ISO/IEC 27001:2022

Information security, cybersecurity and privacy protection — Information security management systems — Requirements

Source:
@ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
Mindmap: ISO 27002.png



Table columns: Chapter | ISO 27001 Control name | Operational capabilities | Control type | Security domains | Cybersecurity concepts

Chapter 4 - Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system

Chapter 5 - Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities

Chapter 6 - Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
6.3 Planning of changes

Chapter 7 - Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

Chapter 8 - Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment

Chapter 9 - Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

Chapter 10 - Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action

Annex A.5 - Organizational controls (37 controls)
A5.1 Policies for information security
A5.2 Information security roles and responsibilities
A5.3 Segregation of duties
A5.4 Management responsibilities
A5.5 Contact with authorities
A5.6 Contact with special interest groups
A5.7 Threat intelligence
A5.8 Information security in project management
A5.9 Inventory of information and other associated assets
A5.10 Acceptable use of information and other associated assets
A5.11 Return of assets
A5.12 Classification of information
A5.13 Labelling of information
A5.14 Information transfer
A5.15 Access control
A5.16 Identity management
A5.17 Authentication information
A5.18 Access rights
A5.19 Information security in supplier relationships
A5.20 Addressing information security within supplier agreements
A5.21 Managing information security in the information and communication technology (ICT) supply chain
A5.22 Monitoring, review and change management of supplier services
A5.23 Information security for use of cloud services
A5.24 Information security incident management planning and preparation
A5.25 Assessment and decision on information security events
A5.26 Response to information security incidents
A5.27 Learning from information security incidents
A5.28 Collection of evidence
A5.29 Information security during disruption
A5.30 ICT readiness for business continuity
A5.31 Legal, statutory, regulatory and contractual requirements
A5.32 Intellectual property rights
A5.33 Protection of records
A5.34 Privacy and protection of personal identifiable information (PII)
A5.35 Independent review of information security
A5.36 Compliance with policies, rules and standards for information security
A5.37 Documented operating procedures

Annex A.6 - People controls (8 controls)
A6.1 Screening
A6.2 Terms and conditions of employment
A6.3 Information security awareness, education and training
A6.4 Disciplinary process
A6.5 Responsibilities after termination or change of employment
A6.6 Confidentiality or non-disclosure agreements
A6.7 Remote working
A6.8 Information security event reporting

Annex A.7 - Physical controls (14 controls)
A7.1 Physical security perimeters
A7.2 Physical entry
A7.3 Securing offices, rooms and facilities
A7.4 Physical security monitoring
A7.5 Protecting against physical and environmental threats
A7.6 Working in secure areas
A7.7 Clear desk and clear screen
A7.8 Equipment siting and protection
A7.9 Security of assets off-premises
A7.10 Storage media
A7.11 Supporting utilities
A7.12 Cabling security
A7.13 Equipment maintenance
A7.14 Secure disposal or re-use of equipment

Annex A.8 - Technological controls (34 controls)
A8.1 User end point devices
A8.2 Privileged access rights
A8.3 Information access restriction
A8.4 Access to source code
A8.5 Secure authentication
A8.6 Capacity management
A8.7 Protection against malware
A8.8 Management of technical vulnerabilities
A8.9 Configuration management
A8.10 Information deletion
A8.11 Data masking
A8.12 Data leakage prevention
A8.13 Information backup
A8.14 Redundancy of information processing facilities
A8.15 Logging
A8.16 Monitoring activities
A8.17 Clock synchronization
A8.18 Use of privileged utility programs
A8.19 Installation of software on operational systems
A8.20 Networks security
A8.21 Security of network services
A8.22 Segregation of networks
A8.23 Web filtering
A8.24 Use of cryptography
A8.25 Secure development life cycle
A8.26 Application security requirements
A8.27 Secure system architecture and engineering principles
A8.28 Secure coding
A8.29 Security testing in development and acceptance
A8.30 Outsourced development
A8.31 Separation of development, test and production environments
A8.32 Change management
A8.33 Test information
A8.34 Protection of information systems during audit testing
