Annex A - Reference Control Objectives and Controls
A.5 - Information Security Policies
A.5.1 - Management Direction for Information Security To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.6 - Organisation of Information Security
A.6.1 - Internal Organisation To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
A.6.2 - Mobile Devices and Teleworking To ensure the security of teleworking and use of mobile devices.
A.7 - Human Resource Security
A.7.1 - Prior to Employment To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.2 - During Employment To ensure that employees and contractors are aware and fulfill their information security responsibilities.
A.7.3 - Termination and Change of Employment To protect the organisation's interests as part of the process of changing or terminating employment.
A.8 - Asset Management
A.8.1 - Responsibility for Assets To identify organisational assets and define appropriate protection responsibilities.
A.8.2 - Information Classification To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.
A.8.3 - Media Handling To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
A.9 - Access Control
A.9.1 - Business Requirements of Access Control To limit access to information and information processing facilities.
A.9.2 - User Access Management To ensure authorised user access and to prevent unauthorised access to systems and services.
A.9.3 - User Responsibilities To make users accountable for safeguarding their authentication information.
A.9.4 - System and Application Access Control To prevent unauthorised access to systems and applications.
A.10 - Cryptography
A.10.1 - Cryptographic Controls To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A.11 - Physical and Environmental Security
A.11.1 - Secure Areas To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities.
A.11.2 - Equipment To prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.
A.12 - Operations Security
A.12.1 - Operational Procedures and Responsibilities To ensure correct and secure operations of information processing facilities.
A.12.2 - Protection From Malware To ensure that information and information processing facilities are protected against malware.
A.12.3 - Backup To protect against loss of data.
A.12.4 - Logging To record events and generate evidence.
A.12.5 - Control of Operational Software To ensure the integrity of operational systems.
A.12.6 - Technical Vulnerability Management To prevent exploitation of technical vulnerabilities.
A.12.7 - Information Systems Audit Considerations To minimise the impact of audit activities on operational systems.
A.13 - Communications Security
A.13.1 - Network Security Management To ensure the protection of information in networks and its supporting information processing facilities.
A.13.2 - Information Transfer To maintain the security of information transferred within an organisation and with any external entity.
A.14 - System Acquisition, Development and Maintenance
A.14.1 - Security Requirements of Information Systems To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.2 - Security in Development and Support Processes To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.3 - Test Data To ensure the protection of data used for testing.
A.15 - Supplier Relationships
A.15.1 - Information Security in Supplier Relationships To ensure protection of the organisation's assets that are accessible by suppliers.
A.15.2 - Supplier Service Delivery Management To maintain an agreed level of information security and service delivery in line with supplier agreements.
A.16 - Information Security Incident Management
A.16.1 - Management of Information Security Incidents and Improvements To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.17 - Information Security Aspects of Business Continuity Management
A.17.1 - Information Security Continuity Information security continuity shall be embedded in the organisation's business continuity management systems.
A.17.2 - Redundancies To ensure availability of information processing facilities.
A.18 - Compliance
A.18.1 - Compliance with Legal and Contractual Requirements To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.2 - Information Security Reviews To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.