ISO 27001:2022 Controls

A5 Organisational Controls

| Section | Control Objective/Control | App | Reason |
|---|---|---|---|
| A.5.1 | Policies for information security | Y | BR/BP |
| A.5.2 | Information security roles and responsibilities | Y | BR/BP |
| A.5.3 | Segregation of duties | Y | BR/BP |
| A.5.4 | Management responsibilities | Y | BR/BP |
| A.5.5 | Contact with authorities | Y | BR/BP |
| A.5.6 | Contact with special interest groups | Y | BR/BP |
| A.5.7 | Threat intelligence | Y | BR/BP/RRA |
| A.5.8 | Information security in project management | Y | BR/BP |
| A.5.9 | Inventory of information and other associated assets | Y | BR/BP/RRA |
| A.5.10 | Acceptable use of information and other associated assets | Y | BR/BP |
| A.5.11 | Return of assets | Y | BR/BP |
| A.5.12 | Classification of information | Y | BR/BP |
| A.5.13 | Labelling of information | Y | BR/BP |
| A.5.14 | Information transfer | Y | BR/BP |
| A.5.15 | Access control | Y | BR/BP |
| A.5.16 | Identity management | Y | BR/BP |
| A.5.17 | Authentication information | Y | BR/BP |
| A.5.18 | Access rights | Y | BR/BP |
| A.5.19 | Information security in supplier relationships | Y | BR/BP |
| A.5.20 | Addressing information security within supplier agreements | Y | BR/BP |
| A.5.21 | Managing information security in the information and communication technology (ICT) supply chain | Y | BR/BP |
| A.5.22 | Monitoring, review and change management of supplier services | Y | BR/BP |
| A.5.23 | Information security for use of cloud services | Y | BR/BP |
| A.5.24 | Information security incident management planning and preparation | Y | BR/BP |
| A.5.25 | Assessment and decision on information security events | Y | BR/BP |
| A.5.26 | Response to information security incidents | Y | BR/BP/CO |
| A.5.27 | Learning from information security incidents | Y | BR/BP |
| A.5.28 | Collection of evidence | Y | BR/BP |
| A.5.29 | Information security during disruption | Y | BR/BP |
| A.5.30 | ICT readiness for business continuity | Y | BR/BP |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Y | BR/BP |
| A.5.32 | Intellectual property rights | Y | BR/BP |
| A.5.33 | Protection of records | Y | BR/BP |
| A.5.34 | Privacy and protection of personal identifiable information (PII) | Y | BR/BP |
| A.5.35 | Independent review of information security | Y | BR/BP |
| A.5.36 | Compliance with policies, rules and standards for information security | Y | BR/BP |
| A.5.37 | Documented operating procedures | Y | BR/BP |

A6 People Controls

| Section | Control Objective/Control | App | Reason |
|---|---|---|---|
| A.6.1 | Screening | Y | BR/BP/CO |
| A.6.2 | Terms and conditions of employment | Y | BR/BP/CO |
| A.6.3 | Information security awareness, education and training | Y | BR/BP/RRA |
| A.6.4 | Disciplinary process | Y | BR/BP/CO |
| A.6.5 | Responsibilities after termination or change of employment | Y | BR/BP/CO |
| A.6.6 | Confidentiality or non-disclosure agreements | Y | BR/BP/CO |
| A.6.7 | Remote working | Y | BR/BP/CO |
| A.6.8 | Information security event reporting | Y | BR/BP/CO |

A7 Physical Controls

| Section | Control Objective/Control | App | Reason |
|---|---|---|---|
| A.7.1 | Physical security perimeters | Y | BR/BP |
| A.7.2 | Physical entry | Y | BR/BP |
| A.7.3 | Securing offices, rooms and facilities | Y | RRA |
| A.7.4 | Physical security monitoring | Y | RRA |
| A.7.5 | Protecting against physical and environmental threats | Y | RRA |
| A.7.6 | Working in secure areas | Y | RRA |
| A.7.7 | Clear desk and clear screen | Y | BR/BP |
| A.7.8 | Equipment siting and protection | Y | RRA |
| A.7.9 | Security of assets off-premises | Y | RRA |
| A.7.10 | Storage media | Y | BR/BP |
| A.7.11 | Supporting utilities | Y | RRA |
| A.7.12 | Cabling security | Y | RRA |
| A.7.13 | Equipment maintenance | Y | RRA |
| A.7.14 | Secure disposal or re-use of equipment | Y | RRA |

A8 Technological Controls

| Section | Control Objective/Control | App | Reason |
|---|---|---|---|
| A.8.1 | User end point devices | Y | BR/BP |
| A.8.2 | Privileged access rights | Y | BR/BP/RRA |
| A.8.3 | Information access restriction | Y | BR/BP |
| A.8.4 | Access to source code | Y | BR/BP |
| A.8.5 | Secure authentication | Y | BR/BP |
| A.8.6 | Capacity management | Y | BR/BP |
| A.8.7 | Protection against malware | Y | BR/BP |
| A.8.8 | Management of technical vulnerabilities | Y | BR/BP/RRA |
| A.8.9 | Configuration management | Y | BR/BP |
| A.8.10 | Information deletion | Y | BR/BP |
| A.8.11 | Data masking | Y | BR/BP |
| A.8.12 | Data leakage prevention | Y | BR/BP |
| A.8.13 | Information backup | Y | BR/BP |
| A.8.14 | Redundancy of information processing facilities | Y | BR/BP/RRA |
| A.8.15 | Logging | Y | BR/BP/RRA |
| A.8.16 | Monitoring activities | Y | BR/BP |
| A.8.17 | Clock synchronization | Y | BR/BP |
| A.8.18 | Use of privileged utility programs | Y | BR/BP |
| A.8.19 | Installation of software on operational systems | Y | BR/BP |
| A.8.20 | Networks security | Y | BR/BP/RRA |
| A.8.21 | Security of network services | Y | BR/BP |
| A.8.22 | Segregation of networks | Y | BR/BP |
| A.8.23 | Web filtering | Y | BR/BP |
| A.8.24 | Use of cryptography | Y | BR/BP |
| A.8.25 | Secure development life cycle | Y | BR/BP |
| A.8.26 | Application security requirements | Y | BR/BP |
| A.8.27 | Secure system architecture and engineering principles | Y | BR/BP |
| A.8.28 | Secure coding | Y | BR/BP |
| A.8.29 | Security testing in development and acceptance | Y | BR/BP |
| A.8.30 | Outsourced development | Y | BR/BP |
| A.8.31 | Separation of development, test and production environments | Y | BR/BP |
| A.8.32 | Change management | Y | BR/BP |
| A.8.33 | Test information | Y | BR/BP |
| A.8.34 | Protection of information systems during audit testing | Y | BR/BP |