| ‘ISO 27001:2022 Controls | App | Reason | ||
|---|---|---|---|---|
| Section | Control | Control Objective/Control | ||
| A5 Organisational Controls | A.5.1 | Policies for information security | Y | BR/BP |
| A.5.2 | Information security roles and responsibilities | Y | BR/BP | |
| A.5.3 | Segregation of duties | Y | BR/BP | |
| A.5.4 | Management responsibilities | Y | BR/BP | |
| A.5.5 | Contact with authorities | Y | BR/BP | |
| A.5.6 | Contact with special interest groups | Y | BR/BP | |
| A.5.7 | Threat intelligence | Y | BR/BP/RRA | |
| A.5.8 | Information security in Project Management | Y | BR/BP | |
| A.5.9 | Inventory of information and other associated assets | Y | BR/BP/RRA | |
| A.5.10 | Acceptable use of information and other associated assets | Y | BR/BP | |
| A.5.11 | Return of assets | Y | BR/BP | |
| A.5.12 | Classification of information | Y | BR/BP | |
| A.5.13 | Labelling of information | Y | BR/BP | |
| A.5.14 | Information transfer | Y | BR/BP | |
| A.5.15 | Access control | Y | BR/BP | |
| A.5.16 | Identity management | Y | BR/BP | |
| A.5.17 | Authentication information | Y | BR/BP | |
| A.5.18 | Access rights | Y | BR/BP | |
| A.5.19 | Information security in supplier relationships | Y | BR/BP | |
| A.5.20 | Addressing information security within supplier agreements | Y | BR/BP | |
| A.5.21 | Managing information security in the information and communication technology (ICT) supply-chain | Y | BR/BP | |
| A.5.22 | Monitoring, review and change management of supplier services | Y | BR/BP | |
| A.5.23 | Information security for use of cloud services | Y | BR/BP | |
| A.5.24 | Information security incident management planning and preparation | Y | BR/BP | |
| A.5.25 | Assessment and decision on information security events | Y | BR/BP | |
| A.5.26 | Response to information security incidents | Y | BR/BP/CO | |
| A.5.27 | Learning from information security incidents | Y | BR/BP | |
| A.5.28 | Collection of evidence | Y | BR/BP | |
| A.5.29 | Information security during disruption | Y | BR/BP | |
| A.5.30 | ICT readiness for business continuity | Y | BR/BP | |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Y | BR/BP | |
| A.5.32 | Intellectual property rights | Y | BR/BP | |
| A.5.33 | Protection of records | Y | BR/BP | |
| A.5.34 | Privacy and protection of personal identifiable information (PII) | Y | BR/BP | |
| A.5.35 | Independent review of information security | Y | BR/BP | |
| A.5.36 | Compliance with policies, rules and standards for information security | Y | BR/BP | |
| A.5.37 | Documented operating procedures | Y | BR/BP | |
| A6 People Controls | A.6.1 | Screening | Y | BR/BP/CO |
| A.6.2 | Terms and conditions of employment | Y | BR/BP/CO | |
| A.6.3 | Information security awareness, education and training | Y | BR/BP/RRA | |
| A.6.4 | Disciplinary process | Y | BR/BP/CO | |
| A.6.5 | Responsibilities after termination or change of employment | Y | BR/BP/CO | |
| A.6.6 | Confidentiality or non-disclosure agreements | Y | BR/BP/CO | |
| A.6.7 | Remote working | Y | BR/BP/CO | |
| A.6.8 | Information security event reporting | Y | BR/BP/CO | |
| A7 Physical Controls | A.7.1 | Physical security perimeters | Y | BR/BP |
| A.7.2 | Physical entry | Y | BR/BP | |
| A.7.3 | Securing offices, rooms and facilities | Y | RRA | |
| A.7.4 | Physical security monitoring | Y | RRA | |
| A.7.5 | Protecting against physical and environmental threats | Y | RRA | |
| A.7.6 | Working in secure areas | Y | RRA | |
| A.7.7 | Clear desk and clear screen | Y | BR/BP | |
| A.7.8 | Equipment siting and protection | Y | RRA | |
| A.7.9 | Security of assets off-premises | Y | RRA | |
| A.7.10 | Storage media | Y | BR/BP | |
| A.7.11 | Supporting utilities | Y | RRA | |
| A.7.12 | Cabling security | Y | RRA | |
| A.7.13 | Equipment maintenance | Y | RRA | |
| A.7.14 | Secure disposal or re-use of equipment | Y | RRA | |
| A8 Technological Controls | A.8.1 | User end point devices | Y | BR/BP |
| A.8.2 | Privileged access rights | Y | BR/BP/RRA | |
| A.8.3 | Information access restriction | Y | BR/BP | |
| A.8.4 | Access to source code | Y | BR/BP | |
| A.8.5 | Secure authentication | Y | BR/BP | |
| A.8.6 | Capacity management | Y | BR/BP | |
| A.8.7 | Protection against malware | Y | BR/BP | |
| A.8.8 | Management of technical vulnerabilities | Y | BR/BP/RRA | |
| A.8.9 | Configuration management | Y | BR/BP | |
| A.8.10 | Information deletion | Y | BR/BP | |
| A.8.11 | Data masking | Y | BR/BP | |
| A.8.12 | Data leakage prevention | Y | BR/BP | |
| A.8.13 | Information backup | Y | BR/BP | |
| A.8.14 | Redundancy of information processing facilities | Y | BR/BP/RRA | |
| A.8.15 | Logging | Y | BR/BP/RRA | |
| A.8.16 | Monitoring activities | Y | BR/BP | |
| A.8.17 | Clock synchronization | Y | BR/BP | |
| A.8.18 | Use of privileged utility programs | Y | BR/BP | |
| A.8.19 | Installation of software on operational systems | Y | BR/BP | |
| A.8.20 | Networks security | Y | BR/BP/RRA | |
| A.8.21 | Security of network services | Y | BR/BP | |
| A.8.22 | Segregation of networks | Y | BR/BP | |
| A.8.23 | Web filtering | Y | BR/BP | |
| A.8.24 | Use of cryptography | Y | BR/BP | |
| A.8.25 | Secure development life cycle | Y | BR/BP | |
| A.8.26 | Application security requirements | Y | BR/BP | |
| A.8.27 | Secure system architecture and engineering principles | Y | BR/BP | |
| A.8.28 | Secure coding | Y | BR/BP | |
| A.8.29 | Security testing in development and acceptance | Y | BR/BP | |
| A.8.30 | Outsourced development | Y | BR/BP | |
| A.8.31 | Separation of development, test and production environments | Y | BR/BP | |
| A.8.32 | Change management | Y | BR/BP | |
| A.8.33 | Test information | Y | BR/BP | |
| A.8.34 | Protection of information systems during audit testing | Y | BR/BP | |