ISO/IEC 27001 is an international standard for managing information security. It provides a systematic approach to managing sensitive company information, ensuring it remains secure. This framework includes a range of controls and best practices for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
| Clause | Control Category | Control | Description | Implementation Details |
|---|---|---|---|---|
| A.5 | Information Security Policies | A.5.1.1 Policies for information security | Set policies that provide management direction and support for information security. | Develop and disseminate a comprehensive information security policy, including the scope, objectives, and enforcement mechanisms. Ensure the policy is regularly reviewed and updated to reflect changes in the threat landscape and business objectives. |
| A.6 | Organization of Information Security | A.6.1.1 Information security roles and responsibilities | Define and allocate information security responsibilities within the organization. | Create a roles and responsibilities matrix to clearly define information security duties across all levels of the organization. Ensure that these roles are communicated and understood by all employees. |
| | | A.6.1.2 Segregation of duties | Implement segregation of duties to reduce the risk of unauthorized or unintentional modifications. | Establish and enforce policies that separate critical duties to minimize the risk of error or fraud. Regularly review and update the segregation of duties to address changes in processes or personnel. |
| | | A.6.2.1 Mobile device policy | Establish policies for the secure use of mobile devices and teleworking. | Develop and enforce a mobile device and teleworking policy that includes security requirements and acceptable use guidelines. Ensure employees are trained on these policies and monitor compliance. |
| | | A.6.2.2 Teleworking | Implement controls to secure remote work environments. | Ensure remote work environments comply with organizational security policies and implement secure remote access technologies. Regularly review and update teleworking policies to address new risks. |
| A.7 | Human Resource Security | A.7.1.1 Screening | Perform background checks and screening for new employees. | Conduct thorough background checks and verify qualifications and references for all new hires. Ensure the screening process complies with legal and regulatory requirements. |
| | | A.7.1.2 Terms and conditions of employment | Ensure employment agreements include information security responsibilities. | Include information security responsibilities and confidentiality clauses in employment contracts. Clearly communicate these responsibilities to employees during onboarding. |
| | | A.7.2.1 Management responsibilities | Define and communicate information security responsibilities during employment. | Provide clear guidance on information security responsibilities and expectations for all employees. Regularly review and update these responsibilities as roles and technologies evolve. |
| | | A.7.2.2 Information security awareness, education, and training | Provide regular training and awareness programs for all employees. | Implement ongoing information security training and awareness programs tailored to different roles and responsibilities. Use metrics to measure the effectiveness of training programs and adjust as needed. |
| | | A.7.3.1 Termination or change of employment responsibilities | Ensure proper handling of information security during termination or change of employment. | Establish procedures for revoking access and recovering assets upon employee termination or role change. Conduct exit interviews to ensure all security obligations are understood and met. |
| A.8 | Asset Management | A.8.1.1 Inventory of assets | Maintain an inventory of information assets. | Develop and maintain an up-to-date inventory of all information assets, including hardware, software, and data. Regularly review and audit the inventory to ensure accuracy. |
| | | A.8.1.2 Ownership of assets | Assign ownership of information assets to responsible individuals. | Designate asset owners responsible for the security and proper management of information assets. Provide training to asset owners on their responsibilities. |
| | | A.8.2.1 Classification of information | Classify information assets based on sensitivity and criticality. | Implement a classification scheme to categorize information assets and apply appropriate security controls. Regularly review and update the classification scheme to reflect changes in the threat environment. |
| | | A.8.2.2 Labeling of information | Label information according to its classification. | Ensure all information assets are labeled appropriately to reflect their classification level. Use standardized labels and train employees on the labeling process. |
| | | A.8.3.1 Management of removable media | Implement controls for the secure use and management of removable media. | Develop policies and procedures for the secure use, storage, and disposal of removable media. Encrypt sensitive data stored on removable media and limit access to authorized personnel. |
| | | A.8.3.2 Disposal of media | Ensure the secure disposal of media containing sensitive information. | Use secure disposal methods, such as shredding or degaussing, to destroy media containing sensitive information. Maintain records of disposal activities and conduct regular audits. |
| A.9 | Access Control | A.9.1.1 Access control policy | Establish an access control policy. | Develop and enforce an access control policy that defines access permissions and procedures for granting and revoking access. Regularly review and update the policy to address new security risks. |
| | | A.9.1.2 Access to networks and network services | Implement controls to manage access to networks and network services. | Use network access control solutions to manage and monitor access to network services and resources. Implement network segmentation to limit access to sensitive data. |
| | | A.9.2.1 User registration and de-registration | Ensure proper registration and de-registration of users. | Implement a formal process for user registration and de-registration to ensure accurate and timely updates to access rights. Maintain records of user access and regularly audit these records. |
| | | A.9.2.2 User access provisioning | Implement controls for granting and revoking access to systems and applications. | Use automated provisioning tools to manage user access requests and approvals efficiently. Regularly review and update user access permissions to reflect changes in roles and responsibilities. |
| | | A.9.3.1 Use of secret authentication information | Protect and manage authentication information (e.g., passwords) securely. | Implement strong authentication mechanisms and enforce password policies to protect authentication information. Regularly review and update authentication protocols to address new security threats. |
| | | A.9.4.1 Information access restriction | Restrict access to information and information processing facilities to authorized users. | Use role-based access control (RBAC) to restrict access to information and systems based on user roles and responsibilities. Regularly review and update access controls to ensure they remain effective. |
| | | A.9.4.2 Secure log-on procedures | Implement secure log-on procedures for accessing systems. | Use multi-factor authentication (MFA) and other secure log-on methods to protect access to systems and applications. Regularly review and update log-on procedures to address new security threats. |
| A.10 | Cryptography | A.10.1.1 Policy on the use of cryptographic controls | Establish policies on the use of cryptographic controls to protect information. | Develop and enforce a cryptographic policy that defines the use of encryption, key management, and other cryptographic controls. Regularly review and update the policy to address new cryptographic technologies and threats. |
| | | A.10.1.2 Key management | Implement a key management system to manage cryptographic keys. | Use a centralized key management system to securely generate, store, and manage cryptographic keys. Regularly review and update key management practices to ensure they remain effective. |
| A.11 | Physical and Environmental Security | A.11.1.1 Physical security perimeter | Define and secure physical security perimeters. | Establish physical security perimeters with barriers, guards, and surveillance to protect critical facilities. Regularly review and update physical security measures to address new threats. |
| | | A.11.1.2 Physical entry controls | Implement controls to manage physical access to information processing facilities. | Use access control systems, such as key cards and biometric scanners, to manage physical entry to secure areas. Regularly review and update entry controls to ensure they remain effective. |
| | | A.11.2.1 Equipment siting and protection | Ensure the secure siting and protection of equipment. | Ensure critical equipment is placed in secure, environmentally controlled locations to prevent unauthorized access and damage. Regularly review and update equipment protection measures to address new threats. |
| | | A.11.2.2 Supporting utilities | Ensure supporting utilities (e.g., power, air conditioning) are secure and properly maintained. | Implement measures to protect supporting utilities from disruption, tampering, and environmental hazards. Regularly review and update utility protection measures to ensure they remain effective. |
| A.12 | Operations Security | A.12.1.1 Documented operating procedures | Establish and maintain documented operating procedures for information systems. | Develop detailed operating procedures for the secure and efficient operation of information systems. Regularly review and update operating procedures to reflect changes in systems and processes. |
| | | A.12.1.2 Change management | Implement a formal change management process for information systems. | Use change management processes to control and document changes to information systems and infrastructure. Regularly review and update change management practices to ensure they remain effective. |
| | | A.12.2.1 Controls against malware | Implement controls to protect against malware. | Deploy anti-malware solutions and implement procedures to detect, prevent, and respond to malware threats. Regularly review and update malware protection measures to address new threats. |
| | | A.12.3.1 Information backup | Ensure regular backups of critical information. | Implement backup procedures to regularly create and store secure copies of critical information. Regularly test backup and recovery processes to ensure they work as expected. |
| | | A.12.4.1 Event logging | Implement event logging to record user activities, exceptions, and security events. | Use logging solutions to capture and store logs of user activities and security events for analysis and auditing. Regularly review and analyze log data to detect and respond to anomalies. |
| | | A.12.4.2 Protection of log information | Protect log information against tampering and unauthorized access. | Implement access controls and encryption to protect the integrity and confidentiality of log information. Regularly review and update log protection measures to ensure they remain effective. |
| | | A.12.5.1 Installation of software on operational systems | Implement controls for the secure installation of software on operational systems. | Use approved procedures and tools to manage the installation and maintenance of software on operational systems. Regularly review and update software installation controls to address new security threats. |
| A.13 | Communications Security | A.13.1.1 Network controls | Implement controls to secure network infrastructure and services. | Deploy network security solutions, such as firewalls and intrusion detection systems, to protect network infrastructure. Regularly review and update network security measures to address new threats. |
| | | A.13.1.2 Security of network services | Ensure the security of network services provided by third parties. | Establish and enforce security requirements for network services provided by third parties. Regularly review and update third-party security measures to ensure they meet organizational standards. |
| | | A.13.2.1 Information transfer policies and procedures | Establish policies and procedures for the secure transfer of information. | Develop and enforce policies for securely transferring information, including encryption and access controls. Regularly review and update information transfer policies to address new security threats. |
| | | A.13.2.2 Agreements on information transfer | Ensure agreements with third parties include information security requirements. | Include information security clauses in contracts and agreements with third parties involved in information transfer. Regularly review and update these agreements to ensure ongoing compliance with security requirements. |
| A.14 | System Acquisition, Development, and Maintenance | A.14.1.1 Information security requirements analysis and specification | Define and specify information security requirements for new systems or enhancements. | Ensure information security requirements are included in the specifications for new systems and system enhancements. Regularly review and update security requirements to address new threats and technologies. |
| | | A.14.1.2 Securing application services on public networks | Implement controls to secure application services accessed via public networks. | Use secure communication protocols and other controls to protect application services accessed over public networks. Regularly review and update these controls to address new security threats. |
| | | A.14.2.1 Secure development policy | Establish a policy for secure software development. | Develop and enforce a secure development policy that includes security requirements and best practices for software development. Regularly review and update the policy to reflect changes in development practices and security threats. |
| | | A.14.2.2 System change control procedures | Implement change control procedures for system development and maintenance activities. | Use formal change control processes to manage and document changes to systems during development and maintenance. Regularly review and update change control procedures to ensure they remain effective. |
| A.15 | Supplier Relationships | A.15.1.1 Information security policy for supplier relationships | Establish and enforce information security policies for supplier relationships. | Develop and enforce information security policies for managing relationships with suppliers and third-party service providers. Regularly review and update these policies to ensure ongoing compliance with security requirements. |
| | | A.15.1.2 Addressing security within supplier agreements | Ensure supplier agreements include information security requirements. | Include specific information security clauses and requirements in contracts with suppliers. Regularly review and update these agreements to ensure they meet organizational standards. |
| | | A.15.2.1 Monitoring and review of supplier services | Regularly monitor and review supplier services for compliance with security requirements. | Conduct regular audits and reviews of supplier services to ensure compliance with information security requirements. Use audit findings to improve supplier management practices. |
| A.16 | Information Security Incident Management | A.16.1.1 Responsibilities and procedures | Define and implement responsibilities and procedures for managing information security incidents. | Develop and document incident management procedures and assign clear roles and responsibilities for incident response. Regularly review and update incident management procedures to ensure they remain effective. |
| | | A.16.1.2 Reporting information security events | Establish procedures for reporting information security events. | Implement mechanisms for timely reporting of information security events to the appropriate personnel and authorities. Regularly review and update reporting procedures to ensure they remain effective. |
| | | A.16.1.3 Reporting information security weaknesses | Implement mechanisms for reporting information security weaknesses. | Establish processes for reporting security weaknesses and vulnerabilities identified within the organization. Regularly review and update these processes to ensure they remain effective. |
| | | A.16.1.4 Assessment of and decision on information security events | Develop processes for assessing and deciding on actions for information security events. | Implement procedures for assessing the impact and deciding on appropriate actions for managing information security events. Regularly review and update these procedures to ensure they remain effective. |
| | | A.16.1.5 Response to information security incidents | Establish procedures for responding to information security incidents. | Develop and document incident response procedures to ensure timely and effective response to security incidents. Regularly review and update incident response procedures to ensure they remain effective. |
| A.17 | Information Security Aspects of Business Continuity Management | A.17.1.1 Planning information security continuity | Integrate information security into business continuity planning. | Ensure information security requirements are incorporated into business continuity and disaster recovery plans. Regularly review and update these plans to address new risks and threats. |
| | | A.17.1.2 Implementing information security continuity | Implement measures to ensure information security continuity during disruptions. | Develop and test plans to maintain information security during business disruptions or emergencies. Regularly review and update these plans to ensure they remain effective. |
| | | A.17.2.1 Availability of information processing facilities | Ensure the availability of critical information processing facilities. | Implement measures to ensure the availability of critical information processing facilities during and after disruptions. Regularly review and update these measures to ensure they remain effective. |
| A.18 | Compliance | A.18.1.1 Identification of applicable legislation and contractual requirements | Identify and document applicable legal, regulatory, and contractual information security requirements. | Conduct a thorough review to identify and document all relevant legal, regulatory, and contractual information security requirements. Regularly review and update this documentation to reflect changes in the legal and regulatory landscape. |
| | | A.18.1.2 Intellectual property rights | Implement controls to protect intellectual property rights. | Develop and enforce policies and procedures to protect intellectual property rights within the organization. Regularly review and update these policies to ensure ongoing compliance with legal and regulatory requirements. |
| | | A.18.2.1 Independent review of information security | Conduct independent reviews of information security policies and practices. | Schedule and conduct regular independent reviews and audits of information security policies and practices. Use audit findings to improve information security management. |
| | | A.18.2.2 Compliance with security policies and standards | Ensure compliance with established information security policies and standards. | Implement monitoring and auditing processes to ensure compliance with internal information security policies and standards. Use audit findings to improve information security management. |