Control Cross Check (EN)
Columns: ISO/IEC 27002 section | Control | Type (Deter, Avoid, Prevent, Detect, React, Recover) | Primary objective (Confidentiality, Integrity, Availability)
Each P is a tick mark: the control is marked against that type or objective column.
5 Information security policies
5.1 Management direction for information security
5.1.1 Policies for information security P P P P P P P P
5.1.2 Review of the policies for information security P P P P P P P P
6 Organization of information security
6.1 Internal Organization
6.1.1 Information security roles and responsibilities P P P P P
6.1.2 Segregation of duties P P P P P P
6.1.3 Contact with authorities P P P P P
6.1.4 Contact with special interest groups P P P P P P
6.1.5 Information security in project management P P P
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy P P P P
6.2.2 Teleworking P P P
7 Human Resources Security
7.1 Prior to employment
7.1.1 Screening P P P P P
7.1.2 Terms and conditions of employment P P P P P
7.2 During employment
7.2.1 Management responsibilities P P P P P P P
7.2.2 Information security awareness, education and training P P P P P P P P
7.2.3 Disciplinary process P P P P P P P P P
7.3 Termination and change of employment
7.3.1 Termination or change of employment responsibilities P P P P P P
8 Asset Management
8.1 Responsibility for assets
8.1.1 Inventory of assets P P P P P P
8.1.2 Ownership of assets P P P P P P P P
8.1.3 Acceptable use of assets P P P P P
8.1.4 Return of assets P P P P P
8.2 Information classification
8.2.1 Classification of information P P P
8.2.2 Labelling of information P P P P P P
8.2.3 Handling of assets P P P P P P
8.3 Media handling
8.3.1 Management of removable media P P P P P P
8.3.2 Disposal of media P P P P P
8.3.3 Physical media transfer P P P
9 Access Control
9.1 Business requirements of access control
9.1.1 Access control policy P P P P
9.1.2 Access to networks and network services P P P P
9.2 User access management
9.2.1 User registration and de-registration P P P P
9.2.2 User access provisioning P P P P
9.2.3 Management of privileged access rights P P P P
9.2.4 Management of secret authentication information of users P P P
9.2.5 Review of user access rights P P P P P
9.2.6 Removal or adjustment of access rights P P P P P
9.3 User responsibilities
9.3.1 Use of secret authentication information P P P P
9.4 System and application access control
9.4.1 Information access restriction P P P P
9.4.2 Secure log-on procedures P P P P P
9.4.3 Password management system P P P P
9.4.4 Use of privileged utility programs P P P P
9.4.5 Access control to program source code P P P
10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls P P P
10.1.2 Key management P P P
11 Physical and Environmental Security
11.1 Secure Areas
11.1.1 Physical security perimeter P P P P P P
11.1.2 Physical entry controls P P P P P P P
11.1.3 Securing offices, rooms and facilities P P P P P P P
11.1.4 Protecting against external and environmental attacks P P P
11.1.5 Working in secure areas P P P P P
11.1.6 Delivery and loading areas P P P P P P
11.2 Equipment
11.2.1 Equipment siting and protection P P P P P P
11.2.2 Supporting utilities P P P P P
11.2.3 Cabling security P P P
11.2.4 Equipment maintenance P P P P P
11.2.5 Removal of assets P P P P P P P
11.2.6 Security of equipment and assets off-premises P P P P
11.2.7 Secure disposal or re-use of equipment P P P P
ISO27k Controls cross check 2013.xlsx 13
11.2.8 Unattended user equipment P P P P
11.2.9 Clear desk and clear screen policy P P
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures P P P P P P P
12.1.2 Change management P P P P P P
12.1.3 Capacity management P P
12.1.4 Separation of development, testing and operational environments P P P P P P
12.2 Protection from malware
12.2.1 Controls against malware P P P P P P P
12.3 Backup
12.3.1 Information backup P P P P P
12.4 Logging and monitoring
12.4.1 Event logging P P P P P P
12.4.2 Protection of log information P P P P P P
12.4.3 Administrator and operator logs P P P P P
12.4.4 Clock synchronisation P P P
12.5 Control of operational software
12.5.1 Installation of software on operational systems P P P P
12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities P P
12.6.2 Restrictions on software installation P P P
12.7 Information systems audit controls
12.7.1 Information systems audit controls P P P
13 Communications security
13.1 Network security management
13.1.1 Network controls P P P P
13.1.2 Security of network services P P P P P P
13.1.3 Segregation in networks P P P P
13.2 Information transfer
13.2.1 Information transfer policies and procedures P P P P P
13.2.2 Agreements on information transfer P P P P
13.2.3 Electronic messaging P P P P P
13.2.4 Confidentiality or non-disclosure agreements P P P
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification P P P P
14.1.2 Securing application services on public networks P P P P P
14.1.3 Protecting application services transactions P P P P P
14.2 Security in development and support processes
14.2.1 Secure development policy P P P P
14.2.2 System change control procedures P P P
14.2.3 Technical review of applications after operating platform changes P P
14.2.4 Restrictions on changes to software packages P P P
14.2.5 Secure system engineering principles P P P P
14.2.6 Secure development environment P P P P
14.2.7 Outsourced software development P P P P P
14.2.8 System security testing P P P
14.2.9 System acceptance testing P P P
14.3 Test data
14.3.1 Protection of system test data P P
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security in supplier relationships P P P P P P
15.1.2 Addressing security within supplier agreements P P P P P P P P P
15.1.3 Information and communication technology supply chain P P P P P P
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services P P P P
15.2.2 Managing changes to supplier services P P P P P
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures P P P P P
16.1.2 Reporting information security events P P P P P
16.1.3 Reporting information security weaknesses P P P P P
16.1.4 Assessment of and decision on information security events P P P P P
16.1.5 Response to information security incidents P P P P P
16.1.6 Learning from information security incidents P P P P P
16.1.7 Collection of evidence P P P P P P
17 Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 Planning information security continuity P P P
17.1.2 Implementing information security continuity P P
17.1.3 Verify, review and evaluate information security continuity P P P
17.2 Redundancies
17.2.1 Availability of information processing facilities P P P P P
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements P P P P
18.1.2 Intellectual property rights P P
18.1.3 Protection of records P P P P P P
18.1.4 Privacy and protection of personally identifiable information P P
18.1.5 Regulation of cryptographic controls P P
18.2 Information security reviews
18.2.1 Independent review of information security P P P P P P P
18.2.2 Compliance with security policies and standards P P P P P
18.2.3 Technical compliance review P P P