |
| 14.1.2 | Securing application services on public networks | New Control | Related to online transactions and e-commerce |
| 14.1.3 | Protecting application services transactions | New Control | Related to online transactions and e-commerce |

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 14.2.1 | Secure development policy | See ISO 27002:2005 12.1 | New requirements |
| 14.2.2 | System change control procedures | 12.5.1 | Change control procedures |
| 14.2.3 | Technical review of applications after operating platform changes | 12.5.2 | Technical review of applications after operating system changes |
| 14.2.4 | Restrictions on changes to software packages | 12.5.3 | Restrictions on changes to software packages |
| 14.2.5 | Secure system engineering principles | New Control | |
| 14.2.6 | Secure development environment | New Control | |
| 14.2.7 | Outsourced development | 12.5.5 | Outsourced software development |
| 14.2.8 | System security testing | See ISO 27002:2005 12.1.1 and 12.2 | |
| 14.2.9 | System acceptance testing | 10.3.2 | System acceptance |

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 14.3.1 | Protection of test data | 12.4.2 | Protection of system test data |
A.15 SUPPLIER RELATIONSHIPS

A.15.1 Security in supplier relationships
Objective: To ensure protection of the organization's information that is accessible by suppliers.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 15.1.1 | Information security policy for supplier relationships | 6.2.1 and 6.2.2 | With new requirements |
| 15.1.2 | Addressing security within supplier agreements | 6.2.3 | Addressing security in third party agreements |
| 15.1.3 | Information and communication technology supply chain | New Control | |

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 15.2.1 | Monitoring and review of supplier services | 10.2.2 | Monitoring and review of third party services |
| 15.2.2 | Managing changes to supplier services | 10.2.3 | Managing changes to third party services |
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 16.1.1 | Responsibilities and procedures | 13.2.1 | Responsibilities and procedures |
| 16.1.2 | Reporting information security events | 13.1.1 | Reporting information security events |
| 16.1.3 | Reporting information security weaknesses | 13.1.2 | Reporting security weaknesses |
| 16.1.4 | Assessment of and decision on information security events | See ISO 27002:2005 sections 13.1 and 13.2 | |
| 16.1.5 | Response to information security incidents | See ISO 27002:2005 sections 13.1 and 13.2 | |
| 16.1.6 | Learning from information security incidents | 13.2.2 | Learning from information security incidents |
| 16.1.7 | Collection of evidence | 13.2.3 | Collection of evidence |
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

A.17.1 Information security continuity
Objective: Information security continuity should be embedded in the organization's business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 17.1.1 | Planning information security continuity | See ISO 27002:2005 14.1 | |
| 17.1.2 | Implementing information security continuity | See ISO 27002:2005 14.1 | |
| 17.1.3 | Verify, review and evaluate information security continuity | 14.1.5 | Testing, maintaining and reassessing business continuity plans |

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 17.2.1 | Availability of information processing facilities | See ISO 27002:2005 14.1 | |
A.18 COMPLIANCE

A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 18.1.1 | Identification of applicable legislation and contractual requirements | 15.1.1 | Identification of applicable legislation |
| 18.1.2 | Intellectual property rights (IPR) | 15.1.2 | Intellectual property rights (IPR) |
| 18.1.3 | Protection of records | 15.1.3 | Protection of organizational records |
| 18.1.4 | Privacy and protection of personally identifiable information | 15.1.4 | Data protection and privacy of personal information |
| 18.1.5 | Regulation of cryptographic controls | 15.1.6 | Regulation of cryptographic controls |

A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

| ISO 27002:2013 Control ID | ISO 27002:2013 Control | ISO 27002:2005 Control ID | ISO 27002:2005 Control |
|---|---|---|---|
| 18.2.1 | Independent review of information security | 6.1.8 | Independent review of information security |
| 18.2.2 | Compliance with security policies and standards | 15.2.1 | Compliance with security policies and standards |
| 18.2.3 | Technical compliance review | 15.2.2 | Technical compliance checking |