ISO 27001 Annex A Controls

A set of topic-specific information security policies must be defined, approved by management, published, communicated, and reviewed regularly.

Roles and responsibilities for information security must be allocated and communicated.

Conflicting duties and areas of responsibility must be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of assets.

Management must require all personnel to apply information security in accordance with the established policies and procedures.

Appropriate contacts with relevant authorities (regulators, law enforcement, fire, NCSC) must be maintained.

Appropriate contacts with special interest groups or specialist security forums must be maintained.

Information relating to information security threats must be collected and analysed to produce threat intelligence.

Information security must be integrated into project management throughout the project lifecycle.

An inventory of information and other associated assets, including owners, must be developed and maintained.

Rules for acceptable use and procedures for handling information and associated assets must be identified, documented, and implemented.

Personnel and external party users must return all organisational assets in their possession upon change or termination of employment, contract, or agreement.

Information must be classified according to the information security needs of the organisation based on confidentiality, integrity, availability, and relevant stakeholder requirements.

An appropriate set of procedures for information labelling must be developed and implemented in accordance with the information classification scheme.

Information transfer rules, procedures, or agreements must be in place for all transfer facilities within the organisation and between the organisation and other parties.

Rules to control physical and logical access to information and other associated assets must be established and implemented based on business and information security requirements.

The full lifecycle of identities must be managed.

Allocation and management of authentication information must be controlled by a management process, including advising personnel on appropriate handling of authentication information.

Access rights to information and other associated assets must be provisioned, reviewed, modified, and removed in accordance with the organisation's topic-specific policy on and rules for access control.

Processes and procedures must be defined and implemented to manage the information security risks associated with the use of supplier's products or services.

Relevant information security requirements must be established and agreed with each supplier based on the type of supplier relationship.

Processes and procedures must be defined and implemented to manage information security risks associated with the ICT products and services supply chain.

The organisation must regularly monitor, review, evaluate, and manage change in supplier information security practices and service delivery.

Processes for acquisition, use, management, and exit from cloud services must be established in accordance with the organisation's information security requirements.

The organisation must plan and prepare for managing information security incidents by defining, establishing, and communicating processes, roles, and responsibilities.

The organisation must assess information security events and decide if they are to be categorised as information security incidents.

Information security incidents must be responded to in accordance with the documented procedures.

Knowledge gained from information security incidents must be used to strengthen and improve the information security controls.

The organisation must establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events.

The organisation must plan how to maintain information security at an appropriate level during disruption.

ICT readiness must be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

Legal, statutory, regulatory, and contractual requirements relevant to information security and the organisation's approach to meet these requirements must be explicitly identified, documented, and kept up to date.

The organisation must implement appropriate procedures to protect intellectual property rights.

Records must be protected from loss, destruction, falsification, unauthorised access, and unauthorised release.

The organisation must identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations.

The organisation's approach to managing information security and its implementation must be reviewed independently at planned intervals or when significant changes occur.

Compliance with the organisation's information security policy, topic-specific policies, rules, and standards must be regularly reviewed.

Operating procedures for information processing facilities must be documented and made available to personnel who need them.

Background verification checks on all candidates for employment must be carried out prior to joining the organisation and on an ongoing basis.

Employment contracts must state responsibilities for information security, including the employee's and the organisation's responsibilities.

All personnel and, where relevant, contractors must receive appropriate information security awareness education and training, and regular updates of the organisation's policies and procedures.

A disciplinary process must be formalised and communicated to take action against personnel and other interested parties who have committed an information security violation.

Information security responsibilities and duties that remain valid after termination or change of employment must be defined, enforced, and communicated to relevant personnel and other interested parties.

Confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information must be identified, regularly reviewed, documented, and signed by personnel and other relevant interested parties.

Security measures must be implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organisation's premises.

The organisation must provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Security perimeters must be defined and used to protect areas that contain information and other associated assets.

Secure areas must be protected by appropriate entry controls and access points.

Physical security for offices, rooms, and facilities must be designed and implemented.

Premises must be continuously monitored for unauthorised physical access.

Protection against physical and environmental threats, such as natural disasters, must be designed and implemented.

Security measures for working in secure areas must be designed and implemented.

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities must be defined and appropriately enforced.

Equipment must be sited securely and protected.

Off-site assets must be protected.

Storage media must be managed through their lifecycle of acquisition, use, transportation, and disposal in accordance with the organisation's classification scheme and handling requirements.

Information processing facilities must be protected from power failures and other disruptions caused by failures in supporting utilities.

Cables carrying power, data, or supporting information services must be protected from interception, interference, or damage.

Equipment must be maintained correctly to ensure availability, integrity, and confidentiality of information.

Items of equipment containing storage media must be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Information stored on, processed by, or accessible via user endpoint devices must be protected.

The allocation and use of privileged access rights must be restricted and managed.

Access to information and other associated assets must be restricted in accordance with the established topic-specific policy on access control.

Read and write access to source code, development tools, and software libraries must be appropriately managed.

Secure authentication technologies and procedures must be implemented based on information access restrictions and the topic-specific policy on access control.

The use of resources must be monitored and adjusted in line with current and expected capacity requirements.

Protection against malware must be implemented and supported by appropriate user awareness.

Information about technical vulnerabilities of information systems in use must be obtained, the organisation's exposure to such vulnerabilities must be evaluated, and appropriate measures must be taken.

Configurations, including security configurations, of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed.

Information stored in information systems, devices, or in any other storage media must be deleted when no longer required.

Data masking must be used in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Data leakage prevention measures must be applied to systems, networks, and any other devices that process, store, or transmit sensitive information.

Backup copies of information, software, and systems must be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Information processing facilities must be implemented with redundancy sufficient to meet availability requirements.

Logs that record activities, exceptions, faults, and other relevant events must be produced, stored, protected, and analysed.

Networks, systems, and applications must be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

The clocks of information processing systems used by the organisation must be synchronised to approved time sources.

The use of utility programs that might be capable of overriding system and application controls must be restricted and tightly controlled.

Procedures and measures must be implemented to securely manage software installation on operational systems.

Networks and network devices must be secured, managed, and controlled to protect information in systems and applications.

Security mechanisms, service levels, and service requirements of network services must be identified, implemented, and monitored.

Groups of information services, users, and information systems must be segregated in the organisation's networks.

Access to external websites must be managed to reduce exposure to malicious content.

Rules for the effective use of cryptography, including cryptographic key management, must be defined and implemented.

Rules for the secure development of software and systems must be established and applied.

Information security requirements must be identified, specified, and approved when developing or acquiring applications.

Principles for engineering secure systems must be established, documented, maintained, and applied to any information system development or integration activities.

Secure coding principles must be applied to software development.

Security testing processes must be defined and implemented in the development lifecycle.

The organisation must direct, monitor, and review the activities related to outsourced system development.

Development, testing, and production environments must be separated and secured.

Changes to information processing facilities and information systems must be subject to change management procedures.

Test information must be appropriately selected, protected, and managed.

Audit tests and other assurance activities involving assessment of operational systems must be planned and agreed between the tester and appropriate management.