Reviewing IT Security: ISO 27001 Controls Supplement (by xiaohuicaicai)

ISO 27001:2005 Standard

Worksheet columns: Clause | Sec | Objective | Control | Detailed Controls | Current Situation | Recommendation
The Current Situation and Recommendation columns are blank in this worksheet; the entries below list the clause, section, objective, control, and detailed control text.

Clause: Security Policy

  5.1  Information Security Policy
       Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

  5.1.1  Information security policy
         An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

  5.1.2  Review of information security policy
         The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and

Clause: Organization of Information Security

  6.1  Internal Organization
       Objective: To manage information security within the organization.

  6.1.1  Management commitment to information security
         Management should actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security

  6.1.2  Information security co-ordination
         Information security activities should be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

  6.1.3  Allocation of information security responsibilities
         All information security responsibilities should be clearly defined.

  6.1.4  Authorization process for information processing facilities
         A management authorization process for new information processing facilities should be defined and implemented.

  6.1.5  Confidentiality agreements
         Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified and regularly reviewed.

  6.1.6  Contact with authorities
         Appropriate contacts with relevant authorities should be maintained.

  6.1.7  Contact with special interest groups
         Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
  6.1.8  Independent review of information security
         The organization’s approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, or when significant changes to the security implementation

  6.2  External Parties
       Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

  6.2.1  Identification of risks related to external parties
         The risks to the organization’s information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.

  6.2.2  Addressing security when dealing with customers
         All identified security requirements should be addressed before giving customers access to the organization’s information or

  6.2.3  Addressing security in third party agreements
         Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities should cover all relevant security requirements.

Clause: Asset Management

  7.1  Responsibility for Assets
       Objective: To achieve and maintain appropriate protection of organizational assets.

  7.1.1  Inventory of assets
         All assets should be clearly identified and an inventory of all important assets drawn up and maintained.

  7.1.2  Ownership of assets
         All information and assets associated with information processing facilities should be owned by a designated part of the

  7.1.3  Acceptable use of assets
         Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented, and implemented.
  7.2  Information Classification
       Objective: To ensure that information receives an appropriate level of protection.

  7.2.1  Classification guidelines
         Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.

  7.2.2  Information labelling and handling
         An appropriate set of procedures for information labelling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.

Clause: Human Resource Security

  8.1  Prior to Employment
       Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

  8.1.1  Roles and responsibilities
         Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.

  8.1.2  Screening
         Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

  8.1.3  Terms and conditions of employment
         As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.
  8.2  During Employment
       Objective: To ensure that employees, contractors and third party users are aware of security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human

  8.2.1  Management responsibility
         Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the

  8.2.2  Information security awareness, education and training
         All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

  8.2.3  Disciplinary process
         There should be a formal disciplinary process for employees who have committed a security breach.

  8.3  Termination or Change of Employment
       Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

  8.3.1  Termination responsibility
         Responsibilities for performing employment termination or change of employment should be clearly defined and

  8.3.2  Return of assets
         All employees, contractors and third party users should return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.

  8.3.3  Removal of access rights
         The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Clause: Physical and Environmental Security

  9.1  Secure Areas
       Objective: To prevent unauthorized physical access, damage, and interference to the premises and information.
  9.1.1  Physical security perimeter
         Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities.

  9.1.2  Physical entry controls
         Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed

  9.1.3  Securing offices, rooms and facilities
         Physical security for offices, rooms, and facilities should be designed and applied.

  9.1.4  Protecting against external and environmental threats
         Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and

  9.1.5  Working in secure areas
         Physical protection and guidelines for working in secure areas should be designed and applied.

  9.1.6  Public access, delivery and loading areas
         Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

  9.2  Equipment Security
       Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

  9.2.1  Equipment siting and protection

  9.2.2  Support utilities
         Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

  9.2.3  Cabling security
         Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.

  9.2.4  Equipment maintenance
         Equipment should be correctly maintained to ensure its continued availability and
  9.2.5  Security of equipment off-premises
         Security should be applied to off-site equipment taking into account the different risks of working outside the organization’s premises.

  9.2.6  Secure disposal or reuse of equipment
         All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

  9.2.7  Removal of property
         Equipment, information or software should not be taken off-site without prior

Clause: Communications and Operations Management

  10.1  Operational Procedures and Responsibilities
        Objective: To ensure the correct and secure operation of information processing

  10.1.1  Documented operating procedures
          Operating procedures should be documented, maintained, and made available to all users who need them.

  10.1.2  Change management
          Changes to information processing facilities and systems should be controlled.

  10.1.3  Segregation of duties
          Duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

  10.1.4  Separation of development and operations facilities
          Development, test, and operational facilities should be separated to reduce the risks of unauthorised access or changes to the operational system.

  10.2  Third Party Service Delivery Management
        Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

  10.2.1  Service delivery
          It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third

  10.2.2  Monitoring and review of third party services
          The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out regularly.
                                                                                                 ISO 27001:2005 Standard

Clause   Sec      Objective                                Control                        Detailed Controls                             Current Situation   Recommendation1
          Manage changes to the third party services    Changes to the provision of services, including
                                                        maintaining and improving existing information security
                                                        policies, procedures and controls, should be managed,
                                                        taking account of the criticality of business systems and
                                                        processes involved and re-assessment of risks.

          System Planning and
          Objective: To minimize the risk of systems failures.

10.3.1    Capacity management                           The use of resources should be monitored, tuned, and
                                                        projections made of future capacity requirements to ensure
                                                        the required system performance.
10.3.2    System acceptance                             Acceptance criteria for new information systems, upgrades,
                                                        and new versions should be established and suitable tests
                                                        of the system(s) carried out during development and prior
                                                        to acceptance.

          Protection against Malicious and Mobile Code
          Objective: To protect the integrity of software and information.

          Controls against malicious code               Detection, prevention, and recovery controls to protect
                                                        against malicious code and appropriate user awareness
                                                        procedures should be implemented.
10.4.2    Controls against mobile code                  Where the use of mobile code is authorized, the
                                                        configuration should ensure that the authorised mobile code
                                                        operates according to a clearly defined security policy,
                                                        and unauthorized mobile code should be prevented from
                                                        executing.

10.5      Back-Up
          Objective: To maintain the integrity and availability of information and information processing
          facilities.

10.5.1    Information backup                            Back-up copies of information and software should be taken
                                                        and tested regularly in accordance with the agreed backup
                                                        policy.

          Network Security Management
          Objective: To ensure the protection of information in networks and the protection of the
          supporting
Clause: Communications and Operations Management

10.6.1    Network controls                              Networks should be adequately managed and controlled, in
                                                        order to be protected from threats, and to maintain
                                                        security for the systems and applications using the
                                                        network, including information in transit.
10.6.2    Security of network services                  Security features, service levels, and management
                                                        requirements of all network services should be identified
                                                        and included in any network services agreement, whether
                                                        these services are provided in-house or outsourced.

10.7      Media Handling
          Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and
          interruption to business activities.

10.7.1    Management of removable                       There should be procedures in place for the management of
                                                        removable media.
10.7.2    Disposal of Media                             Media should be disposed of securely and safely when no
                                                        longer required, using formal procedures.
10.7.3    Information handling                          Procedures for the handling and storage of information
                                                        should be established to protect this information from
                                                        unauthorized disclosure or misuse.
          Security of system documentation              System documentation should be protected against
                                                        unauthorized access.

10.8      Exchange of Information
          Objective: To maintain the security of information and software exchanged within an organization
          and with any external entity.

10.8.1    Information exchange policies and             Formal exchange policies, procedures, and controls should
          procedures                                    be in place to protect the exchange of information through
                                                        the use of all types of communication facilities.
10.8.2    Exchange agreements                           Agreements should be established for the exchange of
                                                        information and software between the organization and
                                                        external
10.8.3    Physical media in transit                     Media containing information should be protected against
                                                        unauthorized access, misuse or corruption during
                                                        transportation beyond an organization’s physical
10.8.4    Electronic messaging                          Information involved in electronic messaging should be
                                                        appropriately
10.8.5    Business information systems                  Policies and procedures should be developed and
                                                        implemented to protect information associated with the
                                                        interconnection of business information

10.9      Electronic Commerce Services
          Objective: To ensure the security of electronic commerce services, and their secure

10.9.1    Electronic commerce                           Information involved in electronic commerce passing over
                                                        public networks should be protected from fraudulent
                                                        activity, contract dispute, and unauthorized disclosure
                                                        and modification.
10.9.2    On-Line transactions                          Information involved in on-line transactions should be
                                                        protected to prevent incomplete transmission, mis-routing,
                                                        unauthorized message alteration, unauthorized disclosure,
                                                        unauthorized message duplication or replay.
10.9.3    Publicly available information                The integrity of information being made available on a
                                                        publicly available system should be protected to prevent
                                                        unauthorized modification.

10.10     Monitoring
          Objective: To detect unauthorized information processing activities.

10.10.1   Audit logging                                 Audit logs recording user activities, exceptions, and
                                                        information security events should be produced and kept
                                                        for an agreed period to assist in future investigations
                                                        and access control
10.10.2   Monitoring system use                         Procedures for monitoring use of information processing
                                                        facilities should be established and the results of the
                                                        monitoring activities reviewed regularly.
10.10.3   Protection of log information                 Logging facilities and log information should be protected
                                                        against tampering and unauthorized access.
          Administrator and operator logs               System administrator and system operator activities should
                                                        be logged.
10.10.5   Fault logging                                 Faults should be logged, analysed, and appropriate action
                                                        taken.
10.10.6   Clock synchronization                         The clocks of all relevant information processing systems
                                                        within an organization or security domain should be
                                                        synchronized with an agreed accurate time source.
          Business Requirement for Access Control
          Objective: To control access to information.

11.1.1    Access control policy                         An access control policy should be established,
                                                        documented, and reviewed based on business and security
                                                        requirements for access.

11.2      User Access Management
          Objective: To ensure authorized user access and to prevent unauthorized access to information
          systems.

11.2.1    User registration                             There should be a formal user registration and
                                                        de-registration procedure in place for granting and
                                                        revoking access to all information systems and services.
11.2.2    Privilege management                          The allocation and use of privileges should be restricted
                                                        and controlled.
11.2.3    User password management                      The allocation of passwords should be controlled through
                                                        a formal management
11.2.4    Review of user access rights                  Management should review users’ access rights at regular
                                                        intervals using a formal

11.3      User Responsibilities
          Objective: To prevent unauthorized user access, and compromise or theft of information and
          information processing facilities.

11.3.1    Password use                                  Users should be required to follow good security practices
                                                        in the selection and use of passwords.
11.3.2    Unattended user equipment                     Users should ensure that unattended equipment has
                                                        appropriate protection.
11.3.3    Clear desk and clear screen                   A clear desk policy for papers and removable storage media
                                                        and a clear screen policy for information processing
                                                        facilities should be adopted.

11.4      Network Access Control
          Objective: To prevent unauthorized access to networked services.

11.4.1    Policy on use of network                      Users should only be provided with access to the services
                                                        that they have been specifically authorized to use.
11.4.2    User authentication for external              Appropriate authentication methods should be used to
          connections                                   control access by remote
          Equipment identification in networks          Automatic equipment identification should be considered as
                                                        a means to authenticate connections from specific locations
                                                        and
Clause: Access control

11.4.4    Remote diagnostic and configuration           Physical and logical access to diagnostic and
          port protection                               configuration ports should be
11.4.5    Segregation in networks                       Groups of information services, users, and information
                                                        systems should be segregated on networks.
11.4.6    Network connection control                    For shared networks, especially those extending across the
                                                        organization’s boundaries, the capability of users to
                                                        connect to the network should be restricted, in line with
                                                        the access control policy and requirements of the business
                                                        applications (see 11.1).
11.4.7    Network routing control                       Routing controls should be implemented for networks to
                                                        ensure that computer connections and information flows do
                                                        not breach the access control policy of the business
                                                        applications.

          Operating System Access Control
          Objective: To prevent unauthorized access to operating systems.

11.5.1    Secure log-on procedures                      Access to operating systems should be controlled by a
                                                        secure log-on procedure.
          User identification and authentication        All users should have a unique identifier (user ID) for
                                                        their personal use only, and a suitable authentication
                                                        technique should be chosen to substantiate the claimed
                                                        identity of a user.
11.5.3    Password management                           Systems for managing passwords should be interactive and
                                                        should ensure quality
11.5.4    Use of system utilities                       The use of utility programs that might be capable of
                                                        overriding system and application controls should be
                                                        restricted and tightly controlled.
11.5.5    Session time-out                              Inactive sessions should shut down after a defined period
                                                        of inactivity.
11.5.6    Limitation of connection time                 Restrictions on connection times should be used to provide
                                                        additional security for high-risk applications.

11.6      Application Access Control
          Objective: To prevent unauthorized access to information held in application systems.

11.6.1    Information access restriction                Access to information and application system functions by
                                                        users and support personnel should be restricted in
                                                        accordance with the defined access control
11.6.2    Sensitive system isolation                    Sensitive systems should have a dedicated (isolated)
                                                        computing environment.

11.7      Mobile Computing and
          Objective: To ensure information security when using mobile computing and teleworking facilities.

11.7.1    Mobile computing and                          A formal policy should be in place, and appropriate
                                                        security measures should be adopted to protect against the
                                                        risks of using mobile computing and communication
                                                        facilities.
11.7.2    Teleworking                                   A policy, operational plans and procedures should be
                                                        developed and implemented for teleworking activities.

          Security Requirements of Information Systems
          Objective: To ensure that security is an integral part of information systems.

12.1.1    Security requirement analysis and             Statements of business requirements for new information
          specifications                                systems, or enhancements to existing information systems
                                                        should specify the requirements for security controls.

12.2      Correct Processing in
          Objective: To prevent errors, loss, unauthorized modification or misuse of information in

12.2.1    Input data validation                         Data input to applications should be validated to ensure
                                                        that this data is correct and appropriate.
12.2.2    Control of internal processing                Validation checks should be incorporated into applications
                                                        to detect any corruption of information through processing
                                                        errors or deliberate acts.
12.2.3    Message integrity                             Requirements for ensuring authenticity and protecting
                                                        message integrity in applications should be identified, and
                                                                                                        appropriate controls identified and
                                                                                                        Data output from an application should be
                                                                                                        validated to ensure that the processing of
                      12.2.4                                              Output data validation        stored information is correct and
                                                                                                        appropriate to the circumstances.

                               To protect the confidentiality,
                      12.3     authenticity or integrity of information
                                                                          Cryptographic Controls
                               by cryptographic means.

                                                                                                        A policy on the use of cryptographic
                                                                          Policy on the use of
                      12.3.1                                                                            controls for protection of information
                                                                          cryptographic controls
                                                                                                        should be developed and implemented.

Information Systems
Development and
                                                                                                                 ISO 27001:2005 Standard

Clause                Sec      Objective                                 Control                          Detailed Controls                             Current Situation   Recommendation1
                                                                                                          Key management should be in place to
                      12.3.2                                             Key management                   support the organization’s use of
Information Systems
                                                                                                          cryptographic techniques.
                               To ensure the security of system files.
Development and       12.4                                               Security of System Files
Maintenance                                                                                               There should be procedures in place to
                                                                         Control of operational
                      12.4.1                                                                              control the installation of software on
                                                                                                          operational systems.
                                                                                                          Test data should be selected carefully, and
                      12.4.2                                             Protection of system test data
                                                                                                          protected and controlled.
                                                                         Access control to program        Access to program source code should be
                                                                         source library                   restricted.
                               To maintain the security of application
                                                                         Security in Development &
                      12.5     system software and information.
                                                                         Support Processes
                                                                                                          The implementation of changes should be
                      12.5.1                                             Change control procedures        controlled by the use of formal change
                                                                                                          control procedures.
                                                                                                          When operating systems are changed,
                                                                         Technical review of              business critical applications should be
                      12.5.2                                             applications after Operating     reviewed and tested to ensure there is no
                                                                         system changes                   adverse impact on organizational
                                                                                                          operations or security.
                                                                                                          Modifications to software packages should
                                                                         Restrictions on changes to       be discouraged, limited to necessary
                                                                         software packages                changes, and all changes should be strictly
                                                                                                          Opportunities for information leakage
                      12.5.4                                             Information leakage
                                                                                                          should be prevented.
                                                                                                          Outsourced software development should
                                                                         Outsourced software
                      12.5.5                                                                              be supervised and monitored by the
                               To reduce risks resulting from
                                                                         Technical Vulnerability
                      12.6     exploitation of published technical
                                                                                                          Timely information about technical
                                                                                                          vulnerabilities of information systems
                                                                         Control of technical             being used should be obtained, the
                      12.6.1                                                                              organization's exposure to such
                                                                                                          vulnerabilities evaluated, and appropriate
                                                                                                          measures taken to address the associated

                               To ensure information security events
                               and weaknesses associated with
                                                                     Reporting Information
                               information systems
                      13.1                                           Security Events and
                               are communicated in a manner allowing
                               timely corrective action to be taken.
                                                                                                                 ISO 27001:2005 Standard

Clause                Sec      Objective                                 Control                          Detailed Controls                             Current Situation   Recommendation1
                                                                                                          Information security events should be
                                                                         Reporting Information            reported through appropriate
                                                                         security events                  management channels as quickly as
                                                                                                          All employees, contractors and third party
                                                                                                          users of information systems and services
                                                                         Reporting security               should be required to note and report any
                                                                         weaknesses                       observed or suspected security weaknesses
                                                                                                          in systems or services.

                               To ensure a consistent and effective
                                                                     Management of Information
                               approach is applied to the management
Information Security 13.2                                            Security Incidents and
                               of information
Incident Management                                                  Improvements
                               security incidents.
                                                                                                          Management responsibilities and
                                                                         Responsibilities and             procedures should be established to
                      13.2.1                                                                              ensure a quick, effective, and orderly
                                                                                                          response to information security incidents.

                                                                                                          There should be mechanisms in place to
                                                                         Learning from information        enable the types, volumes, and costs of
                                                                         security incidents               information security incidents to be
                                                                                                          quantified and monitored.
                                                                                                          Where a follow-up action against a person
                                                                                                          or organization after an information
                                                                                                          security incident involves legal action
                      13.2.3                                             Collection of evidence           (either civil or criminal), evidence should
                                                                                                          be collected, retained, and presented to
                                                                                                          conform to the rules for evidence laid
                                                                                                          down in the relevant jurisdiction(s).

                               To counteract interruptions to business
                               activities and to protect critical business
                               processes                                   Information Security Aspects
                      14.1     from the effects of major failures of       of Business Continuity
                               information systems or disasters and to Management
                               ensure their timely
                                                                                                        A managed process should be developed
                                                                                                        and maintained for business continuity
                                                                         Including Information security
                                                                                                        throughout the organization that
                      14.1.1                                             in business continuity
                                                                                                        addresses the information security
                                                                         management process
                                                                                                        requirements needed for the
                                                                                                        organization’s business continuity.

Business Continuity
                                                                                                               ISO 27001:2005 Standard

Clause                Sec      Objective                               Control                          Detailed Controls                               Current Situation   Recommendation1
                                                                                                        Events that can cause interruptions to
                                                                                                        business processes should be identified,
                                                                       Business continuity and risk     along with the probability and impact of
Business Continuity                                                    assessment                       such interruptions and their consequences
Management                                                                                              for information security.

                                                                                                     Plans should be developed and
                                                                                                     implemented to maintain or restore
                                                                       Developing and implementing operations and ensure availability of
                      14.1.3                                           continuity plans including    information at the required level and in
                                                                       information security          the required time scales following
                                                                                                     interruption to, or failure of, critical
                                                                                                     business processes.
                                                                                                     A single framework of business continuity
                                                                                                     plans should be maintained to ensure all
                                                                       Business continuity planning plans are consistent, to consistently
                                                                       framework                     address information security requirements,
                                                                                                     and to identify priorities for testing and
                                                                       Testing, maintaining and re- Business continuity plans should be tested
                      14.1.5                                           assessing business continuity and updated regularly to ensure that they
                                                                       plans                         are up to date and effective.

                               To avoid breaches of any law, statutory,
                               regulatory or contractual obligations,   Compliance with Legal
                               and of any security requirements.        Requirements

                                                                                                        All relevant statutory, regulatory, and
                                                                                                        contractual requirements and the
                                                                       Identification of applicable     organization’s approach to meet these
                      15.1.1                                                                            requirements should be explicitly defined,
                                                                                                        documented, and kept up to date for each
                                                                                                        information system and the organization.

                                                                                                        Appropriate procedures should be
                                                                                                        implemented to ensure compliance with
                                                                                                        legislative, regulatory, and contractual
                                                                       Intellectual Property Rights (   requirements on the use of material in
                                                                       IPR)                             respect of which there may be intellectual
                                                                                                        property rights and on the use of
                                                                                                        proprietary software products.

                                                                                                        Important records should be protected
                                                                       Protection of organizational     from loss, destruction, and falsification, in
                      15.1.3                                                                            accordance with statutory, regulatory,
                                                                                                        contractual, and business requirements.

                                                                                                      Data protection and privacy should be
                                                                       Data protection and privacy of ensured as required in relevant legislation,
                                                                       personal information           regulations, and, if applicable, contractual
Compliance                                                                                            clauses.
                                                                                                               ISO 27001:2005 Standard

Clause                 Sec       Objective                               Control                        Detailed Controls                             Current Situation                        Recommendation1
                                                                         Prevention of misuse of        Users should be deterred from using
                       15.1.5                                            information processing         information processing facilities for
                                                                         facilities                     unauthorized purposes.
                                                                                                        Cryptographic controls should be used in
                                                                         Regulation of cryptographic
                       15.1.6                                                                           compliance with all relevant agreements,
                                                                                                        laws, and regulations.
                                To ensure compliance of systems with     Compliance with Security
                       15.2     organizational security policies and     Policies and Standards and
                                standards.                               Technical compliance
                                                                                                        Managers should ensure that all security
                                                                         Compliance with security       procedures within their area of
                       15.2.1                                                                           responsibility are carried out correctly to
                                                                                                        achieve compliance with security policies
                                                                                                        and standards.
                                                                                                        Information systems should be regularly
                                                                         Technical compliance
                       15.2.2                                                                           checked for compliance with security
                                                                                                        implementation standards.
                                To maximize the effectiveness of and to
                                                                        Information System Audit
                       15.3     minimize interference to/from the
                                information systems audit process.
                                                                                                        Audit requirements and activities involving
                                                                         Information system audit       checks on operational systems should be
                       15.3.1                                                                           carefully planned and agreed to minimize
                                                                                                        the risk of disruptions to business
                                                                                                        Access to information systems audit tools
                                                                         Protection of information
                       15.3.2                                                                           should be protected to prevent any
                                                                         system audit tools
                                                                                                        possible misuse or compromise.
(1) Not every row has a recommendation. This does not mean the controls are sufficient or adequate and require action: a control may require a predicate control, and subsequent reviews may indicate the need for additional controls as the organization matures. Nor are controls identified in every row. This does not mean that these are the only controls; there may be mitigating or compensating controls in operations that were not reviewed.
