ISO 27002 controls

Here we list all the ISO 27002 controls required by the standard (sections 5-18 and subheadings) each linked into a description and our take on how they should be interpreted:

Bear with us as we add this content, we do intend it to be as comprehensive as our ISO 9001 breakdown.

Section 5 Information Security Policies

• Policies
• Policy review

Section 6 Organisation of Information Security

• Roles and Responsibility
• Segregation of Duties
• Contact with Authorities
• Special Interest Groups
• Project Management
• Mobile Devices
• Teleworking

Section 7 Human Resource Security

• Screening
• Terms and Conditions of Employment
• During Employment
• Disciplinary process
• Termination / Change of Employment

Section 8 Asset Management

• Inventory of Assets and Ownership
• Acceptable Use
• Return of Assets
• Information Classification and Labelling
• Handling
• Media Handling, Disposal & Physical Media Transfer

Section 9 Access Control

• Access Control Policy
• Access to Networks / Network Services
• User Access Management
• User Responsibilities
• System and Application Access Control

Section 10 Cryptography

• Cryptographic controls

Section 11 Physical and Environmental Security

• Secure Areas
• Equipment

Section 12 Operations Security

• Operational procedures and responsibility
• Protection from Malware
• Backup
• Logging and Monitoring
• Operational Software
• Technical vulnerability management
• Information Systems audits

Section 13 Communications Security

• Network Security Management
• Information Transfer

Section 14 System Acquisition, development and maintenance

• Security Requirements of information systems
• Security in Development and Support Processes
• Test Data

Section 15 Supplier Relationships

• Information Security Implications
• Service Delivery Management

Section 16 Information Security Incident Management

• Incident management and improvements

Section 17 Business Continuity Management

• Continuity
• Redundancies

Section 18 : Compliance

• Legal and contractual requirements
• Information Security Reviews

Incidentally other standards do exits which largely cover the same activities mentioned above, such as CIS / SANS 20 whose 20 guidelines are here borrowed from Wikipedia:

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises