ISO 27002
Here we list the ISO 27002 control areas (sections 5-18 and their subheadings), each to be linked to a description of the control and our take on how it should be interpreted. Strictly speaking, ISO 27002 is a code of practice; the controls an organisation is required to address are those in ISO 27001 Annex A, which uses the same numbering.
Bear with us as we add this content; we intend it to be as comprehensive as our ISO 9001 breakdown.
Section 5 Information Security Policies
Section 6 Organisation of Information Security
- Roles and Responsibilities
- Segregation of Duties
- Contact with Authorities
- Special Interest Groups
- Project Management
- Mobile Devices
- Teleworking
Section 7 Human Resource Security
- Screening
- Terms and Conditions of Employment
- During Employment
- Disciplinary Process
- Termination / Change of Employment
Section 8 Asset Management
- Inventory of Assets and Ownership
- Acceptable Use
- Return of Assets
- Information Classification and Labelling
- Handling
- Media Handling, Disposal & Physical Media Transfer
Section 9 Access Control
- Access Control Policy
- Access to Networks / Network Services
- User Access Management
- User Responsibilities
- System and Application Access Control
Section 10 Cryptography
Section 11 Physical and Environmental Security
Section 12 Operations Security
- Operational Procedures and Responsibilities
- Protection from Malware
- Backup
- Logging and Monitoring
- Operational Software
- Technical Vulnerability Management
- Information Systems Audit Considerations
Section 13 Communications Security
Section 14 System Acquisition, Development and Maintenance
Section 15 Supplier Relationships
Section 16 Information Security Incident Management
Section 17 Business Continuity Management
Section 18 Compliance
Incidentally, other standards also exist that cover largely the same activities as those listed above, such as the CIS Critical Security Controls (formerly the SANS Top 20); the 20 controls, as listed on Wikipedia at the time of writing, are:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises