

DISCLAIMER

  • The information provided on this website is intended to provide a basic understanding of certain technologies and is not intended to be a comprehensive guide.
  • Therefore, it should not be relied upon as the sole source of information and should not be used as a substitute for professional advice or expert analysis.
  • Please exercise caution when visiting or downloading from websites mentioned on this website and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The reader assumes all responsibility for their use of the information contained on this website and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this website or the information contained herein.
  • The author reserves the right to update or change the information contained on this website at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner.
  • Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

Reference:

  • ISO 27002:2022 
  • Completely generated using LLMs

27002: A Comprehensive Overview 

Completely generated using LLMs


Introduction to ISO/IEC 27002:2022

This comprehensive guide provides an in-depth look at the information security controls outlined in ISO/IEC 27002:2022. This international standard offers a robust reference set of generic information security controls, along with practical guidance for their implementation. It's designed to help organizations establish and maintain strong information security management systems (ISMS) based on ISO/IEC 27001.

What is ISO/IEC 27002:2022? (Purpose and Scope)

ISO/IEC 27002:2022, titled "Information security, cybersecurity and privacy protection – Information security controls," is a pivotal international standard. It offers a comprehensive reference set of generic information security controls, accompanied by detailed implementation guidance. This document is specifically crafted to assist organizations in several key areas:

  • Establishing an information security management system (ISMS) based on ISO/IEC 27001.
  • Implementing information security controls aligned with internationally recognized best practices.
  • Developing tailored, organization-specific information security management guidelines.

The standard acknowledges the diverse nature of information handling in modern organizations, encompassing creation, collection, processing, storage, transmission, and disposal across various forms, including electronic, physical, and verbal communications. It underscores that the value of information extends beyond tangible data to intangible assets like knowledge, concepts, ideas, and brands, all of which necessitate protection in an interconnected world.

Why is it essential for your organization? (Benefits and the Risk-Based Approach)

The implementation of ISO/IEC 27002:2022 controls is essential for several compelling reasons. Fundamentally, it enables organizations to achieve information security by deploying a suitable set of controls, thereby fulfilling their specific security and business objectives. A well-implemented ISMS, guided by this standard, provides critical assurance to both management and other interested parties that information and associated assets are adequately secured and protected against threats and harm, which in turn empowers the organization to achieve its stated business objectives.

A critical aspect of ISO/IEC 27002:2022 is its strong emphasis on a risk-based approach to information security. The standard explicitly states that the primary source of information security requirements stems from the assessment of risks to the organization. This risk assessment must consider the organization's overarching business strategy and objectives, culminating in the determination of controls necessary to ensure that residual risks align with the organization's predefined risk acceptance criteria. The selection of controls is thus directly dependent on decisions made following a clearly scoped risk assessment, taking into account risk acceptance criteria, treatment options, and the organization's broader risk management philosophy. This approach ensures that security investments are targeted and efficient, directly addressing the most pertinent threats and vulnerabilities. It is a fundamental principle that security efforts should be commensurate with the identified risks, advocating for a balanced allocation of resources for control implementation against the potential business impact of security incidents.

The Continuous Cycle: Implement, Monitor, Review, Improve

Information security is not a static state but a dynamic process. ISO/IEC 27002:2022 champions a continuous improvement cycle, emphasizing that organizations must define, implement, monitor, review, and enhance their controls as necessary. This iterative process is crucial for maintaining the ongoing suitability, adequacy, and effectiveness of the organization's security posture.

The continuous review and improvement cycle is vital for adapting to an ever-changing environment. It mandates that information security policies and controls be reassessed at planned intervals and whenever significant changes occur within the organization's business strategy, technical environment, regulatory landscape, or the prevailing threat environment. Furthermore, a key component of this cycle involves actively learning from information security incidents. The knowledge gained from these events is explicitly intended to strengthen and refine existing information security controls, thereby reducing the likelihood or severity of future incidents. This constant adaptation acknowledges that the threat landscape is fluid and organizational contexts evolve, requiring a responsive and flexible security framework.

Organizational Controls (Clause 5)

Organizational controls form the bedrock of an effective information security management system. These 37 controls address the overarching structure, policies, and processes that govern how information security is managed, ensuring integration with strategic objectives and operational fabric.

Detailed Controls:

5.1 Policies for information security

What it is (Purpose):

This control mandates the definition, approval, communication, and regular review of an organization's overarching information security policy and its supporting topic-specific policies. This is fundamental because it ensures that management's direction and support for information security are consistently aligned with business objectives, legal obligations, and risk profiles.

How to do it (Implementation Guidance):

To implement this, an organization should first establish a high-level information security policy, formally approved by top management, reflecting business strategy, regulations, and risks. Supporting topic-specific policies (e.g., access control, incident management) should be developed. Responsibilities for policy creation, review, and approval must be allocated. All policies need effective communication to relevant parties in an accessible format, with recipients acknowledging understanding and compliance.

How to check it (Verification):

Regularly review policies (at fixed intervals and upon significant changes like new threats or business shifts). Lessons from incidents should inform reviews. Ensure policies remain suitable, adequate, and effective, identifying improvements. Maintain consistency across related policies.

5.2 Information security roles and responsibilities

What it is (Purpose):

This control focuses on defining and allocating specific roles and responsibilities for information security throughout the organization. Its importance lies in establishing a clear, approved structure for the implementation, operation, and ongoing management of information security, which is essential for accountability.

How to do it (Implementation Guidance):

Align allocations with information security policies. Responsibilities cover asset protection, security process execution, and risk management participation (including residual risk acceptance). Users must understand their security role. Document and communicate responsibilities with defined authorization levels. Ensure individuals in security roles are competent and their knowledge is current.

How to check it (Verification):

Verify responsibilities are documented and personnel understand them. Regularly assess competence and training of those in security roles. Periodically confirm accountability for delegated tasks.

5.3 Segregation of duties

What it is (Purpose):

This control mandates the separation of conflicting duties and areas of responsibility among different individuals. The primary aim is to significantly reduce the risk of fraud, error, and the bypassing of information security controls.

How to do it (Implementation Guidance):

Identify duties needing segregation (e.g., change initiation/approval/execution; access rights request/approval/implementation; code development/implementation/review). Consider collusion risks. For small organizations, use compensating controls like enhanced monitoring, audit trails, and management supervision if full segregation is impractical. Manage role-based access control to prevent conflicting role grants.

How to check it (Verification):

Regularly review roles and access rights for conflicts. Audit logs for activities that should be segregated. For numerous roles, verify use of automated tools to identify and remove conflicts.
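The verification step above calls for automated detection of conflicting role grants. The following is an added example, not code from the page or from the standard, showing how a segregation-of-duties check can be built from a set of conflicting role pairs: one function audits existing assignments, the other is a preventive check to run before a new role is granted. The role names, conflict pairs and assignments are constructed for the demo from the duties listed in 5.3.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example (not from the page or the standard). The roles, the
conflict pairs and the assignments below are constructed for the demo.
"""
from itertools import combinations

# Pairs of roles one identity must not hold together, built from the
# examples in 5.3 (change initiation/approval/execution, access
# request/approval/implementation, code development/review).
# Stored as frozensets so the pair is unordered.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"change_initiator", "change_approver"}),
    frozenset({"change_approver", "change_executor"}),
    frozenset({"access_requester", "access_approver"}),
    frozenset({"access_approver", "access_implementer"}),
    frozenset({"code_developer", "code_reviewer"}),
}

# Constructed sample role assignments: identity -> set of roles held.
ASSIGNMENTS = {
    "alice": {"change_initiator", "code_developer"},
    "bob": {"change_approver", "change_executor"},
    "carol": {"access_requester", "access_approver", "access_implementer"},
    "dave": {"code_reviewer"},
}


def find_conflicts(assignments, conflict_pairs=CONFLICTING_ROLE_PAIRS):
    """Detective check: return {identity: [(role_a, role_b), ...]} for
    every identity that currently holds both roles of a conflicting pair.
    Pairs are listed in sorted order so the output is deterministic."""
    conflicts = {}
    for identity, roles in assignments.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(roles), 2)
            if frozenset({a, b}) in conflict_pairs
        ]
        if hits:
            conflicts[identity] = hits
    return conflicts


def would_conflict(assignments, identity, new_role,
                   conflict_pairs=CONFLICTING_ROLE_PAIRS):
    """Preventive check to run before a grant: the roles the identity
    already holds that conflict with `new_role` (empty means safe)."""
    held = assignments.get(identity, set())
    return sorted(r for r in held if frozenset({r, new_role}) in conflict_pairs)


if __name__ == "__main__":
    for who, pairs in find_conflicts(ASSIGNMENTS).items():
        print(f"{who}: conflicting roles {pairs}")
    print("alice -> change_approver blocked by:",
          would_conflict(ASSIGNMENTS, "alice", "change_approver"))
```

In a small organization where a conflict cannot be removed (as the guidance notes), the identities returned by `find_conflicts` are exactly the ones to put under the compensating controls of enhanced monitoring and audit-trail review.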

5.4 Management responsibilities

What it is (Purpose):

This control emphasizes that management must actively require all personnel to adhere to the organization's established information security policy, topic-specific policies, and procedures. Its significance lies in ensuring that management's commitment to information security translates into tangible actions by all personnel.

How to do it (Implementation Guidance):

Management must visibly support security policies. Brief personnel on their security roles/responsibilities before granting asset access. Provide clear security expectation guidelines and mandate policy compliance. Ensure personnel receive appropriate security awareness, education, and training (see 6.3) and maintain relevant skills. Establish confidential channels for reporting violations (whistleblowing). Allocate adequate resources and project planning time for security processes and controls.

How to check it (Verification):

Review training records and assess awareness program effectiveness (link to 6.3 outcomes). Monitor incident reports for personnel non-compliance trends. Regularly assess resource allocation for security initiatives.

5.5 Contact with authorities

What it is (Purpose):

This control requires the establishment and maintenance of contact with relevant legal, regulatory, and supervisory authorities. This is important for ensuring an appropriate flow of information regarding information security, facilitating timely reporting of incidents, and helping the organization anticipate and prepare for upcoming regulatory changes.

How to do it (Implementation Guidance):

Clearly specify when and by whom authorities (law enforcement, regulatory bodies) should be contacted. Establish procedures for timely reporting of identified security incidents. Use these contacts to gain insights into current and future expectations of authorities, ensuring proactive compliance.

How to check it (Verification):

Maintain comprehensive records of all communications with authorities. Verify incident reporting procedures align with current regulatory requirements. Assess preparedness for new or evolving regulations.

5.6 Contact with special interest groups

What it is (Purpose):

This control advises establishing and maintaining contact with special interest groups, specialist security forums, and professional associations. The value of this lies in improving knowledge about best practices, staying current with the information security environment, receiving early warnings of threats and vulnerabilities, and gaining access to specialist advice.

How to do it (Implementation Guidance):

Consider membership in relevant groups. Actively participate to exchange information on new technologies, products, services, threats, and vulnerabilities. These connections also serve as liaison points during security incidents.

How to check it (Verification):

Track participation in relevant groups and forums. Assess how acquired intelligence and best practices are integrated into internal security strategies and operations.

5.7 Threat intelligence

What it is (Purpose):

This control mandates the collection and analysis of information related to information security threats to produce actionable threat intelligence. This is critical for providing awareness of the organization’s threat environment, enabling the implementation of appropriate mitigation actions to prevent harm and reduce the impact of potential security incidents.

How to do it (Implementation Guidance):

Establish clear objectives for the threat intelligence program. Identify, vet, and select reliable internal/external information sources (e.g., providers, government agencies, collaborative groups). Process and analyze collected information to ensure it is relevant, insightful, contextual, and actionable. Communicate intelligence to relevant individuals. Integrate intelligence into risk management, technical controls (firewalls, anti-malware), and security testing. Encourage mutual sharing of threat intelligence.

How to check it (Verification):

Evaluate how effectively threat intelligence informs risk assessments and enhances technical controls (e.g., incident assessment, malware protection, monitoring, web filtering). Continuously monitor timeliness and relevance of intelligence sources. Regularly track integration of threat intelligence into daily security operations.
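The guidance for 5.7 asks for vetted sources, processed and de-duplicated intelligence, and integration into technical controls such as firewalls and monitoring. As an added example (not code from the page or the standard), the block below takes constructed feed entries from several sources, validates and merges them into a block list with a confidence threshold, and then matches that list against constructed firewall log lines. The feed and log formats, the confidence scale and the threshold are all assumptions made for the demo.

```python
"""Turning raw threat-intelligence feed entries into an actionable block
list and matching it against firewall log lines.

Added example (not from the page or the standard). The feed format, the
log format, the confidence threshold and every value are constructed.
"""
import ipaddress
import re

# Constructed feed entries: (indicator, type, source, confidence 0-100).
FEED = [
    ("203.0.113.7", "ipv4", "vendor-A", 90),
    ("203.0.113.7", "ipv4", "isac", 70),           # same indicator, second source
    ("198.51.100.0/24", "cidr", "vendor-A", 75),
    ("bad.example", "domain", "vendor-B", 85),
    ("not an indicator", "ipv4", "vendor-B", 95),  # malformed; must be dropped
]
MIN_CONFIDENCE = 65  # assumed acceptance threshold for automated blocking

# Constructed outbound firewall log lines.
LOGS = [
    "2024-06-10T10:00:01Z ALLOW src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-06-10T10:00:02Z ALLOW src=10.0.0.9 dst=198.51.100.23 dport=80",
    "2024-06-10T10:00:03Z ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2024-06-10T10:00:04Z DENY  src=10.0.0.7 dst=203.0.113.7 dport=22",
]
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def build_blocklist(feed, min_confidence=MIN_CONFIDENCE):
    """Validate and normalise each indicator, merge duplicates (keeping the
    highest confidence and the union of sources) and drop entries below
    the threshold. Returns {indicator: {"kind", "confidence", "sources"}}."""
    merged = {}
    for value, kind, source, conf in feed:
        try:
            if kind == "ipv4":
                key = str(ipaddress.ip_address(value))
            elif kind == "cidr":
                key = str(ipaddress.ip_network(value, strict=False))
            elif kind == "domain":
                key = value.lower().rstrip(".")
            else:
                continue  # unknown indicator type
        except ValueError:
            continue  # malformed indicator: drop it rather than block garbage
        entry = merged.setdefault(key, {"kind": kind, "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], conf)
        entry["sources"].add(source)
    return {k: v for k, v in merged.items() if v["confidence"] >= min_confidence}


def match_logs(blocklist, logs):
    """Return (log_line, indicator) for every line whose destination falls
    inside a listed address or network; this is the monitoring side."""
    nets = [
        (ipaddress.ip_network(k, strict=False), k)
        for k, v in blocklist.items() if v["kind"] in ("ipv4", "cidr")
    ]
    hits = []
    for line in logs:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        for net, key in nets:
            if dst in net:
                hits.append((line, key))
                break
    return hits


if __name__ == "__main__":
    bl = build_blocklist(FEED)
    for line, indicator in match_logs(bl, LOGS):
        print(f"hit {indicator}: {line}")
```

The confidence threshold and the source set per indicator give the reviewer the information the verification step asks for (timeliness and relevance of sources): an indicator that only ever arrives from one low-confidence source is a candidate for review rather than automatic blocking.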

5.8 Information security in project management

What it is (Purpose):

This control requires the integration of information security into project management throughout the entire project life cycle. This early and continuous integration is vital for effectively addressing information security risks related to projects and their deliverables, ultimately leading to more effective and cost-efficient security solutions.

How to do it (Implementation Guidance):

Implementation dictates that project management processes assess and treat information security risks from an early stage and periodically throughout the project. Security requirements, such as application security and intellectual property rights compliance, must be addressed in the initial phases. Project execution risks, including communication security, should also be considered. Regular reviews of progress on risk treatment and evaluations of the effectiveness of implemented security measures are necessary. Specific security responsibilities must be defined and allocated within the project team. Furthermore, security requirements for all project types, not just IT development, should be determined by considering factors like information classification, confidentiality, integrity, availability needs, authentication requirements, access provisioning, user duties, transaction logging, compliance, and third-party assurance.

How to check it (Verification):

To check this, organizations should follow up on information security considerations at predefined project milestones. It is important to verify that security requirements are explicitly documented and seamlessly integrated into all project deliverables. Reviewing project post-mortems for lessons learned related to security can also provide valuable feedback.

5.9 Inventory of information and other associated assets

What it is (Purpose):

This control mandates the development and maintenance of an accurate inventory of information and all associated assets, including their assigned owners. This is crucial for identifying all organizational assets that require protection, thereby preserving their information security and ensuring appropriate accountability through assigned ownership. This foundational step directly supports broader risk management, audit activities, vulnerability management, and incident response efforts.

How to do it (Implementation Guidance):

Implementation requires identifying all information and associated assets and determining their importance from an information security perspective. This documentation should be maintained in dedicated or existing inventories, ensuring accuracy, currency, and consistency, potentially through regular reviews or automated updates. The location of assets should be included where relevant. Each asset must be classified in accordance with the organization's information classification scheme (referencing 5.12 and 5.13). Ownership of each asset should be assigned to an individual or a group, with a defined process for timely assignment and reassignment as roles change or assets are transferred. Asset owners are then responsible for the proper management of their assets throughout their lifecycle, including ensuring correct inventorying, classification, protection, establishing acceptable use requirements, defining access restrictions, overseeing secure deletion, managing associated risks, and supporting personnel who handle their information.

How to check it (Verification):

To check this, an organization should regularly audit its asset inventory for accuracy, completeness, and alignment with the actual physical and logical assets. It is also important to verify that asset owners are clearly assigned and are fulfilling their defined duties. Consistency in the application of information classification and access restrictions based on the inventory should also be regularly assessed.

5.10 Acceptable use of information and other associated assets

What it is (Purpose):

This control requires the identification, documentation, and implementation of clear rules and procedures for the acceptable use and handling of information and other associated assets. Its purpose is to ensure that all organizational assets are appropriately protected, used, and handled, and that all personnel and external users are fully aware of their responsibilities regarding information security.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on acceptable use. This policy should clearly define expected and unacceptable behaviors, permitted and prohibited uses of information and assets, and outline any monitoring activities performed by the organization. Detailed procedures should be developed for the entire information lifecycle, informed by the asset's classification (referencing 5.12) and identified risks. These procedures should cover aspects such as access restrictions, maintaining records of authorized users, protecting temporary and permanent copies of information, storing assets according to manufacturer specifications (referencing 7.8), clear labeling of storage media (referencing 7.10), and authorized disposal methods (referencing 8.10). Special attention should be given to identifying and controlling the use of third-party assets, such as public cloud services, and any organizational assets associated with them, typically through formal agreements.

How to check it (Verification):

To check this, the acceptable use policies and procedures should be periodically reviewed for their relevance and effectiveness. Monitoring for compliance with these rules, often through logging and monitoring activities (referencing 8.15, 8.16), is crucial. Regular awareness training sessions are also essential to ensure that all personnel and external users fully understand and adhere to the established rules.

5.11 Return of assets

What it is (Purpose):

This control specifies that personnel and other interested parties must return all organizational assets in their possession upon a change or termination of their employment, contract, or agreement. This is vital for protecting the organization's assets and sensitive information during personnel transitions, thereby preventing unauthorized retention or copying of valuable data.

How to do it (Implementation Guidance):

Implementation necessitates formalizing the change or termination process to explicitly include the return of all previously issued physical and electronic assets. If personnel have purchased or used their own personal equipment for organizational work, procedures must be in place to ensure that all relevant information is securely traced, transferred to the organization, and then securely deleted from the equipment (referencing 7.14). Any important knowledge held by departing personnel that is critical to ongoing operations should be formally documented and transferred. Proactive measures should also be taken to prevent unauthorized copying of relevant information, such as intellectual property, by personnel during their notice periods. The organization should clearly identify and document all assets that are to be returned, including user endpoint devices, portable storage devices, specialist equipment, authentication hardware, and physical copies of information.

How to check it (Verification):

To check this, organizations should audit the asset return process for completeness and timeliness. Verification of secure deletion of information from both returned and personal devices is essential. Furthermore, the prompt removal of access rights (referencing 5.18) as an integral part of the termination process should be regularly confirmed.

5.12 Classification of information

What it is (Purpose):

This control requires information to be classified based on the organization's information security needs, specifically considering confidentiality, integrity, availability, and relevant interested party requirements. This is paramount for ensuring that the protection needs of information are accurately identified and understood in accordance with its importance to the organization, which then facilitates appropriate handling and control measures.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on information classification to all relevant interested parties. The classification scheme should meticulously incorporate requirements for confidentiality, integrity, and availability, while also considering business needs for sharing or restricting information, ensuring data integrity, assuring availability, and complying with legal obligations. Assets other than information may also be classified in alignment with the information they store or process. Information owners should be held accountable for the classification of their data. The scheme itself should include clear conventions for classification and criteria for periodic review, ensuring that classifications are updated as the value, sensitivity, and criticality of information change throughout its lifecycle. This scheme must align with the organization's access control policy (referencing 5.1) and be consistently applied across the entire organization. When sharing information with other organizations, agreements should include procedures for identifying and interpreting classification levels to ensure mutual understanding.

How to check it (Verification):

To check this, the classification scheme and its application should be regularly reviewed for suitability and consistency. Auditing information assets to verify correct classification and the corresponding protective controls is crucial. Additionally, assessing agreements with external parties for clear classification interpretation ensures that shared information is handled appropriately.

5.13 Labelling of information

What it is (Purpose):

This control mandates the development and implementation of appropriate procedures for information labelling, in accordance with the organization's adopted information classification scheme. The purpose of labelling is to facilitate clear communication of information classification and to support the automation of information processing and management.

How to do it (Implementation Guidance):

Implementation requires procedures that cover information and other associated assets in all formats. Labels should be easily recognizable and directly reflect the established classification scheme (referencing 5.12). The procedures should provide clear guidance on where and how labels are attached, considering how the information is accessed or assets are handled based on storage media types. They should also define cases where labelling might be omitted (e.g., for non-confidential information to reduce workload) or where it is technically not possible. For digital information, metadata should be utilized to identify, manage, and control information, especially regarding confidentiality, enabling efficient searching and facilitating automated system decisions based on classification labels. All personnel and interested parties must be made aware of these labelling procedures and provided with necessary training to ensure correct labelling and handling. Outputs from systems containing sensitive or critical information should always carry an appropriate classification label.

How to check it (Verification):

To check this, labelling procedures should be periodically reviewed for effectiveness and consistency. Auditing samples of information, both physical and digital, is necessary to verify correct labelling. Assessing system configurations can confirm proper metadata application and automated handling based on labels.

5.14 Information transfer

What it is (Purpose):

This control requires the establishment of rules, procedures, or agreements for all types of information transfer facilities, both within the organization and between the organization and external parties. Its purpose is to maintain the security of information while it is in transit, protecting it from interception, unauthorized access, copying, modification, misrouting, destruction, and denial of service.

How to do it (Implementation Guidance):

Implementation begins with establishing and communicating a topic-specific policy on information transfer. Rules, procedures, and agreements must be in place to protect information during electronic, physical, and verbal transfers, reflecting the information's classification. These measures should include controls against interception and unauthorized access (potentially using cryptographic techniques, referencing 8.24), ensuring traceability and non-repudiation (maintaining a chain of custody), identifying appropriate contacts (e.g., information owners, security officers), defining responsibilities and liabilities in case of incidents, using an agreed labelling system (referencing 5.13), addressing the reliability and availability of transfer services, adhering to acceptable use guidelines (referencing 5.10), and complying with retention/disposal guidelines and relevant legal/contractual requirements (referencing 5.31-5.34). Specific considerations apply to each transfer type: electronic transfer, physical storage media transfer, and verbal transfer.

How to check it (Verification):

To check this, organizations should regularly review their information transfer policies and procedures. Auditing logs for transfer activities helps ensure compliance with established controls and agreements. Conducting regular training and awareness sessions on secure transfer practices is also vital, and reviewing incident reports related to information transfer provides valuable feedback for continuous improvement.

5.15 Access control

What it is (Purpose):

This control involves establishing and implementing rules to govern both physical and logical access to information and other associated assets, based on the organization's business and information security requirements. The fundamental purpose is to ensure that only authorized entities gain access, thereby preventing unauthorized access and safeguarding the confidentiality, integrity, and availability of information.

How to do it (Implementation Guidance):

Implementation begins with asset owners determining their specific access control requirements. A topic-specific policy on access control should then be defined and communicated to all relevant interested parties. This policy should consider various factors: which entities require what type of access, the security of applications (referencing 8.26), physical access controls (referencing 7.2, 7.3, 7.4), principles of information dissemination like 'need-to-know' (referencing 5.10, 5.12, 5.13), restrictions on privileged access (referencing 8.2), the importance of segregation of duties (referencing 5.3), adherence to legal, regulatory, and contractual obligations (referencing 5.31-5.34, 8.3), the separation of access control functions (e.g., request, authorization, administration), formal authorization processes (referencing 5.16, 5.18), the management of access rights (referencing 5.18), and comprehensive logging (referencing 8.15). The access control rules should be implemented by meticulously defining and mapping appropriate access rights and restrictions to specific entities, which can include human users, machines, devices, or services. Consistency between access rights, information classification, and physical perimeter security is crucial. Furthermore, organizations should consider incorporating dynamic access control elements, such as user location or network connection type, to enhance security.

How to check it (Verification):

To check this, organizations should regularly review their access control policies, rules, and their practical implementation. Auditing access logs (referencing 8.15) for any unauthorized attempts or anomalous activity is a continuous verification step. Periodic access rights reviews (referencing 5.18) are also essential. Finally, conducting penetration testing and vulnerability assessments (referencing 8.29) provides a robust method to test the effectiveness of implemented access controls.

5.16 Identity management

What it is (Purpose):

This control focuses on managing the full life cycle of identities, encompassing both individuals and systems. Its core purpose is to enable the unique identification of all individuals and systems accessing the organization’s information and associated assets, which in turn facilitates the appropriate assignment of access rights and ensures accountability.

How to do it (Implementation Guidance):

Implementation requires processes that ensure that for identities assigned to persons, each specific identity is linked to a single individual, thereby enabling accountability for actions performed with that identity. Shared identities are only permitted when absolutely necessary for business or operational reasons and must be subject to dedicated approval and thorough documentation. Identities assigned to non-human entities must also undergo appropriately segregated approval and independent ongoing oversight. A critical aspect is the timely disabling or removal of identities when they are no longer required (e.g., when a person leaves the organization or changes roles). Organizations should also strive to avoid duplicate identities within the same context. Comprehensive records of all significant events concerning the use and management of user identities and authentication information must be maintained. A supporting process should be in place to handle changes to user identity information, potentially involving re-verification of trusted documents. When using identities provided by third parties (e.g., social media credentials), the organization must ensure that these identities provide the required level of trust and that any associated risks are sufficiently managed (referencing 5.19, 5.17).

How to check it (Verification):

To check this, organizations should regularly audit identity records for accuracy and completeness. Reviewing the processes for identity provisioning, modification, and de-provisioning is essential to ensure timeliness and adherence to policy. Monitoring for unauthorized or dormant accounts is also a continuous verification activity.
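The checks above (one person, one identity per context; documented approval for shared and non-human identities; timely disabling of leavers; dormant accounts) are easy to automate against a directory or application export. The following is an added example written for this page, not code from the standard or from any product; the record layout, the 90-day dormancy threshold, the one-day disabling grace period and the sample identities are all assumptions for illustration:

```python
"""Added example (not from the page or the standard): audit a constructed identity
register for the 5.16 failure modes: duplicate identities for one person in one
context, shared or non-human identities without an approval record, identities
still enabled after the owner has left, and dormant identities."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
DISABLE_GRACE = timedelta(days=1)    # assumed: leaver identities are disabled within one day


@dataclass
class Identity:
    identity_id: str              # account name in the directory or application
    context: str                  # directory/application the identity lives in
    owner: Optional[str]          # HR person id; None for non-human (service) identities
    shared: bool                  # used by more than one person
    approval_ref: Optional[str]   # ticket approving a shared or non-human identity
    enabled: bool
    leave_date: Optional[date]    # owner's departure date from the HR feed, if any
    last_logon: Optional[date]    # None if the identity has never been used


Finding = Tuple[str, str, str]    # (finding type, identity_id, detail)


def audit_identities(identities: List[Identity], today: date) -> List[Finding]:
    findings: List[Finding] = []

    # Duplicate detection: one person must map to one identity per context.
    seen = {}
    for ident in identities:
        if ident.owner is None or ident.shared:
            continue
        key = (ident.owner, ident.context)
        if key in seen:
            findings.append(("duplicate_identity", ident.identity_id,
                             f"{ident.owner} already holds {seen[key]} in {ident.context}"))
        else:
            seen[key] = ident.identity_id

    for ident in identities:
        # Shared and non-human identities need a dedicated, documented approval.
        if (ident.shared or ident.owner is None) and not ident.approval_ref:
            findings.append(("missing_approval", ident.identity_id,
                             "shared/non-human identity has no approval record"))
        # Leaver whose identity is still enabled past the grace period.
        if ident.leave_date and ident.enabled and today - ident.leave_date > DISABLE_GRACE:
            findings.append(("orphaned_identity", ident.identity_id,
                             f"owner left on {ident.leave_date} but identity is still enabled"))
        # Enabled but not used within the dormancy threshold (or never used at all).
        if ident.enabled and (ident.last_logon is None or today - ident.last_logon > DORMANT_AFTER):
            findings.append(("dormant_identity", ident.identity_id,
                             f"last logon {ident.last_logon}"))
    return findings


TODAY = date(2024, 6, 1)


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed sample register; none of these are real accounts.
SAMPLE_IDENTITIES = [
    Identity("alice",           "corp-ad", "P001", False, None,       True, None,        days_ago(3)),
    Identity("alice.admin2",    "corp-ad", "P001", False, None,       True, None,        days_ago(5)),   # duplicate
    Identity("bob",             "corp-ad", "P002", False, None,       True, days_ago(30), days_ago(40)), # leaver, still enabled
    Identity("svc-backup",      "corp-ad", None,   False, None,       True, None,        days_ago(1)),   # service account, no approval
    Identity("helpdesk-shared", "corp-ad", None,   True,  "CHG-4411", True, None,        days_ago(2)),   # approved shared identity
    Identity("carol",           "erp",     "P003", False, None,       True, None,        None),          # never logged on
]

if __name__ == "__main__":
    for kind, who, detail in audit_identities(SAMPLE_IDENTITIES, TODAY):
        print(f"{kind:22} {who:16} {detail}")
```

The HR feed is the authoritative source for `owner` and `leave_date`; the value of the check comes from joining it to the directory export rather than auditing the directory on its own, which cannot see that a person has left.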

5.17 Authentication information

What it is (Purpose):

This control addresses the controlled allocation and management of authentication information, such as passwords, PINs, and biometrics, and includes advising personnel on its appropriate handling. This is critical for ensuring proper entity authentication and preventing failures in authentication processes, which are foundational for secure access to systems and information.

How to do it (Implementation Guidance):

Implementation involves a robust allocation and management process. This process should ensure that automatically generated temporary authentication information (like first-time passwords or PINs) is non-guessable and unique for each person, requiring users to change them upon first use. Procedures must be established to verify a user's identity before providing new, replacement, or temporary authentication information. Authentication information, including temporary credentials, should be transmitted securely (avoiding clear text electronic mail). Users should acknowledge receipt of authentication information, and default authentication information provided by vendors must be changed immediately after system or software installation. Confidential records of significant events concerning the allocation and management of authentication information must be kept. Users also bear significant responsibilities: they must be advised to keep secret authentication information confidential, change compromised information immediately, and select strong passwords (non-guessable, not dictionary words, incorporating alphanumeric and special characters, and meeting a minimum length). The reuse of the same passwords across distinct services and systems should be prohibited, and these obligations should be included in employment terms (referencing 6.2). When passwords are used, the password management system itself should allow users to select and change their own passwords, enforce strong password policies, force first-login changes, prevent reuse of previous or commonly used/compromised passwords, avoid displaying passwords in clear text during entry, and store/transmit passwords in protected form using approved cryptographic techniques (referencing 8.24).

How to check it (Verification):

To check this, organizations should regularly audit password strength and compliance with established password policies. Monitoring for failed login attempts and brute-force attacks (referencing 8.5) provides real-time insights into potential weaknesses. Verification of secure transmission and storage of authentication information is also crucial, along with assessing the effectiveness of user awareness and training on handling authentication information.
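The password management system requirements listed under 5.17 (non-guessable temporary credentials changed at first use, policy enforcement, a block on previously used and compromised passwords, and protected storage using approved cryptography) map onto a small amount of code. The block below is an added example for this page, not code from the standard or from any product; the minimum length, history depth, the PBKDF2 iteration count and the compromised-password list are assumptions, and `Account` is a stand-in for whatever user store the organization actually runs:

```python
"""Added example (not from the page or the standard): the core of a password
management system as 5.17 describes it: CSPRNG temporary credentials that must
be changed at first use, a policy check including a compromised-password list,
no reuse of the last N passwords, and storage as salted PBKDF2-HMAC-SHA256 hashes."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 12                 # assumed policy values
HISTORY_DEPTH = 5               # current password plus the four before it are blocked
PBKDF2_ITERATIONS = 600_000     # OWASP-recommended count for PBKDF2-HMAC-SHA256
SALT_LEN = 16
# Constructed stand-in for a breached/common-password list; a real deployment would
# check against a much larger corpus.
COMPROMISED = {"password", "password123", "qwerty123456", "letmein", "welcome1"}


def check_policy(candidate: str) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate))
    if sum(classes) < 3:
        reasons.append("needs at least three of: lower, upper, digit, special")
    if candidate.lower() in COMPROMISED:
        reasons.append("appears in the compromised/common password list")
    return reasons


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Protected form for storage: random per-password salt || PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    username: str
    stored: bytes
    must_change: bool = True                              # set for temporary credentials
    history: List[bytes] = field(default_factory=list)    # previous hashes, newest first


def issue_temporary_password(username: str) -> Tuple[Account, str]:
    """Unique, non-guessable first-time secret; the account is flagged so the first
    successful login is forced through a password change. The cleartext is returned
    once so it can be handed over by a secure channel, never e-mailed in clear."""
    alphabet = string.ascii_letters + string.digits
    temporary = "".join(secrets.choice(alphabet) for _ in range(16))
    return Account(username, hash_password(temporary), must_change=True), temporary


def login(account: Account, password: str) -> str:
    """'denied', 'change_required' or 'ok'."""
    if not verify_password(password, account.stored):
        return "denied"
    return "change_required" if account.must_change else "ok"


def change_password(account: Account, current: str, new: str) -> List[str]:
    """Re-authenticate, enforce policy and history, then rotate. Returns violations (empty on success)."""
    if not verify_password(current, account.stored):
        return ["current password incorrect"]
    reasons = check_policy(new)
    if verify_password(new, account.stored) or any(verify_password(new, old) for old in account.history):
        reasons.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if reasons:
        return reasons
    account.history = [account.stored] + account.history[:HISTORY_DEPTH - 1]
    account.stored = hash_password(new)
    account.must_change = False
    return []
```

Two points the code makes that the prose does not: history enforcement only works because the old hashes (with their salts) are retained and the candidate is re-hashed against each one, and the compromised-password check has to run on the cleartext at change time, since it cannot be applied to stored hashes later.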

5.18 Access rights

What it is (Purpose):

This control governs the provisioning, review, modification, and removal of access rights to information and other associated assets, strictly in accordance with the organization’s topic-specific policy and rules for access control. Its purpose is to ensure that all access to information and assets is precisely defined and authorized based on business requirements, thereby preventing unauthorized access and mitigating risks, particularly from disgruntled or departing personnel.

How to do it (Implementation Guidance):

The provisioning and revocation process for physical and logical access rights must be robust. This includes obtaining authorization from the asset owner (referencing 5.9), considering business requirements and the access control policy, and adhering to segregation of duties principles. Access rights must be promptly removed when no longer needed, especially for individuals who have left the organization. Temporary access rights should be granted for limited periods and automatically revoked upon expiration. The process must verify that the granted access level aligns with the access control policy and other security requirements. Rights should only be activated after successful authorization. A central record of all granted access rights must be maintained, and changes to users' logical and physical access rights should be meticulously recorded. Regular reviews of physical and logical access rights are essential, particularly after any internal organizational changes (e.g., job changes, promotions) or employment termination (referencing 6.1-6.5), and specifically for privileged access rights. Before any change or termination of employment, a user's access rights should be reviewed and adjusted or removed based on an evaluation of risk factors such as the reason for termination, the user's current responsibilities, and the value of the assets they can access.

How to check it (Verification):

To check this, organizations should conduct regular access reviews (e.g., quarterly or semi-annually), requiring formal sign-off from asset owners or managers. Auditing access logs for access rights changes ensures they align with approved requests. Verifying that access rights are promptly removed upon termination or role change is a critical step. Furthermore, periodically testing the 'least privilege' principle by auditing actual access versus required access can identify over-provisioning.
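A periodic access review is, mechanically, a join between the entitlement export, the HR record and a role baseline. The block below is an added example for this page, not code from the standard or from any identity governance product; the role baseline, the segregation-of-duties rule and the sample users and grants are constructed for illustration:

```python
"""Added example (not from the page or the standard): a periodic access rights review
over a constructed entitlement export, flagging the conditions 5.18 asks reviewers to
look for: rights held by people who have left, grants with no asset-owner approval,
temporary rights past expiry, entitlements outside the role baseline (over-provisioning)
and segregation-of-duties conflicts."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts_payable": {"erp.invoice.create", "erp.invoice.view"},
    "ap_manager":       {"erp.invoice.view", "erp.payment.approve"},
    "dba":              {"db.prod.admin"},
}
# Assumed segregation-of-duties rule: pairs one person must never hold together.
SOD_CONFLICTS = [("erp.invoice.create", "erp.payment.approve")]


@dataclass
class User:
    user_id: str
    role: str
    active: bool                 # False once HR records the person as having left


@dataclass
class Grant:
    user: str
    entitlement: str
    approved_by: Optional[str]   # asset owner who authorised the grant (5.9)
    expires: Optional[date]      # set only for temporary rights


Finding = Tuple[str, str, str]   # (finding type, user, detail)


def review_access(users: List[User], grants: List[Grant], today: date) -> List[Finding]:
    findings: List[Finding] = []
    by_user = {u.user_id: u for u in users}
    held: Dict[str, Set[str]] = {}

    for g in grants:
        held.setdefault(g.user, set()).add(g.entitlement)
        user = by_user.get(g.user)
        if user is None or not user.active:
            findings.append(("rights_for_inactive_user", g.user, g.entitlement))
            continue
        if not g.approved_by:
            findings.append(("no_owner_authorisation", g.user, g.entitlement))
        if g.expires is not None and g.expires < today:
            findings.append(("expired_temporary_right", g.user, f"{g.entitlement} expired {g.expires}"))
        if g.entitlement not in ROLE_BASELINE.get(user.role, set()):
            findings.append(("over_provisioned", g.user, f"{g.entitlement} not in baseline for {user.role}"))

    # Segregation of duties is evaluated over everything a person holds, across all grants.
    for user_id, ents in held.items():
        for a, b in SOD_CONFLICTS:
            if a in ents and b in ents:
                findings.append(("sod_conflict", user_id, f"{a} + {b}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Counts per finding type, for the review sign-off report."""
    return dict(Counter(kind for kind, _, _ in findings))


TODAY = date(2024, 6, 1)
# Constructed sample data; not real people or systems.
SAMPLE_USERS = [
    User("dana", "accounts_payable", True),
    User("erin", "ap_manager", True),
    User("frank", "dba", False),                                          # has left
]
SAMPLE_GRANTS = [
    Grant("dana", "erp.invoice.create", "owner-finance", None),
    Grant("dana", "erp.invoice.view", "owner-finance", None),
    Grant("dana", "erp.payment.approve", "owner-finance", None),          # over-provisioned and SoD conflict
    Grant("erin", "erp.payment.approve", "owner-finance", None),
    Grant("erin", "erp.invoice.view", None, None),                        # granted without owner approval
    Grant("erin", "db.prod.admin", "owner-dba", date(2024, 5, 15)),       # temporary right that has expired
    Grant("frank", "db.prod.admin", "owner-dba", None),                   # rights still present for a leaver
]

if __name__ == "__main__":
    for kind, who, detail in review_access(SAMPLE_USERS, SAMPLE_GRANTS, TODAY):
        print(f"{kind:26} {who:8} {detail}")
    print(summarise(review_access(SAMPLE_USERS, SAMPLE_GRANTS, TODAY)))
```

Note that the expired temporary grant and the over-provisioned entitlement are separate findings even when they fall on the same grant: the first is a revocation that should already have happened automatically, the second is a question for the asset owner.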

5.19 Information security in supplier relationships

What it is (Purpose):

This control focuses on defining and implementing processes and procedures to manage information security risks associated with the use of supplier products or services. The overarching purpose is to maintain an agreed level of information security across all supplier relationships, thereby mitigating risks that could arise from inadequate supplier security practices, malicious supplier personnel, or vulnerabilities within supplier-provided products.

How to do it (Implementation Guidance):

Implementation begins with establishing and communicating a topic-specific policy on supplier relationships. Organizations must identify the types of suppliers (e.g., ICT services, logistics) that could impact the confidentiality, integrity, and availability of their information. This involves evaluating and selecting suppliers based on the sensitivity of information and services, often through market analysis, customer references, document reviews, or certifications. Organizations must define what information, ICT services, and physical infrastructure suppliers can access, monitor, control, or use. A critical step is assessing and managing information security risks stemming from suppliers' access to organizational assets (including risks from malicious supplier personnel) and from malfunctioning or vulnerable products and services. Ongoing activities include monitoring supplier compliance, mitigating non-compliance, handling incidents and contingencies in collaboration with suppliers, and ensuring supplier resilience and recovery capabilities. Organizational personnel interacting with suppliers should receive appropriate awareness and training. Managing the secure transfer of information and assets, and ensuring secure termination of supplier relationships (including de-provisioning access, information handling, intellectual property ownership, data portability, and secure disposal) are also vital. Procedures for continuing information processing in the event a supplier becomes unable to provide services should also be considered.

How to check it (Verification):

To check this, organizations should regularly review supplier contracts for adherence to security requirements. Conducting supplier audits or requesting third-party attestations (referencing 5.22) provides assurance. Continuous monitoring of supplier performance and incident reports related to supplier services is also crucial. Finally, verifying that exit strategies for supplier services are documented and tested ensures smooth transitions and continued security.

5.20 Addressing information security within supplier agreements

What it is (Purpose):

This control emphasizes the necessity of establishing and agreeing upon relevant information security requirements with each supplier through documented agreements, tailored to the specific type of supplier relationship. This is crucial for maintaining an agreed level of information security by ensuring a clear and mutual understanding of both parties' obligations.

How to do it (Implementation Guidance):

Implementation involves including comprehensive terms in supplier agreements that satisfy identified information security requirements. These terms should cover a broad spectrum, such as a description of the information to be provided or accessed, methods of provision/access, information classification (referencing 5.10, 5.12, 5.13) and mapping between schemes, legal/statutory/regulatory/contractual requirements (including data protection, PII, IP, copyright), and the obligation for each party to implement an agreed set of controls (e.g., access control, performance review, monitoring, reporting, auditing). Other vital inclusions are rules for acceptable use, authorization procedures for supplier personnel, security requirements for the supplier's ICT infrastructure, indemnities for failure, incident management procedures (especially notification and collaboration), training/awareness requirements, provisions for sub-contracting, relevant contacts, screening requirements (where permissible), mechanisms for assurance (e.g., third-party attestations, independent reports), the right to audit, periodic reports on control effectiveness, defect/conflict resolution, backup alignment, alternate facility availability, change management notification, physical security controls, information transfer controls, and comprehensive termination clauses (including records management, asset return, secure disposal, and ongoing confidentiality obligations). Organizations should maintain a register of all external agreements and regularly review and update them to ensure they remain fit for purpose and include relevant security clauses.

How to check it (Verification):

To check this, organizations should regularly review supplier agreements for the completeness and currency of their security clauses. It is essential to verify that the security requirements stipulated in these agreements are being met through ongoing monitoring and audits (referencing 5.22). Confirming that a clear, documented process exists for managing and updating supplier contracts, and that the register of external agreements is complete and current, is also a key check.


5.21 Managing information security in the ICT supply chain

What it is (Purpose):

This control specifically addresses the definition and implementation of processes and procedures to manage information security risks associated with the ICT products and services supply chain. Its purpose is to maintain an agreed level of information security by proactively addressing risks that can arise from malfunctioning or vulnerable components and services acquired through this complex chain.

How to do it (Implementation Guidance):

Implementation requires defining specific information security requirements for ICT product or service acquisition. Organizations should mandate that ICT service suppliers propagate these security requirements throughout their own supply chains if they sub-contract parts of the service. Similarly, ICT product suppliers should be required to propagate appropriate security practices for components obtained from other suppliers. Requesting information from suppliers about software components used in products and their secure configuration is also crucial. Implementing a monitoring process and acceptable methods for validating compliance (e.g., penetration testing, third-party attestations) is essential. Organizations must identify and document critical product or service components that require increased scrutiny, especially if outsourced, and obtain assurance of their traceability throughout the supply chain. This includes verifying that delivered ICT products are genuine and unaltered (e.g., using anti-tamper labels, cryptographic hash verifications) and function as expected without unwanted features. Obtaining formal certification or evaluation scheme assurance for required security levels is also advised. Rules for sharing information regarding supply chain issues and compromises should be defined. Finally, managing the ICT component life cycle and associated security risks, such as identifying alternative suppliers for discontinued components, is a key aspect.

How to check it (Verification):

To check this, organizations should regularly assess the security posture of critical ICT supply chain components. Verifying the authenticity and integrity of acquired ICT products is paramount. Reviewing supplier reports on security practices within their supply chain provides valuable insight. Ultimately, ensuring that ICT products are acquired from reputable sources is a fundamental control.
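The "cryptographic hash verification" step mentioned under 5.21 is usually performed against a digest manifest published by the supplier. The following is an added example written for this page, not code from the standard or from any vendor; the artefact names and bytes are constructed, and the manifest is generated from the known-good bytes purely so the example runs offline. In a real delivery the manifest itself must arrive over an authenticated channel or carry a signature; a hash check against an unauthenticated manifest detects corruption, not substitution by an attacker who can also replace the manifest:

```python
"""Added example (not from the page or the standard): verify that a delivered set of
ICT components matches a supplier-published SHA-256 manifest in sha256sum format,
reporting altered, missing and unexpected components."""
import hashlib
import hmac
from typing import Dict

HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<64 hex chars>  <filename>' lines (both the '  ' text and ' *' binary
    separators that sha256sum emits). Blank lines and '#' comments are skipped."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        if name in expected:
            raise ValueError(f"duplicate manifest entry: {name}")
        expected[name] = digest
    return expected


def verify_delivery(manifest_text: str, delivered: Dict[str, bytes]) -> Dict[str, str]:
    """Return {filename: problem}. An empty dict means every listed component is present
    and unaltered and nothing unlisted was delivered."""
    expected = parse_manifest(manifest_text)
    problems: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in delivered:
            problems[name] = "listed in manifest but not delivered"
            continue
        actual = hashlib.sha256(delivered[name]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            problems[name] = f"digest mismatch (expected {digest[:12]}..., got {actual[:12]}...)"
    # Anything delivered that the supplier did not list is an unwanted component until explained.
    for name in delivered:
        if name not in expected:
            problems[name] = "delivered but not listed in manifest (unexpected component)"
    return problems


# Constructed stand-ins for a supplier delivery; real artefacts would be read from disk.
KNOWN_GOOD = {
    "agent-2.4.1.tar.gz": b"constructed archive bytes for agent 2.4.1\n",
    "agent-2.4.1.sbom.json": b'{"components": ["libfoo 1.2", "libbar 3.0"]}\n',
}
# Generated here from the known-good bytes so the example is self-contained; in practice
# the manifest comes from the supplier over an authenticated channel or is itself signed.
VENDOR_MANIFEST = "# agent 2.4.1 release\n" + "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in KNOWN_GOOD.items())

TAMPERED_DELIVERY = dict(KNOWN_GOOD)
TAMPERED_DELIVERY["agent-2.4.1.tar.gz"] += b"<appended payload>"    # altered in transit
TAMPERED_DELIVERY["installer-helper.exe"] = b"not in the manifest"  # extra component slipped in

if __name__ == "__main__":
    print("clean delivery:", verify_delivery(VENDOR_MANIFEST, KNOWN_GOOD) or "OK")
    for name, problem in verify_delivery(VENDOR_MANIFEST, TAMPERED_DELIVERY).items():
        print(f"{name}: {problem}")
```

Reporting unlisted files is deliberate: 5.21 asks that products "function as expected without unwanted features", and an extra binary in the delivery is the simplest case of that.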

5.22 Monitoring, review and change management of supplier services

What it is (Purpose):

This control emphasizes the continuous monitoring, review, evaluation, and management of changes in supplier information security practices and service delivery. Its purpose is to maintain an agreed level of information security and service delivery in line with supplier agreements, ensuring that incidents and problems are managed properly and that changes in supplier services or business status do not adversely affect service delivery.

How to do it (Implementation Guidance):

Implementation involves a structured process for managing the relationship between the organization and its suppliers. This includes continuously monitoring service performance levels to verify compliance with agreements. Organizations must monitor changes made by suppliers, such as enhancements, new applications, policy updates, and new or changed controls. Changes in supplier services, including network modifications, new technologies, product versions, facility relocations, or changes in sub-suppliers, must also be monitored. Regularly reviewing service reports from suppliers and holding progress meetings are essential. Conducting audits of suppliers and sub-suppliers, alongside reviewing independent auditor's reports, is crucial for verifying compliance. Information security incidents related to supplier services must be reported and reviewed, and identified vulnerabilities managed. Organizations should also review the information security aspects of a supplier's relationships with its own suppliers. Assurance that the supplier maintains sufficient service capability and workable plans for business continuity (referencing 5.29, 5.30, 5.35, 5.36, 8.14) is vital. The organization should ensure that the supplier has assigned responsibility within its own organization for reviewing compliance with, and enforcing, the requirements of the agreement. Finally, regular evaluation of suppliers' information security levels and taking appropriate actions for observed deficiencies are key components.

How to check it (Verification):

To check this, organizations should regularly review supplier performance metrics and service level agreements (SLAs). Periodic audits of supplier security controls and processes are necessary. Tracking and managing identified deficiencies and corrective actions ensures continuous improvement. Reviewing supplier change logs and incident reports provides ongoing visibility into their security posture.

5.23 Information security for use of cloud services

What it is (Purpose):

This control requires the establishment of processes for the acquisition, use, management, and exit from cloud services, all in accordance with the organization’s information security requirements. The objective is to specifically define and manage information security within the context of cloud service utilization.

How to do it (Implementation Guidance):

Implementation begins with establishing and communicating a topic-specific policy on the use of cloud services. Organizations must clearly define and communicate how they intend to manage the information security risks associated with cloud services, potentially integrating this with existing external party management approaches (referencing 5.21, 5.22). Acknowledging the shared responsibility model in cloud environments, it is essential to define and appropriately implement the responsibilities of both the cloud service provider (CSP) and the organization as the cloud service customer. Key aspects to define include relevant security requirements, cloud service selection criteria and scope, roles and responsibilities, which controls are managed by the CSP versus the customer, how to obtain and utilize CSP security capabilities and assurance, and how to manage controls, interfaces, and changes when using multiple cloud services. Procedures for handling cloud security incidents, an approach for monitoring and evaluating ongoing cloud use, and clear exit strategies for cloud services are also vital. Cloud service agreements, even if pre-defined, must be thoroughly reviewed to ensure they address the organization's confidentiality, integrity, availability, and information handling requirements, along with appropriate service level objectives. Risk assessments specific to cloud service usage should be conducted, and any residual risks formally identified and accepted by management. Agreements should include provisions for data protection and service availability, such as adherence to industry standards, access controls, malware protection, approved storage locations, incident support, sub-contracting requirements, digital evidence gathering, exit support, backup, and the return of information. Organizations should also consider requiring advance notification from CSPs for any substantive customer-impacting changes, such as technical infrastructure alterations or changes in geographical jurisdiction or sub-contractors. Maintaining close contact with CSPs for mutual information exchange and monitoring is also crucial.

How to check it (Verification):

To check this, organizations should regularly review cloud service agreements and CSP certifications or attestations. Monitoring CSP performance against agreed-upon SLAs and security metrics is ongoing. Testing exit strategies and data portability from cloud services is a critical verification step. Finally, conducting regular risk assessments specifically tailored to cloud service usage ensures that evolving risks are continuously managed.

5.24 Information security incident management planning and preparation

What it is (Purpose):

This control emphasizes the critical need for organizations to plan and prepare for managing information security incidents by defining, establishing, and communicating comprehensive incident management processes, roles, and responsibilities. The overarching purpose is to ensure a quick, effective, consistent, and orderly response to information security incidents, thereby minimizing their potential impact on the organization.

How to do it (Implementation Guidance):

Implementation involves establishing appropriate information security incident management processes and clearly communicating the associated roles and responsibilities to all relevant internal and external interested parties. This includes defining common methods for reporting information security events (referencing 6.8) and establishing both an incident management process (covering administration, documentation, detection, triage, prioritization, analysis, communication, and coordination) and an incident response process (for assessing, responding to, and learning from incidents). It is crucial to ensure that only competent personnel handle incident-related issues, providing them with necessary procedure documentation and periodic training, and identifying ongoing training and certification needs. Incident management objectives and priorities, including resolution timeframes based on potential consequences and severity, must be agreed upon with management. Procedures should be developed for event evaluation, monitoring, detecting, classifying, analyzing, and reporting events and incidents (referencing 8.15, 8.16, 5.25, 6.8). These procedures must also cover managing incidents to conclusion (including response, escalation, crisis management, continuity plan activation, controlled recovery, and communication, referencing 5.26), coordinating with internal and external parties (referencing 5.5, 5.6), logging activities, handling evidence (referencing 5.28), conducting root cause analysis, and identifying lessons learned and improvements. Reporting procedures should detail actions for events, utilize incident forms, provide feedback to reporters, and ensure the creation of incident reports. External reporting requirements, such as breach notifications to regulators, must also be considered.

How to check it (Verification):

To check this, organizations should periodically test their incident response plans through drills and simulations. Reviewing incident reports for adherence to procedures and timeliness of response is essential. Assessing the effectiveness of training and the competence of incident response personnel provides crucial feedback. Finally, verifying that lessons learned from incidents are systematically integrated back into processes and controls ensures continuous improvement.

5.25 Assessment and decision on information security events

What it is (Purpose):

This control requires organizations to assess information security events and make a clear decision on whether they should be categorized as information security incidents. Its purpose is to ensure the effective categorization and prioritization of events, which is a prerequisite for initiating an appropriate and timely response.

How to do it (Implementation Guidance):

Implementation involves agreeing upon a categorization and prioritization scheme for information security incidents. This scheme must include clear criteria for determining when an event qualifies as an incident. The designated point of contact is responsible for assessing each information security event using this agreed scheme. Personnel responsible for coordinating and responding to information security incidents are typically the ones who perform this assessment and make the final decision. The results of this assessment and decision must be meticulously recorded for future reference and verification.

How to check it (Verification):

To check this, organizations should regularly review event logs and incident records to verify the consistent application of the categorization scheme. Assessing the timeliness and accuracy of event assessments is also important. Periodic reviews of the categorization criteria ensure they remain relevant to the evolving threat landscape and organizational context.

5.26 Response to information security incidents

What it is (Purpose):

This control mandates that information security incidents are responded to strictly in accordance with documented procedures. Its primary purpose is to ensure an efficient and effective response to incidents, thereby minimizing harm to organizational assets and operations.

How to do it (Implementation Guidance):

Implementation requires establishing and communicating clear procedures for information security incident response to all relevant interested parties. A designated team with the necessary competency (referencing 5.24) should be responsible for responding to incidents. The response process should encompass several critical steps: containing affected systems to prevent further spread, collecting evidence (referencing 5.28) as soon as possible, escalating the incident as required (potentially involving crisis management activities and invoking business continuity plans, referencing 5.29, 5.30), ensuring all response activities are properly logged for later analysis, communicating the existence and relevant details of the incident to internal and external interested parties following the 'need-to-know' principle, coordinating with internal and external parties (authorities, special interest groups, suppliers, clients) to improve response effectiveness, formally closing and recording the incident once successfully addressed, conducting information security forensic analysis as needed (referencing 5.28), performing post-incident analysis to identify the root cause (referencing 5.27), and identifying and managing information security vulnerabilities and weaknesses that contributed to or failed to prevent the incident.

How to check it (Verification):

To check this, organizations should regularly review incident response timelines and assess their effectiveness against defined objectives. Auditing incident logs for completeness and adherence to established procedures is crucial. Conducting post-incident reviews is essential for identifying areas for improvement, and verifying that evidence collection procedures are consistently followed ensures legal and disciplinary readiness.

5.27 Learning from information security incidents

What it is (Purpose):

This control dictates that knowledge gained from information security incidents must be actively used to strengthen and improve existing information security controls. Its overarching purpose is to reduce the likelihood or consequences of future incidents by proactively addressing root causes and continuously enhancing the organization's security posture.

How to do it (Implementation Guidance):

Implementation involves establishing procedures to quantify and monitor the types, volumes, and costs associated with information security incidents. The information derived from the evaluation of these incidents should be systematically used to enhance the incident management plan, including refining incident scenarios and procedures (referencing 5.24). It is also vital to identify recurring or serious incidents and their underlying causes to update the organization’s information security risk assessment and determine and implement necessary additional controls. Furthermore, this knowledge should be used to enhance user awareness and training (referencing 6.3) by providing concrete examples of what can happen, how to respond, and how to avoid similar incidents in the future.

How to check it (Verification):

To check this, organizations should track key metrics on incident types, volumes, and costs. It is important to verify that risk assessments are consistently updated based on the analysis of incident data. Finally, assessing whether identified improvements to controls and training programs are effectively implemented and lead to measurable reductions in incident recurrence or impact is crucial.

5.28 Collection of evidence

What it is (Purpose):

This control requires the establishment and implementation of procedures for the identification, collection, acquisition, and preservation of evidence related to information security events. Its purpose is to ensure a consistent and effective management of evidence, which is crucial for disciplinary actions and potential legal proceedings, maximizing the admissibility of such evidence.

How to do it (Implementation Guidance):

Implementation involves developing internal procedures that consider the requirements of different jurisdictions to enhance the chances of evidence admissibility across relevant legal forums. These procedures must provide detailed instructions for the identification, collection, acquisition, and preservation of evidence, taking into account various types of storage media, devices, and their operational status (e.g., powered on or off). It must be demonstrable that records are complete and untampered, that electronic copies are identical to their originals, and that any information system from which evidence was gathered was operating correctly at the time of recording. Seeking certification or other relevant means of qualification for personnel and tools involved in evidence handling is recommended to strengthen the value of preserved evidence. When digital evidence crosses organizational or jurisdictional boundaries, it must be ensured that the organization is legally entitled to collect the required information. It is advisable to involve legal counsel or law enforcement early in any contemplated legal action to obtain advice on the specific evidence required.

How to check it (Verification):

To check this, organizations should regularly review their evidence collection procedures for compliance with legal and forensic standards. Conducting mock incident exercises can effectively test the organization's evidence collection capabilities in a simulated environment. Verifying the training and certification of personnel involved in evidence handling is also a critical step.
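Two of the demonstrability requirements in 5.28 (that electronic copies are identical to their originals, and that records are complete and untampered) have a direct technical counterpart: hash the original and the working copy at acquisition, and keep a custody record in which each entry commits to the one before it. The block below is an added example for this page, not code from the standard or from any forensic tool; the "disk image", the actors and the evidence identifiers are constructed:

```python
"""Added example (not from the page or the standard): record a forensic acquisition so
that it can later be demonstrated (a) the working copy is bit-identical to the original
and (b) the chain-of-custody record has not been altered, reordered or truncated."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

GENESIS = "0" * 64   # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes, working_copy: bytes) -> str:
    """Hash both images and refuse to continue unless they match. Returns the evidence
    hash that every custody entry will reference."""
    original_hash, copy_hash = sha256_hex(original), sha256_hex(working_copy)
    if original_hash != copy_hash:
        raise ValueError(f"copy does not match original: {original_hash[:12]} != {copy_hash[:12]}")
    return original_hash


class CustodyLog:
    """Append-only chain of custody. Each entry's hash covers its own fields and the
    previous entry's hash, so editing, deleting or reordering an earlier entry breaks
    verification from that point onward."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    @staticmethod
    def _entry_hash(body: Dict[str, object]) -> str:
        # Canonical JSON so the same fields always hash the same way.
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8"))

    def record(self, actor: str, action: str, evidence_hash: str, at: datetime) -> Dict[str, object]:
        body: Dict[str, object] = {
            "seq": len(self.entries),
            "timestamp": at.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_hash": evidence_hash,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        body["entry_hash"] = self._entry_hash(body)
        self.entries.append(body)
        return body

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (body.get("seq") != i or body.get("prev_hash") != prev
                    or self._entry_hash(body) != entry.get("entry_hash")):
                return i
            prev = str(entry["entry_hash"])
        return -1


# Constructed sample: a small "disk image" and one acquisition session.
ORIGINAL_IMAGE = b"constructed disk image bytes " * 64
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)


def example_session(tamper: bool = False) -> CustodyLog:
    """Acquire the image and build the custody log. With tamper=True an earlier entry is
    edited after the fact, which verify() must detect."""
    evidence_hash = acquire(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE))   # copy made via a write blocker in reality
    log = CustodyLog()
    log.record("j.smith", "imaged laptop SN-CONSTRUCTED-001 with write blocker", evidence_hash, T0)
    log.record("j.smith", "sealed original in evidence bag E-0042", evidence_hash, T0.replace(minute=30))
    log.record("a.jones", "received working copy for analysis", evidence_hash, T0.replace(hour=11))
    if tamper:
        log.entries[1]["action"] = "sealed original in evidence bag E-0099"
    return log


if __name__ == "__main__":
    print("intact chain verify() ->", example_session().verify())
    print("tampered chain verify() ->", example_session(tamper=True).verify())
```

The chain only proves that nobody altered the record without recomputing everything after it; someone who controls the whole log can rewrite the chain consistently. That is why the entry hashes (or at least the final one) are also anchored outside the log, for example on write-once media, in a signed and timestamped statement, or in a separately controlled case management system.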

5.29 Information security during disruption

What it is (Purpose):

This control focuses on planning how to maintain information security at an appropriate level during periods of disruption. Its purpose is to protect information and other associated assets during disruptions, ensuring that security is maintained or restored at the required levels and within specified timeframes.

How to do it (Implementation Guidance):

Implementation requires organizations to determine their specific requirements for adapting information security controls during disruption and to integrate these requirements into their broader business continuity management processes. Plans must be developed, implemented, tested, reviewed, and evaluated to ensure that the security of critical business processes can be maintained or restored following an interruption or failure. This involves implementing and maintaining information security controls, supporting systems, and tools within both business continuity and ICT continuity plans. Processes must also be established to maintain existing information security controls during disruption, and where this is not possible, to implement effective compensating controls.

How to check it (Verification):

To check this, security considerations should be integrated into all business continuity plan testing and exercises. Business impact analyses (BIAs) should be reviewed to ensure that potential consequences of loss of confidentiality and integrity of information are thoroughly considered, in addition to availability impacts. Finally, verifying that compensating controls are well-documented and ready for activation in the event of a disruption is crucial.

5.30 ICT readiness for business continuity

What it is (Purpose):

This control specifies that ICT readiness should be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements. Its purpose is to ensure the continuous availability of the organization’s information and other associated assets during a disruption, thereby supporting the uninterrupted operation of business objectives.

How to do it (Implementation Guidance):

Implementation begins with deriving ICT continuity requirements from a comprehensive Business Impact Analysis (BIA). The BIA process should assess the impacts of disruption on business activities, identify prioritized activities with defined Recovery Time Objectives (RTOs), and determine the necessary resources (including ICT services) and their respective RTOs. The BIA can also extend to define performance and capacity requirements for ICT systems and Recovery Point Objectives (RPOs) for information. Based on the BIA and risk assessment, organizations should identify and select appropriate ICT continuity strategies (e.g., before, during, and after disruption). Plans must then be developed, implemented, and tested to meet the required availability levels of ICT services within specified timeframes following interruptions or failures. Organizations must ensure an adequate organizational structure for disruption management, supported by competent personnel. ICT continuity plans, including response and recovery procedures, must be regularly evaluated through exercises and tests and formally approved by management. These plans should explicitly include performance and capacity specifications, RTOs for services, and RPOs for information.

How to check it (Verification):

To check this, organizations should regularly test their ICT continuity plans, including failover and recovery procedures. Reviewing RTOs and RPOs against actual recovery performance in tests is essential. Assessing the overall effectiveness of ICT continuity strategies in maintaining critical business operations during simulated disruptions provides crucial validation.
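The comparison of RTOs and RPOs against what a continuity exercise actually achieved can be done mechanically once the exercise timestamps are recorded. The script below is an added example, not part of the original page or of ISO/IEC 27002; the service names, targets and exercise timestamps are constructed. For each service it derives the achieved RTO (disruption start to restoration) and achieved RPO (age of the last usable recovery point at the moment of disruption), compares them with the BIA targets, and also flags services that were never exercised or never came back within the test window, since those are the cases a summary table tends to hide.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class ContinuityTarget:
    """ICT continuity requirement for one service, as derived from the BIA (constructed)."""
    service: str
    rto: timedelta  # maximum tolerable time from disruption to restoration
    rpo: timedelta  # maximum tolerable data loss, measured as age of the last good copy


@dataclass
class FailoverTestRecord:
    """Timestamps observed for one service during a continuity exercise (constructed)."""
    service: str
    disruption_start: datetime
    last_good_copy: Optional[datetime]    # last backup/replica point usable for recovery
    service_restored: Optional[datetime]  # None if not restored within the test window


@dataclass
class Evaluation:
    service: str
    achieved_rto: Optional[timedelta]
    achieved_rpo: Optional[timedelta]
    findings: List[str] = field(default_factory=list)

    @property
    def met(self) -> bool:
        """True only when both objectives were demonstrated in the exercise."""
        return not self.findings


def evaluate_service(target: ContinuityTarget, record: FailoverTestRecord) -> Evaluation:
    ev = Evaluation(target.service, None, None)
    if record.service_restored is None:
        ev.findings.append("service not restored within the test window (RTO not met)")
    else:
        ev.achieved_rto = record.service_restored - record.disruption_start
        if ev.achieved_rto > target.rto:
            ev.findings.append(f"RTO missed: {ev.achieved_rto} > target {target.rto}")
    # A recovery point taken after the disruption began cannot be trusted to be consistent.
    if record.last_good_copy is None or record.last_good_copy > record.disruption_start:
        ev.findings.append("no recovery point consistent before the disruption (RPO not met)")
    else:
        ev.achieved_rpo = record.disruption_start - record.last_good_copy
        if ev.achieved_rpo > target.rpo:
            ev.findings.append(f"RPO missed: {ev.achieved_rpo} > target {target.rpo}")
    return ev


def evaluate_exercise(targets: List[ContinuityTarget],
                      records: List[FailoverTestRecord]) -> Dict[str, Evaluation]:
    """Evaluate every BIA target; a target without a test record is itself a finding."""
    by_service = {r.service: r for r in records}
    results: Dict[str, Evaluation] = {}
    for t in targets:
        rec = by_service.get(t.service)
        if rec is None:
            results[t.service] = Evaluation(t.service, None, None,
                                            ["no test record: service was not exercised"])
        else:
            results[t.service] = evaluate_service(t, rec)
    return results


# Constructed sample data: BIA targets and one exercise's observations.
T0 = datetime(2024, 3, 10, 9, 0)
TARGETS = [
    ContinuityTarget("order-api", timedelta(hours=1), timedelta(minutes=15)),
    ContinuityTarget("billing-db", timedelta(hours=4), timedelta(minutes=5)),
    ContinuityTarget("reporting", timedelta(hours=8), timedelta(hours=24)),
    ContinuityTarget("hr-portal", timedelta(hours=2), timedelta(hours=1)),
]
RECORDS = [
    FailoverTestRecord("order-api", T0, T0 - timedelta(minutes=10), T0 + timedelta(minutes=45)),
    FailoverTestRecord("billing-db", T0, T0 - timedelta(minutes=3), T0 + timedelta(hours=5)),
    FailoverTestRecord("reporting", T0, T0 - timedelta(hours=2), None),
]

if __name__ == "__main__":
    for name, ev in evaluate_exercise(TARGETS, RECORDS).items():
        status = "MET" if ev.met else "NOT MET"
        print(f"{name:12s} {status:8s} RTO={ev.achieved_rto} RPO={ev.achieved_rpo} {ev.findings}")
```

Keeping the evaluation in code, rather than in a spreadsheet filled in after the exercise, makes it easy to run the same check against every exercise record and to keep the results as evidence for the management approval the control calls for.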

5.31 Legal, statutory, regulatory and contractual requirements

What it is (Purpose):

This control mandates the identification, documentation, and continuous updating of all legal, statutory, regulatory, and contractual requirements relevant to information security, along with the organization’s approach to meeting these obligations. Its fundamental purpose is to ensure comprehensive compliance with all applicable requirements, thereby avoiding legal penalties, reputational damage, and breaches of contractual agreements.

How to do it (Implementation Guidance):

Implementation requires that external requirements be meticulously considered across various organizational activities: when developing information security policies and procedures, designing and implementing controls, classifying information and assets, performing risk assessments and treatment, defining processes and roles, and establishing supplier contractual requirements. Organizations must identify all relevant legislation and regulations, including those applicable in other countries if conducting international business, using foreign products/services, or transferring information across borders. These identified laws and regulations must be regularly reviewed to stay current with changes and new requirements. Specific processes and individual responsibilities for meeting these requirements must be defined and documented. Special attention should be paid to legal requirements concerning cryptography (e.g., import/export restrictions, usage limitations, mandatory access by authorities, digital signature validity), and legal advice should be sought when dealing with cryptographic tools or encrypted information across jurisdictional borders. Finally, contractual requirements from clients, suppliers (referencing 5.20), and insurance providers must also be identified and addressed.

How to check it (Verification):

To check this, organizations should conduct regular legal and compliance reviews or audits. Maintaining a comprehensive register of applicable laws, regulations, and contracts is essential. It is also crucial to verify that policies and procedures are consistently updated in response to legal changes and to assess adherence to contractual security clauses.

5.32 Intellectual property rights

What it is (Purpose):

This control requires the implementation of appropriate procedures to protect intellectual property rights (IPR). Its purpose is to ensure compliance with legal, statutory, regulatory, and contractual requirements related to IPR and the use of proprietary products, thereby safeguarding the organization's valuable intellectual assets.

How to do it (Implementation Guidance):

Implementation involves defining and communicating a topic-specific policy on IPR protection. Procedures for IPR compliance should be published, clearly defining the compliant use of software and information products. Organizations must acquire software only through known and reputable sources to prevent copyright infringement. Maintaining appropriate asset registers that identify all assets with IPR protection requirements, along with proof and evidence of licenses and manuals, is crucial. It is essential to ensure that any maximum number of users or resources permitted within a license is not exceeded. Regular reviews should be conducted to confirm that only authorized and licensed software is installed. Procedures for maintaining appropriate license conditions and for the secure disposal or transfer of software to others must be in place. Organizations must also comply with the terms and conditions for software and information obtained from public networks and external sources, and strictly avoid unauthorized duplication, conversion, or extraction from commercial recordings or copyrighted documents. Finally, organizations must manage the risks of their own personnel and third parties failing to uphold the organization’s own intellectual property rights.

How to check it (Verification):

To check this, organizations should regularly audit software installations and usage against license agreements. Reviewing contracts with third parties for clear IPR clauses is essential. Conducting awareness training on IPR obligations for all personnel helps foster compliance. Monitoring for unauthorized copying or distribution of proprietary material provides ongoing assurance.
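The review that confirms only authorized and licensed software is installed, and that no license's seat limit is exceeded, is a straightforward reconciliation of the installed-software inventory against the asset register. The following is an added example rather than code from the page; the products, hosts and license entries are constructed, and the register format is an assumption. It reports three kinds of finding: software installed with no license entry at all, software whose installation count exceeds the permitted number of seats, and license entries that lack the proof of license the control expects the asset register to hold.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class License:
    """One entry in the asset register for software with IPR/licensing requirements (constructed)."""
    product: str
    max_seats: Optional[int]  # None means no seat limit (e.g. a site license)
    proof: str                # reference to the stored license evidence; empty = missing


@dataclass
class Finding:
    product: str
    issue: str       # "unlicensed", "seat_overage" or "missing_proof"
    installed: int   # installations observed in the inventory
    permitted: Optional[int]


def audit_installations(licenses: List[License],
                        inventory: List[Tuple[str, str]]) -> List[Finding]:
    """Reconcile (host, product) inventory entries against the license register."""
    register = {lic.product: lic for lic in licenses}
    installs = Counter(product for _host, product in inventory)
    findings: List[Finding] = []

    for product, count in sorted(installs.items()):
        lic = register.get(product)
        if lic is None:
            findings.append(Finding(product, "unlicensed", count, None))
        elif lic.max_seats is not None and count > lic.max_seats:
            findings.append(Finding(product, "seat_overage", count, lic.max_seats))

    # A license we cannot evidence is a compliance gap even if the seat count is fine.
    for lic in licenses:
        if not lic.proof:
            findings.append(Finding(lic.product, "missing_proof",
                                    installs.get(lic.product, 0), lic.max_seats))
    return findings


# Constructed sample data: a license register and a discovered-software inventory.
LICENSES = [
    License("OfficeSuite", 50, "contracts/officesuite-2024.pdf"),
    License("IDE Pro", 5, "contracts/idepro-order-4412.pdf"),
    License("OpenEditor", None, "licenses/openeditor-MIT.txt"),
    License("LegacyReport", 10, ""),
]
INVENTORY = [
    ("ws-01", "OfficeSuite"), ("ws-02", "OfficeSuite"), ("ws-03", "OfficeSuite"),
    ("ws-01", "IDE Pro"), ("ws-02", "IDE Pro"), ("ws-03", "IDE Pro"),
    ("ws-04", "IDE Pro"), ("ws-05", "IDE Pro"), ("ws-06", "IDE Pro"),
    ("ws-07", "CADTool"), ("ws-08", "CADTool"),
    ("ws-09", "OpenEditor"), ("ws-10", "LegacyReport"),
]

if __name__ == "__main__":
    for f in audit_installations(LICENSES, INVENTORY):
        print(f"{f.issue:13s} {f.product:13s} installed={f.installed} permitted={f.permitted}")
```

In practice the inventory would come from an endpoint management or software asset management export; keeping the comparison logic separate from the collection step lets the same audit run against whichever source the organization has.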

5.33 Protection of records

What it is (Purpose):

This control mandates the protection of records from loss, destruction, falsification, unauthorized access, and unauthorized release. Its purpose is to ensure compliance with legal, statutory, regulatory, and contractual requirements, as well as community or societal expectations, related to the protection and availability of records, which serve as both evidence of business activity and valuable information assets.

How to do it (Implementation Guidance):

Implementation requires organizations to issue guidelines on the storage, handling, chain of custody, and disposal of records, specifically including measures to prevent manipulation. These guidelines should align with the organization’s records management policy. A retention schedule must be established, defining specific records and the period for which they should be retained, taking into consideration national or regional legislation, regulations, and societal expectations. The storage and handling system should facilitate the identification of records and their retention periods, while also permitting appropriate destruction after the retention period if they are no longer needed. When deciding on the protection of specific records, their corresponding information security classification (referencing 5.12) should be considered. Records should be categorized by type (e.g., accounting, personnel, legal) with details on retention periods and allowable storage media (physical or electronic). Data storage systems must be chosen to allow retrieval of required records within an acceptable timeframe and format. For electronic media, procedures must ensure the ability to access records throughout the retention period (both storage media and format readability), safeguarding against loss due to future technology changes. Any related cryptographic keys and programs associated with encrypted archives or digital signatures must also be retained for the duration the records are kept (referencing 8.24). Storage and handling procedures should be implemented in accordance with manufacturer recommendations, considering the possibility of media deterioration.

How to check it (Verification):

To check this, organizations should regularly audit record retention schedules and disposal processes for compliance. Verifying the integrity and authenticity of critical records is crucial. Testing retrieval capabilities for archived electronic records, including decryption if applicable, ensures long-term accessibility. Assessing the security of record storage facilities, both physical and electronic, provides ongoing assurance.
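A records review that checks retention periods, allowable storage media and, for encrypted archives, the continued availability of the decryption key can be scripted against the retention schedule. The block below is an added example and not code from the page; record types, retention periods, media and key identifiers are all constructed, and the schedule layout is an assumption. For each record it computes the retention end date from the schedule, flags records on media the schedule does not allow or with no applicable rule, lists records whose retention has expired as candidates for controlled disposal, and, where a record depends on a key, verifies that the key exists and is retained at least as long as the record itself (the point the control makes with its reference to 8.24).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class RetentionRule:
    """One line of the retention schedule (constructed)."""
    record_type: str
    retention_years: int
    allowed_media: Set[str]


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    medium: str
    key_id: Optional[str]  # identifier of the key needed to read the record, if encrypted


@dataclass
class ArchivedKey:
    key_id: str
    retain_until: date  # date after which the key escrow may be destroyed


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review_records(rules: List[RetentionRule], records: List[Record],
                   keys: List[ArchivedKey], today: date) -> Dict[str, object]:
    schedule = {r.record_type: r for r in rules}
    escrow = {k.key_id: k for k in keys}
    findings: Dict[str, List[str]] = {}
    disposal_candidates: List[str] = []

    for rec in records:
        problems: List[str] = []
        rule = schedule.get(rec.record_type)
        if rule is None:
            problems.append(f"no retention rule for record type '{rec.record_type}'")
        else:
            if rec.medium not in rule.allowed_media:
                problems.append(f"medium '{rec.medium}' not allowed for '{rec.record_type}'")
            end = add_years(rec.created, rule.retention_years)
            if today > end:
                disposal_candidates.append(rec.record_id)
            if rec.key_id is not None:
                key = escrow.get(rec.key_id)
                if key is None:
                    problems.append(f"decryption key '{rec.key_id}' is not retained")
                elif key.retain_until < end:
                    problems.append(f"key '{rec.key_id}' retention ends {key.retain_until}, "
                                    f"before record retention ends {end}")
        if problems:
            findings[rec.record_id] = problems
    return {"disposal_candidates": disposal_candidates, "findings": findings}


# Constructed sample data: schedule, record register and key escrow.
RULES = [
    RetentionRule("accounting", 7, {"electronic", "paper"}),
    RetentionRule("personnel", 10, {"electronic", "paper"}),
    RetentionRule("legal", 15, {"electronic", "paper"}),
]
RECORDS = [
    Record("ACC-001", "accounting", date(2017, 3, 1), "electronic", "K1"),
    Record("ACC-002", "accounting", date(2020, 1, 15), "electronic", "K2"),
    Record("PER-001", "personnel", date(2019, 5, 20), "paper", None),
    Record("PER-002", "personnel", date(2022, 9, 1), "usb", None),
    Record("LEG-001", "legal", date(2021, 2, 28), "electronic", "K9"),
    Record("MKT-001", "marketing", date(2023, 7, 1), "electronic", None),
]
KEYS = [
    ArchivedKey("K1", date(2024, 12, 31)),
    ArchivedKey("K2", date(2026, 1, 1)),
]

if __name__ == "__main__":
    result = review_records(RULES, RECORDS, KEYS, date(2025, 6, 1))
    print("disposal candidates:", result["disposal_candidates"])
    for rid, problems in result["findings"].items():
        print(rid, "->", "; ".join(problems))
```

Disposal candidates are reported, not deleted: destruction after the retention period is a separate, authorized step, and the review's job is to surface the gaps (missing rules, disallowed media, keys that would expire first) before any record becomes unreadable or is disposed of out of process.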

5.34 Privacy and protection of PII

What it is (Purpose):

This control requires organizations to identify and meet the requirements regarding the preservation of privacy and protection of Personally Identifiable Information (PII) in accordance with applicable laws, regulations, and contractual requirements. Its purpose is to ensure compliance with legal and contractual obligations, protect individuals' privacy rights, and mitigate the significant risks of penalties and reputational damage associated with PII breaches.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on privacy and PII protection to all relevant interested parties. Organizations must develop, implement, and communicate detailed procedures for privacy preservation and PII protection to everyone involved in PII processing. Compliance with these procedures and all relevant legislation often benefits from the appointment of a dedicated privacy officer or a responsible person who can provide guidance to personnel, service providers, and other interested parties on their individual responsibilities and the specific procedures to follow. The responsibility for handling PII must explicitly consider relevant legislation and regulations, particularly those pertaining to cross-border PII transfers. Appropriate technical and organizational measures to protect PII must be implemented.

How to check it (Verification):

To check this, organizations should conduct regular privacy impact assessments (PIAs) (referencing ISO/IEC 29134) to identify and mitigate privacy risks. Auditing PII processing activities for compliance with established policies and regulations is crucial. Verification of the effectiveness of technical and organizational measures for PII protection provides ongoing assurance. Finally, reviewing data breach incidents involving PII for lessons learned and corrective actions is essential for continuous improvement.

5.35 Independent review of information security

What it is (Purpose):

This control mandates that the organization’s approach to managing information security and its implementation (encompassing people, processes, and technologies) should be independently reviewed at planned intervals or when significant changes occur. The purpose of this is to ensure the continuing suitability, adequacy, and effectiveness of the organization’s information security management approach and to identify opportunities for improvement.

How to do it (Implementation Guidance):

Implementation requires establishing formal processes for conducting independent reviews. Management is responsible for planning and initiating these periodic reviews, which should assess opportunities for improvement and the need for changes to the security approach, including policies, topic-specific policies, and other controls. It is crucial that these reviews are carried out by individuals who are independent of the area under review (e.g., the internal audit function, an independent manager, or an external third-party organization specializing in such reviews) and possess the appropriate competence. The results of these independent reviews must be reported to the management who initiated them, and if appropriate, to top management, with all records meticulously maintained. If the reviews identify that the organization’s approach is inadequate, management must initiate corrective actions. In addition to periodic reviews, independent reviews should also be considered when laws and regulations change, significant incidents occur, new business ventures or products/services are introduced or modified, or when security controls and procedures undergo significant changes.

How to check it (Verification):

To check this, organizations should maintain a clear schedule of independent reviews and track their completion. Reviewing reports from independent reviews and verifying that corrective actions are implemented and effective is essential. Assessing the independence and competence of the reviewers also provides crucial assurance.

5.36 Compliance with policies, rules and standards for information security

What it is (Purpose):

This control requires regular review of compliance with the organization’s information security policy, topic-specific policies, rules, and standards. Its purpose is to ensure that information security is consistently implemented and operated in accordance with the organization’s defined requirements, facilitating the identification and prompt addressing of any non-compliance.

How to do it (Implementation Guidance):

Implementation involves managers, service owners, product owners, or information owners identifying specific methods for reviewing compliance. The use of automated measurement and reporting tools should be considered to enhance the efficiency of these regular reviews. If any non-compliance is identified, managers must take specific steps: identify the root causes, evaluate the necessity for corrective actions to achieve compliance, implement appropriate corrective actions, and then review these actions to verify their effectiveness and identify any remaining deficiencies or weaknesses. The results of these reviews and corrective actions must be recorded and maintained. Managers should report these results to the individuals conducting independent reviews (referencing 5.35) when such reviews take place within their area of responsibility. Corrective actions should be completed in a timely manner, proportionate to the associated risk, and progress should be addressed at subsequent reviews if not fully completed.

How to check it (Verification):

To check this, organizations should establish a clear schedule for compliance reviews and meticulously track all findings. Reviewing corrective action plans and their implementation status is crucial. Leveraging automated tools for continuous monitoring of compliance, where feasible, can significantly enhance efficiency. Finally, ensuring that findings from compliance reviews feed into broader management reviews and independent audits reinforces the continuous improvement cycle.

5.37 Documented operating procedures

What it is (Purpose):

This control mandates that operating procedures for information processing facilities are documented and made readily available to all personnel who require them. Its purpose is to ensure the correct and secure operation of information processing facilities, thereby reducing errors, enhancing consistency, and supporting operational resilience.

How to do it (Implementation Guidance):

Implementation involves preparing detailed documented procedures for all operational activities associated with information security. This is particularly important for activities that need to be performed consistently by many people, are performed rarely (and thus might be forgotten), are new and present a risk if not performed correctly, or are being handed over to new personnel. These procedures should explicitly specify responsible individuals, secure installation and configuration of systems, automated and manual processing and handling of information, backup (referencing 8.13) and resilience measures, scheduling requirements (including interdependencies), instructions for handling errors or exceptional conditions (e.g., restrictions on utility programs, referencing 8.18), support and escalation contacts (including external support), storage media handling instructions (referencing 7.10, 7.14), system restart and recovery procedures, the management of audit trail and system log information (referencing 8.15, 8.17) and video monitoring systems (referencing 7.4), monitoring procedures (for capacity, performance, and security, referencing 8.6, 8.16), and maintenance instructions. These documented operating procedures must be regularly reviewed and updated as needed, with all changes formally authorized. Where technically feasible, information systems should be managed consistently using the same procedures, tools, and utilities.

How to check it (Verification):

To check this, organizations should regularly review operating procedures for accuracy, completeness, and adherence to established policies. Auditing operational activities against these documented procedures helps ensure compliance. Verifying that procedures are accessible to relevant personnel and that adequate training is provided on their use is also crucial. Continuous monitoring for deviations from documented procedures helps identify potential risks or areas for improvement.

People Controls (Clause 6)

People controls emphasize the critical role of the human element. These 8 controls address measures to ensure individuals understand and fulfill their information security responsibilities throughout the employee lifecycle, from recruitment to termination.

Detailed Controls:

6.1 Screening

What it is (Purpose):

This control requires conducting background verification checks on all candidates prior to joining the organization and on an ongoing basis, with the scope proportional to business requirements, the classification of information to be accessed, and perceived risks. Its purpose is to ensure that all personnel are eligible and suitable for their roles and remain so throughout their employment, thereby mitigating risks from insider threats or individuals who may not be trustworthy.

How to do it (Implementation Guidance):

Implementation involves performing a screening process for all types of personnel, including full-time, part-time, and temporary staff. For individuals contracted through suppliers, screening requirements should be explicitly included in contractual agreements. Information collected during screening must be handled in compliance with relevant legislation (e.g., privacy, PII protection, employment law). Verification checks should include, where permitted, satisfactory references, curriculum vitae accuracy, confirmation of qualifications, independent identity verification, and more detailed checks (e.g., credit, criminal records) for critical roles. For individuals hired for specific information security roles, competence and trustworthiness are paramount. Procedures should define clear criteria and limitations for these reviews. If verification cannot be completed in a timely manner, mitigating controls, such as delayed onboarding or reduced access, should be implemented. Periodic checks are also necessary to confirm ongoing suitability.

How to check it (Verification):

To check this, organizations should maintain detailed records of all screening checks and their results. The screening process itself should be periodically reviewed for compliance with legal requirements and its overall effectiveness. Verification that mitigating controls are consistently applied when initial screenings are delayed is also important.

6.2 Terms and conditions of employment

What it is (Purpose):

This control mandates that employment contractual agreements explicitly state the personnel’s and the organization’s responsibilities for information security. The objective is to ensure that personnel fully understand their information security responsibilities for their roles, fostering compliance and accountability from the outset.

How to do it (Implementation Guidance):

Implementation involves incorporating the organization’s information security policy and relevant topic-specific policies into contractual obligations. The agreements should clarify aspects such as confidentiality or non-disclosure agreements (referencing 6.6), legal responsibilities and rights (e.g., regarding copyright laws or data protection legislation, referencing 5.32, 5.34), responsibilities for information and asset management (referencing 5.9-5.13), handling information received from interested parties, and the actions to be taken if personnel disregard the organization’s security requirements (referencing 6.4). Information security roles and responsibilities should be communicated to candidates during the pre-employment process. Organizations must ensure that personnel agree to terms and conditions concerning information security that are appropriate to their level of access to organizational assets. These terms should be reviewed and updated whenever laws, regulations, or information security policies change. Furthermore, responsibilities that remain valid after employment termination (referencing 6.5) should be clearly specified.

How to check it (Verification):

To check this, organizations should review employment contracts to ensure the inclusion and clarity of all security clauses. Verifying that personnel formally acknowledge and agree to these security terms is also crucial. Periodic reviews of the terms and conditions ensure their alignment with current policies and regulations.

6.3 Information security awareness, education and training

What it is (Purpose):

This control requires providing appropriate information security awareness, education, and training, along with regular updates, relevant to job functions, for both organizational personnel and relevant interested parties. This is critical for ensuring that individuals are aware of and fulfill their information security responsibilities, which in turn reduces human error and significantly enhances the organization's overall security posture.

How to do it (Implementation Guidance):

Implementation involves establishing a comprehensive information security awareness, education, and training program aligned with the organization’s policies and procedures, taking into account the information to be protected and the controls in place. This training should occur periodically, with initial awareness, education, and training provided to new personnel and those transitioning to new roles with different security requirements. Assessing personnel understanding at the end of these activities is vital to gauge knowledge transfer and program effectiveness. The awareness program should aim to make personnel conscious of their security responsibilities and how to discharge them. It should be planned considering different roles, scheduled regularly, and built upon lessons learned from security incidents. Various channels (e.g., campaigns, e-learning, newsletters) should be used, covering management commitment, compliance needs, personal accountability, basic security procedures (e.g., event reporting, password security), and contact points for advice. The education and training program should identify, prepare, and implement plans for technical teams requiring specific skills to configure and maintain security levels for devices, systems, applications, and services. It should address skill gaps and utilize various forms (lectures, self-studies, on-the-job training) and delivery means. Technical personnel should be encouraged to stay updated through professional channels.

How to check it (Verification):

To check this, organizations should track participation rates and completion of awareness and training programs. Evaluating knowledge retention through assessments or quizzes is important. Analyzing incident reports to identify if human error or lack of awareness contributed to incidents helps in adjusting training content and frequency. Reviewing training materials for currency and relevance ensures the program remains effective.

6.4 Disciplinary process

What it is (Purpose):

This control mandates the formalization and communication of a disciplinary process for actions against personnel and other relevant interested parties who commit an information security policy violation. Its purpose is to ensure that individuals understand the consequences of security policy violations, to deter future misconduct, and to provide a structured and appropriate framework for addressing such violations.

How to do it (Implementation Guidance):

Implementation requires that the disciplinary process is not initiated without prior verification that a security policy violation has indeed occurred (referencing 5.28). The formal process should provide for a graduated response, taking into consideration factors such as the nature and gravity of the breach, whether the offense was intentional or accidental, if it is a first or repeated offense, and whether the violator was properly trained. The response must also consider relevant legal, statutory, regulatory, contractual, and business requirements. The disciplinary process itself serves as a deterrent to prevent personnel and other interested parties from violating information security policies and procedures. Deliberate violations may necessitate immediate action. Where possible, the identity of individuals subject to disciplinary action should be protected in line with applicable requirements. Conversely, recognizing and rewarding individuals who demonstrate excellent security behavior can also promote a positive security culture.

How to check it (Verification):

To check this, organizations should maintain comprehensive records of all disciplinary actions and their outcomes. The disciplinary process should be periodically reviewed for fairness, consistency, and effectiveness. Analyzing trends in policy violations can help identify systemic issues or areas where improved awareness or controls are needed.

6.5 Responsibilities after termination or change of employment

What it is (Purpose):

This control requires defining, enforcing, and communicating information security responsibilities and duties that remain valid after termination or a change of employment. Its purpose is to protect the organization’s interests, particularly regarding confidential information and intellectual property, during personnel transitions.

How to do it (Implementation Guidance):

Implementation requires that the process for managing termination or changes of employment explicitly defines which information security responsibilities and duties continue to apply. This typically includes obligations related to confidentiality of information, intellectual property, and other knowledge obtained, as well as responsibilities outlined in any confidentiality agreements (referencing 6.6). These continuing responsibilities and duties should be clearly stipulated in the individual’s terms and conditions of employment (referencing 6.2) or other relevant contracts. Changes in responsibility or employment should be managed as a combination of terminating the old responsibilities and initiating the new ones. It is crucial to identify and formally transfer information security roles and responsibilities held by any individual who leaves or changes job roles. A process must also be established for communicating these changes and relevant operating procedures to personnel, other interested parties, and relevant contacts. This process should also be applied to external personnel (e.g., suppliers) when their contract or job with the organization terminates or changes.

How to check it (Verification):

To check this, organizations should audit the termination or change of employment checklist to ensure that all security-related steps are completed. Verifying that access rights are promptly revoked (referencing 5.18) is a critical step. Confirmation that ongoing confidentiality obligations are clearly communicated and acknowledged by departing individuals provides additional assurance.

6.6 Confidentiality or non-disclosure agreements

What it is (Purpose):

This control mandates the identification, documentation, regular review, and signing of confidentiality or non-disclosure agreements (NDAs) by personnel and other relevant interested parties, reflecting the organization’s needs for information protection. Its primary purpose is to legally maintain the confidentiality of information accessible by personnel or external parties.

How to do it (Implementation Guidance):

Implementation involves ensuring that NDAs address the requirement to protect confidential information using legally enforceable terms. The specific terms within these agreements should be determined based on the type of information being handled, its classification level, its intended use, and the permissible access by the other party. Key elements to consider for inclusion in NDAs are: a clear definition of the information to be protected, the expected duration of the agreement (including cases requiring indefinite confidentiality), required actions upon agreement termination, the responsibilities of signatories to prevent unauthorized disclosure, the ownership of information, trade secrets, and intellectual property, permitted use of confidential information, the right to audit and monitor activities involving confidential information (especially in highly sensitive circumstances), processes for notification and reporting of unauthorized disclosure, terms for information return or destruction upon termination, and expected actions in case of non-compliance. Organizations must also ensure compliance with these agreements across all applicable jurisdictions (referencing 5.31, 5.32, 5.33, 5.34). Requirements for NDAs should be reviewed periodically and whenever changes occur that influence these requirements.

How to check it (Verification):

To check this, organizations should maintain a central repository of all signed NDAs. Periodically reviewing NDA templates for their legal adequacy and alignment with current organizational needs is essential. Incorporating NDA compliance into both internal and external audit processes provides ongoing verification. Finally, ensuring that termination clauses of NDAs are consistently enforced is crucial.

6.7 Remote working

What it is (Purpose):

This control requires the implementation of specific security measures when personnel are working remotely, to protect information accessed, processed, or stored outside the organization’s premises. Its purpose is to ensure the security of information in remote working environments, which often present unique risks not present in traditional office settings.

How to do it (Implementation Guidance):

Implementation involves issuing a topic-specific policy on remote working that clearly defines relevant conditions and restrictions. Organizations should consider the physical security of the remote working site, including the local environment and different jurisdictions, and establish rules for the remote physical environment (e.g., lockable filing cabinets, secure transportation, clear desk policies, secure printing and disposal of assets, and information security event reporting, referencing 6.8). Communication security requirements must be addressed, taking into account the need for remote access to organizational systems and the sensitivity of information transmitted. The policy should also cover the use of remote access technologies (e.g., virtual desktop access) for privately owned equipment. Threats of unauthorized access from other persons at the remote site (e.g., family, friends) or in public places must be considered, as well as the use of home and public networks and wireless network configuration. Security measures such as firewalls and malware protection should be implemented. Secure mechanisms for remote system deployment, initialization, authentication, and access privileges (e.g., multi-factor authentication) are vital. Organizations should specify the provision of suitable equipment and storage furniture, define permitted work and information classification, and outline authorized internal systems and services. Providing training on secure remote working, suitable communication equipment (e.g., device screen locks, inactivity timers, location tracking, remote wipe capabilities), and addressing physical security, rules on family/visitor access, hardware/software support, insurance, backup/business continuity, and audit/security monitoring are all part of this control. Finally, procedures for the revocation of authority and access rights, and the return of equipment when remote working activities terminate, must be established.

How to check it (Verification):

To check this, organizations should audit remote working configurations for compliance with the established policy. Reviewing logs for remote access activities and any anomalies is crucial. Conducting periodic security awareness refreshers specifically tailored for remote workers helps reinforce best practices. Testing remote wipe capabilities and data recovery procedures ensures readiness for device loss or theft.

6.8 Information security event reporting

What it is (Purpose):

This control mandates that the organization provides a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. Its purpose is to support timely, consistent, and effective reporting of these events, enabling quick action to prevent or minimize the impact of potential information security incidents.

How to do it (Implementation Guidance):

Implementation requires making all personnel and users aware of their responsibility to report information security events as quickly as possible. They must also be informed of the specific procedures for reporting and the designated point of contact. The reporting mechanism itself should be designed to be as easy, accessible, and available as possible. Situations to be considered for reporting include ineffective security controls, breaches of confidentiality, integrity, or availability, human errors, non-compliance with policies, physical security breaches, unauthorized system changes, malfunctions, access violations, vulnerabilities, and suspected malware infections. It is crucial to advise personnel not to attempt to prove suspected vulnerabilities independently, as this could be misinterpreted as misuse, cause damage to systems, or corrupt digital evidence, potentially leading to legal liability.

How to check it (Verification):

To check this, organizations should track the volume and types of reported security events. Assessing the timeliness of reporting and the initial response to these reports is also important. Conducting periodic awareness campaigns specifically on reporting procedures helps reinforce the message. Finally, reviewing feedback processes ensures that those who report events are notified of outcomes, fostering a culture of trust and encouraging future reporting.

Physical Controls (Clause 7)

Physical controls are essential for safeguarding information and associated assets from unauthorized physical access, damage, and interference. These 14 controls cover the physical environment, buildings, equipment, and storage media.

Detailed Controls:

7.1 Physical security perimeters

What it is (Purpose):

This control requires the definition and use of security perimeters to protect areas containing information and other associated assets. Its purpose is to prevent unauthorized physical access, damage, and interference to the organization’s information and assets.

How to do it (Implementation Guidance):

Implementation involves defining security perimeters and determining the appropriate siting and strength of each perimeter based on the information security requirements of the assets contained within. Buildings or sites housing information processing facilities must have physically sound perimeters, meaning no gaps or easily exploitable areas. Exterior roofs, walls, ceilings, and flooring should be of solid construction. All external doors must be suitably protected with control mechanisms such as bars, alarms, and locks. Doors and windows should be locked when unattended, and external protection for windows, especially at ground level, should be considered. Ventilation points also require attention. Fire doors on a security perimeter should be alarmed, monitored, and regularly tested in conjunction with walls to establish the required level of resistance, ensuring they operate in a failsafe manner. Additional barriers and perimeters may be necessary to control physical access between areas with different security requirements inside the main security perimeter. Physical security measures should be designed with the capability to be strengthened during periods of increased threat.

How to check it (Verification):

To check this, organizations should regularly inspect their physical perimeters for any vulnerabilities, such as gaps or weak points. Periodic testing of alarm systems and physical access controls is also essential. Reviewing physical security incident reports can help identify any breaches related to perimeter effectiveness.

7.2 Physical entry

What it is (Purpose):

This control mandates that secure areas are protected by appropriate entry controls and access points. Its fundamental purpose is to ensure that only authorized individuals gain physical access to the organization’s information and other associated assets.

How to do it (Implementation Guidance):

Implementation involves several key aspects. Access points, such as delivery and loading areas, must be controlled and, where possible, isolated from information processing facilities to prevent unauthorized entry. Access to sites and buildings should be restricted to authorized personnel only, with a formal process for managing access rights (provision, periodic review, update, and revocation, referencing 5.18). A secure physical logbook or electronic audit trail of all access must be maintained and monitored, with logs and sensitive authentication information protected. Technical mechanisms for access management, such as access cards, biometrics, or two-factor authentication, should be established and implemented, with double security doors considered for highly sensitive areas. A reception area, monitored by personnel or other means, should control physical access. Personnel and interested parties should be required to wear visible identification, and security personnel must be immediately notified of unescorted visitors or those without visible identification. Supplier personnel should only be granted restricted, authorized, and monitored access when necessary. Special attention is required for physical access security in multi-tenant buildings. Physical security measures should be designed to be strengthened during increased threat likelihood. Other entry points, like emergency exits, must also be secured. A key management process for physical keys or authentication information (referencing 5.17) should be established, including a logbook or annual key audit.

How to check it (Verification):

To check this, organizations should regularly review physical access logs and audit trails for any anomalies. Periodic tests of access control systems (e.g., card readers, biometric scanners) are essential. Observing and auditing visitor management procedures helps ensure compliance. Finally, performing unannounced checks of delivery and loading area controls can identify weaknesses.

7.3 Securing offices, rooms and facilities

What it is (Purpose):

This control focuses on the design and implementation of physical security measures for offices, rooms, and facilities. Its purpose is to prevent unauthorized physical access, damage, and interference to the organization’s information and other associated assets located within these specific areas.

How to do it (Implementation Guidance):

Implementation involves siting critical facilities to avoid public access. Buildings should be unobtrusive and provide minimal indication of their purpose, with no obvious signs, either outside or inside, identifying the presence of information processing activities. Facilities should be configured to prevent confidential information or activities from being visible and audible from the outside, with electromagnetic shielding considered where appropriate. Directories, internal telephone books, and online accessible maps that identify the locations of confidential information processing facilities should not be readily available to any unauthorized person.

How to check it (Verification):

To check this, regular physical inspections of critical facilities are necessary to ensure adherence to siting and visibility guidelines. Assessing the effectiveness of measures to prevent visual or auditory leakage of confidential information is also important. Audits of internal documentation and online resources should confirm that sensitive location information is not inadvertently disclosed.

7.4 Physical security monitoring

What it is (Purpose):

This control mandates the continuous monitoring of premises for unauthorized physical access. Its purpose is to detect and deter unauthorized physical access to the organization's information and assets.

How to do it (Implementation Guidance):

Implementation involves monitoring physical premises using a variety of surveillance systems, which may include security guards, intruder alarms, video monitoring systems (such as closed-circuit television), and physical security information management software. Access to buildings housing critical systems should be continuously monitored to detect unauthorized access or suspicious behavior. This can be achieved by installing video monitoring systems to view and record access to sensitive areas both inside and outside the premises. Intruder alarms, such as contact, sound, or motion detectors, should be installed (according to relevant standards) and periodically tested. These alarms should cover all external doors and accessible windows, and unoccupied areas should be alarmed at all times, with coverage also extended to other critical areas like computer or communications rooms.

How to check it (Verification):

To check this, organizations should regularly review surveillance footage and alarm logs for any suspicious activity or breaches. Periodic testing of all monitoring systems, including alarms and CCTV, is crucial to ensure their operational effectiveness. Compliance with legal requirements regarding monitoring, especially PII protection and retention periods, should be audited.

7.5 Protecting against physical and environmental threats

What it is (Purpose):

This control focuses on designing and implementing protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure. Its purpose is to prevent or reduce the consequences of events originating from these physical and environmental threats.

How to do it (Implementation Guidance):

Implementation requires performing risk assessments to identify the potential consequences of physical and environmental threats before initiating critical operations at a physical site, and at regular intervals thereafter. Necessary safeguards must be implemented, and changes to threats continuously monitored. Organizations should obtain specialist advice on managing risks from threats like fire, flood, earthquake, explosion, civil unrest, toxic waste, environmental emissions, and other natural or human-caused disasters. The location and construction of physical premises should consider local topography (e.g., elevation, water bodies, fault lines) and urban threats (e.g., areas prone to political unrest, criminal activity, or terrorist attacks).

How to check it (Verification):

To check this, organizations should regularly review risk assessments for physical and environmental threats and verify that corresponding safeguards are in place. Periodic testing of fire suppression, flood detection, and surge protection systems is essential. Compliance with safety regulations and emergency response plans should also be audited.

7.6 Working in secure areas

What it is (Purpose):

This control specifies that security measures for working in secure areas should be designed and implemented. Its purpose is to protect information and other associated assets within secure areas from damage and unauthorized interference by personnel working in those locations.

How to do it (Implementation Guidance):

Implementation requires that security measures apply to all personnel and cover all activities taking place within the secure area. Personnel should only be made aware of the existence of, or activities within, a secure area on a strict "need-to-know" basis. Unsupervised work in secure areas should be avoided for both safety reasons and to reduce opportunities for malicious activities. Vacant secure areas should be physically locked and periodically inspected. Photographic, video, audio, or other recording equipment (e.g., cameras in user endpoint devices) should not be allowed unless specifically authorized. The carrying and use of user endpoint devices in secure areas should be appropriately controlled. Finally, emergency procedures should be prominently posted in a readily visible or accessible manner.

How to check it (Verification):

To check this, organizations should conduct regular inspections of secure areas to ensure adherence to established working procedures. Auditing access logs for secure areas can identify any unauthorized or unsupervised entries. Reviewing incident reports related to secure area activities can highlight potential weaknesses in these controls.

7.7 Clear desk and clear screen

What it is (Purpose):

This control requires that clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, are defined and appropriately enforced. Its purpose is to reduce the risks of unauthorized access, loss, and damage to information on desks, screens, and in other accessible locations, both during and outside normal working hours.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on clear desk and clear screen to all relevant interested parties. This policy should guide practices such as locking away sensitive or critical business information (on paper or electronic media) when not required, especially when the office is vacated, ideally in secure furniture. User endpoint devices should be protected by key locks or other security means when not in use or unattended. Devices should be left logged off or protected with a screen and keyboard locking mechanism controlled by user authentication when unattended, with all computers and systems configured with a timeout or automatic logout feature. Originators should immediately collect outputs from printers or multi-function devices, with consideration for printers that require authentication for print release. Documents and removable storage media containing sensitive information should be securely stored and, when no longer required, disposed of using secure disposal mechanisms. Rules and guidance for the configuration of pop-ups on screens (e.g., turning off new email/messaging pop-ups during presentations or in public areas) should be established. Sensitive or critical information on whiteboards and other displays should be cleared when no longer required. Organizations should also have procedures in place for vacating facilities, including a final sweep to ensure assets are not left behind.

How to check it (Verification):

To check this, organizations can conduct periodic unannounced inspections to ensure compliance with clear desk and clear screen policies. Reviewing system configurations to verify automatic screen locks and logout features are enabled is also important. Auditing printer logs for uncollected sensitive printouts can identify non-compliance.

7.8 Equipment siting and protection

What it is (Purpose):

This control dictates that equipment should be securely sited and protected. Its purpose is to reduce the risks stemming from physical and environmental threats, as well as from unauthorized access and damage to equipment.

How to do it (Implementation Guidance):

Implementation involves siting equipment in a manner that minimizes unnecessary access into work areas and avoids unauthorized access. Information processing facilities handling sensitive data should be carefully positioned to reduce the risk of information being viewed by unauthorized persons during their use. Controls must be adopted to minimize the risk of potential physical and environmental threats, such as theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism. Guidelines for eating, drinking, and smoking in proximity to information processing facilities should be established. Environmental conditions, such as temperature and humidity, should be monitored for conditions that could adversely affect equipment operation. Lightning protection should be applied to all buildings, and lightning protection filters fitted to all incoming power and communications lines. The use of special protection methods, such as keyboard membranes for industrial environments, should be considered. Equipment processing confidential information should be protected to minimize information leakage due to electromagnetic emanation. Finally, information processing facilities managed by the organization should be physically separated from those not managed by the organization.

How to check it (Verification):

To check this, organizations should conduct regular physical inspections of equipment siting and protection measures. Environmental monitoring systems should be reviewed for proper functioning and alerts. Audits of power and communication line protection, including lightning protection filters, are also important.

7.9 Security of assets off-premises

What it is (Purpose):

This control requires that off-site assets are protected. Its purpose is to prevent the loss, damage, theft, or compromise of off-site devices and to avoid interruptions to the organization’s operations.

How to do it (Implementation Guidance):

Implementation involves protecting any device used outside the organization’s premises that stores or processes information (e.g., mobile devices), including both organization-owned and privately owned devices used for work (bring your own device, BYOD). The use of such devices must be authorized by management. Guidelines for protection include: not leaving equipment and storage media unattended in public or unsecured places; observing manufacturers’ instructions for protecting equipment (e.g., against strong electromagnetic fields, water, heat); maintaining a chain of custody log when off-premises equipment is transferred between individuals, ensuring unnecessary information is securely deleted before transfer; and, where necessary, requiring authorization for equipment and media removal from premises, with a record kept for audit. Specific attention should be paid to protecting against viewing information on devices in public transport and the risks of "shoulder surfing." Implementing location tracking and remote wiping capabilities for devices is also crucial.

How to check it (Verification):

To check this, organizations should audit off-premises asset registers and chain of custody logs. Remote wipe capabilities and location tracking systems should be periodically tested. Reviewing incident reports related to lost or stolen off-premises devices helps identify areas for improvement in protective measures.

7.10 Storage media

What it is (Purpose):

This control dictates that storage media must be managed throughout their life cycle—from acquisition and use to transportation and disposal—in accordance with the organization’s classification scheme and handling requirements. Its purpose is to ensure that only authorized disclosure, modification, removal, or destruction of information occurs on storage media.

How to do it (Implementation Guidance):

Implementation for **removable storage media** involves establishing and communicating a topic-specific policy on their management. Where necessary, authorization should be required for media removal from the organization, with a record kept for audit. All storage media must be stored in a safe, secure environment according to their information classification, protected against environmental threats (e.g., heat, moisture, electromagnetic fields) and following manufacturer specifications. If confidentiality or integrity is critical, cryptographic techniques should be used to protect information on removable media. To mitigate degradation risks, information should be transferred to fresh media before it becomes unreadable. Storing multiple copies of valuable information on separate media further reduces the risk of loss. Registration of removable storage media can limit information loss. Removable storage media ports (e.g., SD card slots, USB ports) should only be enabled for organizational reasons, and information transfer to such media should be monitored. When transferring physical storage media (including paper), security measures from 5.14 must be applied.

How to check it (Verification):

To check this, organizations should regularly audit storage media inventories and disposal logs. Periodic verification of secure deletion or destruction methods for retired media is crucial. Testing the effectiveness of cryptographic protection on removable media ensures data confidentiality.

7.11 Supporting utilities

What it is (Purpose):

This control addresses the protection of information processing facilities from power failures and other disruptions caused by failures in supporting utilities. Its purpose is to prevent loss, damage, or compromise of information and other associated assets, and to avoid interruptions to the organization’s operations due to utility failures.

How to do it (Implementation Guidance):

Implementation requires ensuring that equipment supporting utilities (e.g., electricity, telecommunications, water supply, gas, ventilation, air conditioning) is configured, operated, and maintained in accordance with relevant manufacturer’s specifications. Utilities should be regularly appraised for their capacity to meet business growth and interactions with other supporting utilities. Equipment supporting utilities must be regularly inspected and tested to ensure proper functioning. Where necessary, alarms should be raised to detect utility malfunctions. For critical facilities, utilities should have multiple feeds with diverse physical routing. If utility equipment is connected to a network, it should be on a separate network from the information processing facilities. Connection of utility equipment to the internet should only occur when needed and in a secure manner. Emergency lighting and communications must be provided. Emergency switches and valves to cut off power, water, gas, or other utilities should be located near emergency exits or equipment rooms. Emergency contact details must be recorded and readily available to personnel in the event of an outage.

How to check it (Verification):

To check this, organizations should regularly test uninterruptible power supplies (UPS), generators, and other backup utility systems. Reviewing maintenance records for utility equipment ensures proper upkeep. Monitoring utility consumption and performance can help identify potential capacity issues before they lead to disruption.

7.12 Cabling security

What it is (Purpose):

This control mandates that cables carrying power, data, or supporting information services are protected from interception, interference, or damage. Its purpose is to prevent loss, damage, theft, or compromise of information and other associated assets, and to avoid interruptions to the organization’s operations related to power and communications cabling.

How to do it (Implementation Guidance):

Implementation involves considering several guidelines for cabling security. Power and telecommunications lines entering information processing facilities should be underground where possible, or subject to adequate alternative protection (e.g., floor cable protectors, utility poles). Underground cables should be protected from accidental cuts (e.g., with armored conduits or presence signals). Power cables should be segregated from communications cables to prevent interference. For sensitive or critical systems, further controls include installing armored conduit, locked rooms or boxes, and alarms at inspection and termination points. The use of electromagnetic shielding to protect cables should be considered. Periodic technical sweeps and physical inspections should be conducted to detect unauthorized devices attached to cables. Controlled access to patch panels and cable rooms (e.g., with mechanical keys or PINs) is essential. The use of fiber-optic cables can also enhance security. All cables should be labeled at each end with sufficient source and destination details to enable physical identification and inspection. Specialist advice should be sought on how to manage risks arising from cabling incidents or malfunctions.

How to check it (Verification):

To check this, organizations should conduct regular visual inspections of cabling infrastructure. Periodic technical sweeps for unauthorized tapping devices or interference can provide assurance. Auditing access logs for cable rooms and patch panels helps ensure only authorized personnel have access.

7.13 Equipment maintenance

What it is (Purpose):

This control requires that equipment is maintained correctly to ensure the availability, integrity, and confidentiality of information. Its purpose is to prevent loss, damage, theft, or compromise of information and other associated assets, and to avoid interruptions to the organization’s operations caused by a lack of maintenance.

How to do it (Implementation Guidance):

Implementation involves maintaining equipment in accordance with the supplier’s recommended service frequency and specifications. The organization should implement and monitor a comprehensive maintenance program. Only authorized maintenance personnel should carry out repairs and maintenance on equipment. Detailed records of all suspected or actual faults, as well as all preventive and corrective maintenance activities, must be kept. Appropriate controls should be implemented when equipment is scheduled for maintenance, considering whether the maintenance is performed by internal personnel or external parties, and subjecting maintenance personnel to suitable confidentiality agreements. Maintenance personnel should be supervised when carrying out on-site maintenance. Access for remote maintenance must be authorized and controlled. If equipment containing information is taken off premises for maintenance, security measures for assets off-premises (referencing 7.9) must be applied. Compliance with all maintenance requirements imposed by insurance policies is also essential. Before equipment is returned to operation after maintenance, it should be inspected to ensure no tampering and proper functioning. Finally, if equipment is determined to be disposed of, measures for secure disposal or re-use (referencing 7.14) must be applied.

How to check it (Verification):

To check this, organizations should regularly review equipment maintenance logs and schedules for compliance with manufacturer recommendations and internal policies. Auditing the authorization and control of maintenance activities, especially for remote or off-site work, is crucial. Verification that equipment is inspected for tampering after maintenance also provides assurance.

7.14 Secure disposal or re-use of equipment

What it is (Purpose):

This control mandates that items of equipment containing storage media are verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use. Its purpose is to prevent the leakage of information from equipment that is being disposed of or re-used.

How to do it (Implementation Guidance):

Implementation requires verifying whether equipment contains storage media before disposal or re-use. Storage media containing confidential or copyrighted information must be physically destroyed, or the information must be destroyed, deleted, or overwritten using techniques that make the original information non-retrievable, rather than merely using standard delete functions. Detailed guidance on secure disposal of storage media is provided in 7.10, and on information deletion in 8.10. Labels and markings identifying the organization or indicating classification, owner, system, or network must be removed prior to disposal, including when reselling or donating equipment. Organizations should also consider the removal of security controls, such as access controls or surveillance equipment, at the end of a lease or when moving out of premises. This decision depends on factors like lease agreements, minimizing the risk of leaving sensitive systems for the next tenant, and the ability to reuse controls at a new facility.

How to check it (Verification):

To check this, organizations should audit equipment disposal records to confirm that secure methods were applied. Periodic checks of equipment designated for re-use should verify that all sensitive data and licensed software have been properly removed or overwritten. For external disposal services, obtaining certificates of destruction or data sanitization is a key verification step.

Technological Controls (Clause 8)

Technological controls represent the technical safeguards implemented to protect information and information processing facilities. This section covers a wide array of controls, from securing user endpoint devices and managing access rights to protecting against malware, managing vulnerabilities, and ensuring secure development practices.

Detailed Controls:

8.1 User endpoint devices

What it is (Purpose):

This control mandates the protection of information stored on, processed by, or accessible via user endpoint devices. Its purpose is to mitigate the specific risks introduced by the use of these devices, which are often highly mobile and used in less controlled environments.

How to do it (Implementation Guidance):

Implementation requires organizations to establish and communicate a topic-specific policy on the secure configuration and handling of user endpoint devices. This policy should be comprehensive, covering aspects such as the type and classification level of information the devices can handle, device registration, physical protection requirements, restrictions on software installation, mandatory software updates, rules for network connections (e.g., requiring personal firewalls), access controls, storage device encryption, malware protection, remote disabling/deletion/lockout capabilities, backup procedures, guidelines for web service usage, and the use of partitioning capabilities to separate organizational and personal data. A key consideration is whether sensitive information should only be accessed, not stored, on these devices, potentially requiring additional technical safeguards like disabling local storage or offline file access. Wherever feasible, these recommendations should be enforced through configuration management (referencing 8.9) or automated tools.

How to check it (Verification):

To check this, organizations should audit user endpoint device configurations for compliance with the policy. Reviewing logs for remote access activities and any anomalies is important. Periodic security awareness refreshers for users, especially remote workers, are crucial. Testing remote wipe capabilities and data recovery procedures ensures readiness for device loss or theft.

8.2 Privileged access rights

What it is (Purpose):

This control requires that the allocation and use of privileged access rights are strictly restricted and managed. Its purpose is to ensure that only authorized users, software components, and services are granted privileged access rights, thereby preventing their misuse, which is a major contributing factor to system failures or breaches.

How to do it (Implementation Guidance):

Implementation involves controlling privileged access rights through a formal authorization process, in accordance with the relevant topic-specific policy on access control (referencing 5.15). This includes meticulously identifying users who require privileged access for each system or process (e.g., operating systems, databases, applications). Privileged access rights should be allocated on an event-by-event basis, only to individuals with the necessary competence and based on the minimum requirements for their functional roles. An authorization process must be maintained, and a record of all allocated privileges kept. Requirements for the expiry of privileged access rights should be defined and implemented. Measures must be taken to ensure users are aware when they are operating in a privileged access mode, potentially through specific user identities, interface settings, or dedicated equipment. Authentication requirements for privileged access should be higher than for normal access, potentially requiring re-authentication or step-up authentication. Users with privileged access rights should be regularly reviewed to verify their continued qualification. Specific rules should be established to avoid the use of generic administration user IDs (like "root"), and their authentication information must be securely managed (referencing 5.17). Temporary privileged access, often referred to as "break glass" procedures, should be granted only for the necessary time window to implement approved changes. All privileged access to systems must be logged for audit purposes. Finally, privileged identities should not be shared or linked to multiple persons; each person should have a separate identity with specific privileged access rights, used solely for administrative tasks and not for day-to-day general tasks.

How to check it (Verification):

To check this, organizations should regularly audit privileged access logs to detect any unauthorized use or anomalies. Periodic reviews of privileged access rights are essential to ensure they align with current roles and responsibilities. Testing the "break glass" procedures and verifying their logging mechanisms provides assurance.
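One way to automate part of this review, as an added example that is not part of the original page: the script below walks a constructed privileged-access register and a constructed session log and reports the conditions the guidance says should not occur (grants without expiry, grants left in place after expiry, one identity linked to several persons, generic IDs such as "root" used directly, and sessions outside an approved "break glass" window). The register layout, identity names and the set of generic IDs are assumptions.

```python
"""Privileged-access review (added example, not from the page).

Reviews a constructed register and session log against control 8.2:
every grant has an expiry, expired standing grants have been revoked, no
identity is shared between persons, generic administration IDs are not used
directly, and every session falls inside the window its grant approved.
"""
from collections import defaultdict
from datetime import datetime

# Generic administration IDs that should not be used interactively (assumed list).
GENERIC_ADMIN_IDS = {"root", "admin", "administrator", "sa"}

# Constructed register: one row per allocated privileged right. Times are ISO 8601;
# an expiry of None means the grant was allocated without one.
REGISTER = [
    {"identity": "alice-adm", "person": "alice", "system": "db-prod",
     "granted": "2024-01-10", "expires": "2024-07-10", "break_glass": False},
    {"identity": "bob-adm", "person": "bob", "system": "erp",
     "granted": "2024-03-01", "expires": None, "break_glass": False},
    {"identity": "ops-shared", "person": "carol", "system": "k8s",
     "granted": "2024-02-01", "expires": "2024-12-31", "break_glass": False},
    {"identity": "ops-shared", "person": "dave", "system": "k8s",
     "granted": "2024-02-01", "expires": "2024-12-31", "break_glass": False},
    {"identity": "bg-erp", "person": "erin", "system": "erp",
     "granted": "2024-05-20T22:00", "expires": "2024-05-21T02:00", "break_glass": True},
]

# Constructed privileged-session log: (timestamp, identity, system).
SESSION_LOG = [
    ("2024-05-20T23:10", "bg-erp", "erp"),
    ("2024-05-22T09:00", "bg-erp", "erp"),
    ("2024-05-22T10:00", "root", "db-prod"),
    ("2024-08-01T08:00", "alice-adm", "db-prod"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def review_register(register, as_of):
    """Findings (kind, identity, system) for the register as of an ISO date."""
    now = _ts(as_of)
    findings = []
    persons = defaultdict(set)
    for row in register:
        persons[(row["identity"], row["system"])].add(row["person"])
        if row["expires"] is None:
            findings.append(("no-expiry", row["identity"], row["system"]))
        elif _ts(row["expires"]) < now and not row["break_glass"]:
            # A break-glass grant is expected to expire; a standing grant still
            # present after its expiry should have been revoked.
            findings.append(("expired-not-revoked", row["identity"], row["system"]))
    for (identity, system), people in persons.items():
        if len(people) > 1:
            findings.append(("shared-identity", identity, system))
    return findings


def review_sessions(register, sessions):
    """Findings (kind, identity, system, timestamp) for logged privileged sessions."""
    findings = []
    for ts, identity, system in sessions:
        when = _ts(ts)
        if identity in GENERIC_ADMIN_IDS:
            findings.append(("generic-id-used", identity, system, ts))
            continue
        grants = [g for g in register
                  if g["identity"] == identity and g["system"] == system]
        covering = [g for g in grants
                    if _ts(g["granted"]) <= when
                    and (g["expires"] is None or when <= _ts(g["expires"]))]
        if not grants:
            findings.append(("no-grant", identity, system, ts))
        elif not covering:
            findings.append(("outside-grant-window", identity, system, ts))
        elif any(g["break_glass"] for g in covering):
            # Legitimate use, but each break-glass session is reviewed individually.
            findings.append(("break-glass-used", identity, system, ts))
    return findings


if __name__ == "__main__":
    for f in review_register(REGISTER, "2024-08-05") + review_sessions(REGISTER, SESSION_LOG):
        print(f)
```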

8.3 Information access restriction

What it is (Purpose):

This control mandates that access to information and other associated assets is restricted in accordance with the established topic-specific policy on access control. Its purpose is to ensure that only authorized access occurs and to prevent any unauthorized access to information and associated assets.

How to do it (Implementation Guidance):

Implementation involves several key considerations. Access to sensitive information should not be allowed for unknown user identities or anonymously; public or anonymous access should only be granted to storage locations that contain no sensitive information. Configuration mechanisms must be provided to control access to information within systems, applications, and services. This includes controlling which specific data can be accessed by a particular user and which identities or groups of identities have specific access types (e.g., read, write, delete, execute). Physical or logical access controls should be provided for the isolation of sensitive applications, application data, or systems.

How to check it (Verification):

To check this, organizations should regularly audit access configurations within systems and applications to ensure they align with access restriction policies. Testing dynamic access management rules and their effectiveness in real-time scenarios is crucial. Reviewing logs for any attempts to access restricted information or bypass controls provides continuous monitoring.

8.4 Access to source code

What it is (Purpose):

This control requires that read and write access to source code, development tools, and software libraries are appropriately managed. Its purpose is to prevent the introduction of unauthorized functionality, avoid unintentional or malicious changes, and maintain the confidentiality of valuable intellectual property embedded within the code.

How to do it (Implementation Guidance):

Implementation involves strictly controlling access to source code and associated items (e.g., designs, specifications, verification plans) and development tools (e.g., compilers, builders, test platforms). This is best achieved by controlling central storage of code, preferably within a source code management system. Read access and write access to source code may differ based on personnel roles; for instance, read access might be broad, but write access restricted to privileged personnel or designated owners. When multiple developers use code components, read access to a centralized repository should be implemented. If open-source or third-party code components are used, read access to external repositories may be broad, but write access should still be restricted. Guidelines for controlling access to program source libraries include managing access according to established procedures, granting read/write access based on business needs and risk mitigation, updating source code via change control (referencing 8.32) only after authorization, avoiding direct developer access to repositories (using tools instead), securing program listings, and maintaining an audit log of all accesses and changes to source code. If source code is intended for publication, additional controls like digital signatures to provide assurance on its integrity should be considered.

How to check it (Verification):

To check this, organizations should regularly audit access controls on source code repositories and development tools. Reviewing audit logs for all accesses and changes to source code is crucial. Verifying that source code updates follow change control procedures and are properly authorized provides assurance.

8.5 Secure authentication

What it is (Purpose):

This control mandates the implementation of secure authentication technologies and procedures, based on information access restrictions and the topic-specific policy on access control. Its purpose is to ensure that a user or an entity is securely authenticated when access to systems, applications, and services is granted.

How to do it (Implementation Guidance):

Implementation requires choosing a suitable authentication technique that substantiates the claimed identity of a user, software, or messages. The strength of authentication should be appropriate for the classification of the information to be accessed. For critical information systems, stronger authentication methods beyond simple passwords, such as digital certificates, smart cards, tokens, or biometric means, should be employed. Multi-factor authentication, combining multiple factors (e.g., what you know, what you have, what you are), is recommended for critical systems, and can be combined with adaptive techniques to require additional factors under specific circumstances (e.g., unusual location or device). Biometric authentication information must be invalidated if compromised, and alternative authentication techniques should be available to address issues like unavailability due to environmental conditions.

How to check it (Verification):

To check this, organizations should regularly audit log-on procedures and authentication configurations. Monitoring for failed login attempts and brute-force attacks is crucial. Periodic testing of multi-factor authentication mechanisms and adaptive authentication rules ensures their effectiveness. Reviewing logs for alerts related to authentication breaches provides continuous oversight.

8.6 Capacity management

What it is (Purpose):

This control requires that the use of resources is monitored and adjusted in line with current and expected capacity requirements. Its purpose is to ensure the required capacity of information processing facilities, human resources, offices, and other facilities, thereby maintaining availability and performance.

How to do it (Implementation Guidance):

Implementation involves identifying capacity requirements for all relevant resources, taking into account the business criticality of the concerned systems and processes. System tuning and monitoring should be applied to ensure and improve system availability and efficiency. Organizations should perform stress tests of systems and services to confirm sufficient capacity for peak performance requirements. Detective controls should be in place to indicate problems in a timely manner. Projections of future capacity requirements must consider new business and system needs, as well as current and projected trends in information processing capabilities, with particular attention to resources with long procurement lead times or high costs. Managers, service owners, or product owners should monitor the utilization of key system resources to identify and avoid potential limitations and dependencies on key personnel that could threaten system security or services, and plan appropriate actions.

How to check it (Verification):

To check this, organizations should regularly review capacity planning documents and resource utilization reports. Conducting stress tests and performance monitoring helps verify that systems can handle peak loads. Auditing the implementation of capacity increase or demand reduction strategies ensures that adjustments are made in line with requirements.

8.7 Protection against malware

What it is (Purpose):

This control mandates the implementation of protection against malware, supported by appropriate user awareness. Its purpose is to ensure that information and other associated assets are protected against the pervasive and evolving threat of malware.

How to do it (Implementation Guidance):

Implementation involves a multi-faceted approach that goes beyond just malware detection and repair software. It requires establishing rules and controls to prevent or detect the use of unauthorized software (e.g., application allowlisting, referencing 8.19, 8.32) and malicious websites (e.g., blocklisting). Organizations should reduce vulnerabilities that malware could exploit through robust technical vulnerability management (referencing 8.8, 8.19). Regular automated validation of software and data content, especially for critical business processes, is essential to detect unapproved files or unauthorized amendments. Protective measures must be established against risks associated with obtaining files and software from external networks or media. Malware detection and repair software should be installed and regularly updated, performing scans on data received over networks or via electronic storage media, and on email/instant messaging attachments and downloads, at various points (e.g., email servers, desktop computers, network gateways).

How to check it (Verification):

To check this, organizations should regularly review malware detection logs and incident reports related to malware infections. Periodic vulnerability assessments (referencing 8.8) and penetration tests (referencing 8.29) can help identify weaknesses that malware could exploit. Verifying that anti-malware software is up-to-date and correctly configured across all systems is essential.

8.8 Management of technical vulnerabilities

What it is (Purpose):

This control requires organizations to obtain information about technical vulnerabilities in their information systems, evaluate their exposure to such vulnerabilities, and take appropriate measures. Its purpose is to proactively prevent the exploitation of technical vulnerabilities that could compromise information security.

How to do it (Implementation Guidance):

Implementation begins with **identifying technical vulnerabilities**, which necessitates an accurate and up-to-date asset inventory (referencing 5.9) detailing software vendors, names, versions, deployment states, and responsible personnel. Organizations must define roles and responsibilities for vulnerability management (monitoring, risk assessment, patching, tracking). They should identify and maintain awareness of relevant information resources for vulnerabilities and require suppliers of information systems to ensure vulnerability reporting, handling, and disclosure (referencing 5.20). Using vulnerability scanning tools and conducting planned, documented, and repeatable penetration tests (referencing 8.29) by competent and authorized persons are crucial for identification. Tracking the usage of third-party libraries and source code for vulnerabilities (referencing 8.28) is also important. Organizations should develop procedures to detect vulnerabilities in their products/services and receive vulnerability reports from internal or external sources, providing a public point of contact for disclosure and considering bug bounty programs.

How to check it (Verification):

To check this, organizations should regularly review vulnerability scan reports and penetration test results. Tracking the remediation status of identified vulnerabilities is crucial. Auditing the software update management process ensures patches are applied promptly and securely. Reviewing audit logs for vulnerability management activities provides oversight.

8.9 Configuration management

What it is (Purpose):

This control requires that configurations, including security configurations, of hardware, software, services, and networks are established, documented, implemented, monitored, and reviewed. Its purpose is to ensure that these components function correctly with required security settings and that configurations are not altered by unauthorized or incorrect changes, thereby preserving integrity and availability.

How to do it (Implementation Guidance):

Implementation involves defining and implementing processes and tools to enforce defined configurations for both newly installed and operational systems throughout their lifetime. Clear roles, responsibilities, and procedures must be in place to ensure satisfactory control of all configuration changes. Standard templates for the secure configuration of hardware, software, services, and networks should be defined, drawing upon publicly available guidance (e.g., vendor templates, independent security organizations). These templates should consider the required level of protection, support the organization’s policies and security requirements, and be feasible within the organizational context. They should be periodically reviewed and updated to address new threats, vulnerabilities, or new software/hardware versions.

How to check it (Verification):

To check this, configurations should be monitored using system management tools and regularly reviewed to verify settings, evaluate password strengths, and assess activities. Actual configurations should be compared with defined target templates, and any deviations addressed through automatic enforcement or manual corrective actions. System hardening is a typical part of configuration management.
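The "compare actual configuration with the target template and enforce it" step, as an added example that is not part of the original page: the script parses a constructed sshd_config, lists every deviation from a constructed hardening template (including keywords that are absent and therefore fall back to the daemon's default), and writes a corrected file. The template values are assumed for illustration; real targets come from vendor or independent hardening guidance as the text says.

```python
"""Configuration drift check (added example, not from the page).

Compares a constructed sshd_config with a constructed target template of the
kind control 8.9 describes, reports deviations, and produces a corrected file
(the automatic-enforcement step).
"""

# Constructed target template: keyword -> required value (assumed values).
TEMPLATE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed actual configuration as found on a host.
ACTUAL = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
"""


def parse_config(text):
    """Return {keyword_lowercase: value}; the first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_config(text, template):
    """List deviations from the template: missing keywords or wrong values."""
    actual = parse_config(text)
    deviations = []
    for key, expected in template.items():
        found = actual.get(key.lower())
        if found is None:
            # Absent means the built-in default applies, which may differ from
            # the template, so it is reported rather than silently accepted.
            deviations.append({"key": key, "expected": expected, "actual": None})
        elif found.lower() != expected.lower():
            deviations.append({"key": key, "expected": expected, "actual": found})
    return deviations


def enforce_template(text, template):
    """Return the configuration text with every template keyword set as required."""
    wanted = {k.lower(): (k, v) for k, v in template.items()}
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        if line and not line.startswith("#") and parts[0].lower() in wanted:
            lk = parts[0].lower()
            if lk in seen:
                continue  # drop later duplicates so the enforced value is the one in effect
            seen.add(lk)
            key, value = wanted[lk]
            out.append(f"{key} {value}")
        else:
            out.append(raw)  # unrelated settings and comments are left untouched
    for lk, (key, value) in wanted.items():
        if lk not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for d in check_config(ACTUAL, TEMPLATE):
        print(f"{d['key']}: expected {d['expected']!r}, found {d['actual']!r}")
    print(enforce_template(ACTUAL, TEMPLATE))
```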

8.10 Information deletion

What it is (Purpose):

This control mandates that information stored in information systems, devices, or any other storage media is deleted when no longer required. Its purpose is to prevent unnecessary exposure of sensitive information and to ensure compliance with legal, statutory, regulatory, and contractual requirements for information deletion.

How to do it (Implementation Guidance):

Implementation requires that sensitive information is not retained longer than necessary to reduce the risk of undesirable disclosure. When deleting information across systems, applications, and services, organizations should select a deletion method (e.g., electronic overwriting or cryptographic erasure) in accordance with business requirements and relevant laws and regulations. The results of deletion should be recorded as evidence. If service suppliers are used for information deletion, evidence of deletion must be obtained from them. Where third parties store the organization’s information, deletion requirements should be included in their agreements.

How to check it (Verification):

To check this, organizations should regularly audit information deletion logs and records. Periodic verification of secure deletion methods for various media types is crucial. For cloud services, obtaining assurance of data deletion from CSPs is essential.

8.11 Data masking

What it is (Purpose):

This control specifies that data masking should be used in accordance with the organization’s topic-specific policy on access control and other related policies, and business requirements, taking applicable legislation into consideration. Its purpose is to limit the exposure of sensitive data, including Personally Identifiable Information (PII), and to comply with legal, statutory, regulatory, and contractual requirements.

How to do it (Implementation Guidance):

Implementation involves considering techniques such as data masking, pseudonymization, or anonymization to hide sensitive data (e.g., PII). When using pseudonymization or anonymization, it must be verified that the data has been adequately transformed to prevent re-identification, considering all elements of the sensitive information. Additional techniques for data masking include encryption, nulling or deleting characters, varying numbers and dates, substitution, and replacing values with their hash. When implementing these techniques, organizations should ensure that not all users are granted access to all data, designing queries and masks to show only the minimum required data. Mechanisms for obfuscation of data should be designed and implemented for cases where some data should not be visible for certain records (e.g., patient records). If data is obfuscated, the PII principal may have the right to require that users cannot see that the data is obfuscated. Any legal or regulatory requirements (e.g., masking payment card information) must be considered.
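The techniques listed above applied to one record, as an added example that is not part of the original page: character masking for a card number, pseudonymization with a keyed hash (a plain hash of a low-entropy value such as an ID or e-mail address can be reversed by hashing guesses, so the key is what makes the transformation resist re-identification), date varying, per-role views that show only the minimum fields, and a check that no original sensitive value survives in the output. The record, roles and field actions are constructed.

```python
"""Data-masking helpers (added example, not from the page).

Applies the techniques control 8.11 lists to a constructed patient record and
checks that each role's view exposes only the minimum required data.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed record; every value is made up.
RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Roe",
    "email": "jane.roe@example.org",
    "dob": "1980-04-12",
    "card": "4111 1111 1111 1111",
    "diagnosis": "J45.20",
}

# Which fields each (hypothetical) role may see and how each is transformed.
ROLE_VIEWS = {
    "billing": {"patient_id": "pseudonym", "name": "keep", "card": "mask_pan"},
    "research": {"patient_id": "pseudonym", "dob": "shift_date", "diagnosis": "keep"},
}


def mask_pan(pan):
    """Replace all but the last four digits, as required for payment card data."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 13:
        raise ValueError("not a primary account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize(value, key):
    """Keyed hash (HMAC-SHA-256) truncated to a 16-hex-character token.

    The key stays with the masking service, not the data users, so the token
    cannot be rebuilt by hashing candidate values, yet it is stable, so records
    about the same person can still be joined.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def shift_date(iso_date, key, record_key, max_days=30):
    """Move a date by a per-record offset in [-max_days, -1] or [1, max_days]."""
    d = date.fromisoformat(iso_date)
    digest = hmac.new(key, record_key.encode(), hashlib.sha256).digest()
    offset = int.from_bytes(digest[:2], "big") % (2 * max_days) - max_days
    if offset >= 0:
        offset += 1  # never zero, so the real date is never shown
    return (d + timedelta(days=offset)).isoformat()


def mask_record(record, role, key):
    """Return only the fields the role may see, each transformed per ROLE_VIEWS."""
    out = {}
    for field, action in ROLE_VIEWS[role].items():
        value = record[field]
        if action == "keep":
            out[field] = value
        elif action == "mask_pan":
            out[field] = mask_pan(value)
        elif action == "pseudonym":
            out[field] = pseudonymize(value, key)
        elif action == "shift_date":
            out[field] = shift_date(value, key, record["patient_id"])
        else:
            raise ValueError(f"unknown action {action}")
    return out


def leaks_original(masked, record, fields):
    """True if any of the named original values still appears verbatim in the view."""
    haystack = " ".join(str(v) for v in masked.values())
    return any(record[f] in haystack for f in fields)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a managed secret, rotated per policy
    for role in ROLE_VIEWS:
        print(role, mask_record(RECORD, role, key))
```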

How to check it (Verification):

To check this, organizations should regularly audit the effectiveness of data masking techniques in preventing unauthorized exposure of sensitive data. Reviewing access controls to masked data is crucial. Compliance with legal and regulatory requirements for data masking should be verified.

8.12 Data leakage prevention

What it is (Purpose):

This control mandates that data leakage prevention (DLP) measures are applied to systems, networks, and any other devices that process, store, or transmit sensitive information. Its purpose is to detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.

How to do it (Implementation Guidance):

Implementation involves considering several key steps to reduce the risk of data leakage. Organizations must identify and classify information that needs protection against leakage (e.g., personal information, pricing models, product designs). Channels through which data leakage could occur (e.g., email, file transfers, mobile devices, portable storage devices) must be monitored. Actions should be taken to prevent information from leaking, such as quarantining emails containing sensitive information. DLP tools should be utilized to identify and monitor sensitive information at risk of unauthorized disclosure, detect the disclosure of sensitive information (e.g., when uploaded to untrusted cloud services or sent via email), and block user actions or network transmissions that expose sensitive information (e.g., preventing copying of database entries into spreadsheets).

How to check it (Verification):

To check this, organizations should regularly review DLP tool logs and alerts for detected leakage attempts. Periodic testing of DLP rules and configurations is crucial to ensure they effectively identify and block sensitive data. Auditing compliance with policies regarding screenshots and data export provides additional assurance.

8.13 Information backup

What it is (Purpose):

This control requires that backup copies of information, software, and systems are maintained and regularly tested in accordance with an agreed topic-specific policy on backup. Its purpose is to enable recovery from the loss of data or systems, ensuring business continuity.

How to do it (Implementation Guidance):

Implementation begins with establishing a topic-specific policy on backup that addresses the organization’s data retention and information security requirements. Adequate backup facilities must be provided to ensure that all essential information and software can be recovered following an incident, failure, or loss of storage media. Plans for backing up information, software, and systems should be developed and implemented, aligning with the backup policy. When designing a backup plan, several factors must be considered: producing accurate and complete records of backup copies and documented restoration procedures; reflecting business requirements (e.g., Recovery Point Objective, referencing 5.30), security requirements, and information criticality in the extent and frequency of backups; storing backups in a safe, secure remote location sufficiently distant from the main site; providing backup information with appropriate physical and environmental protection (referencing Clause 7 and 8.1) consistent with the main site; regularly testing backup media to ensure reliability for emergency use, by restoring data onto a test system rather than overwriting originals; protecting backups with encryption where confidentiality is important; and taking care to detect inadvertent data loss before backups are taken.

How to check it (Verification):

To check this, organizations should regularly review backup policies and plans. Periodic testing of backup restoration procedures is crucial, ensuring data integrity and recovery time objectives are met. Auditing backup logs for successful completion and any failures provides ongoing assurance.

8.14 Redundancy of information processing facilities

What it is (Purpose):

This control mandates that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Its purpose is to ensure the continuous operation of information processing facilities, minimizing downtime and supporting business continuity.

How to do it (Implementation Guidance):

Implementation involves identifying requirements for the availability of business services and information systems. Organizations should design and implement systems architecture with appropriate redundancy, which can involve duplicating information processing facilities in part or entirely (e.g., spare components, two of everything). Procedures for the activation of redundant components and processing facilities must be planned and implemented, establishing whether activation is always on, or triggered automatically or manually in emergencies. The redundant components and facilities must ensure the same security level as the primary ones. Mechanisms should be in place to alert the organization to any failures in information processing facilities, enable the execution of planned procedures, and allow continued availability while facilities are repaired or replaced.

How to check it (Verification):

To check this, organizations should regularly test failover mechanisms for redundant systems and components. Reviewing incident reports related to system outages should assess whether redundancy measures successfully maintained availability. Auditing the configuration of redundant facilities ensures they provide the same security level as primary systems.

8.15 Logging

What it is (Purpose):

This control requires that logs recording activities, exceptions, faults, and other relevant events are produced, stored, protected, and analyzed. Its purpose is to record events, generate evidence, ensure the integrity of log information, prevent unauthorized access to logs, and enable the detection of information security events.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on logging. Logging facilities should be used to record information security events, which include user activities, exceptions, faults, and other events. These logs should be protected from tampering and unauthorized access, and regularly reviewed. The content of logs should be determined by business and information security requirements, considering privacy legislation. Logs should include: user IDs, dates, times, and details of log-on and log-off; records of successful and rejected system access attempts; records of access to privileged utilities; records of changes to system configurations (referencing 8.9); records of use of critical applications (e.g., financial transactions, database queries); records of information access and modification; records of security-related events (e.g., firewall alerts, anti-malware alerts); records of errors and faults; and records of system administration activities. Logs should be synchronized to an approved time source (referencing 8.17). Log facilities should be protected from unauthorized access, modification, or deletion, and should be regularly backed up (referencing 8.13). The capacity of logging facilities should be monitored (referencing 8.6) to prevent overflow. Logs should be analyzed regularly for evidence of malicious activity, unauthorized access, or system failures. Automated tools should be used for analysis where possible. Logs should be retained for a defined period based on legal, regulatory, and business requirements. For cloud services, the organization should define logging requirements in its agreement with the CSP (referencing 5.23).

How to check it (Verification):

To check this, organizations should regularly review log content for anomalies and potential security incidents. Auditing log protection mechanisms (e.g., access controls, integrity checks) ensures their security. Verifying log retention periods and backup procedures ensures compliance. Testing the effectiveness of log analysis tools and processes is also crucial.
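One form the "integrity checks" above can take, as an added example that is not part of the original page: a hash-chained log in which each entry's hash covers the record and the previous hash, so an edited or deleted entry fails verification, and the latest hash stored in a separate protected location (an "anchor") exposes truncation at the end. The log records are constructed; note that a chain alone does not stop someone with write access to the log store from re-hashing everything, which is why the anchor (or a signing key the log host does not hold) is needed.

```python
"""Tamper-evident log chain (added example, not from the page).

Each entry hashes its record together with the previous entry's hash.
Verification walks the chain from a fixed genesis value and optionally checks
the final hash against an anchor kept outside the log host's reach.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(chain, record):
    """Append a record to the chain and return the new entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain, anchor=None):
    """Return (True, None) if intact, else (False, index of the first bad entry).

    With an anchor (the last hash previously stored elsewhere), a chain that is
    internally consistent but shorter than expected fails at index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


def build_sample_chain():
    """Constructed records of the kinds control 8.15 says logs should include."""
    chain = []
    for record in [
        {"ts": "2024-05-20T10:00:14Z", "event": "logon", "user": "carol",
         "src": "203.0.113.5", "ok": True},
        {"ts": "2024-05-20T10:01:02Z", "event": "privileged_utility",
         "user": "alice-adm", "tool": "debugger"},
        {"ts": "2024-05-20T10:02:30Z", "event": "config_change",
         "user": "alice-adm", "key": "PermitRootLogin"},
        {"ts": "2024-05-20T10:03:00Z", "event": "logoff", "user": "carol"},
    ]:
        append_entry(chain, record)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]          # store this where the log host cannot write
    print(verify_chain(chain, anchor))  # (True, None)
```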

8.16 Monitoring activities

What it is (Purpose):

This control requires the monitoring of networks, systems, and applications for anomalous behavior and taking appropriate actions to evaluate potential information security incidents. Its purpose is to detect information security events and respond to them promptly, minimizing their impact.

How to do it (Implementation Guidance):

Implementation involves continuously monitoring networks, systems, and applications for anomalous behavior. This includes monitoring for: unauthorized access attempts; unusual network traffic patterns; system crashes; unauthorized changes to system configurations; unusual activity by privileged users; and attempts to bypass security controls. Automated tools (e.g., intrusion detection systems, security information and event management - SIEM systems) should be used to facilitate monitoring and alert relevant personnel to suspicious activities. Thresholds for alerts should be defined and tuned to minimize false positives while ensuring timely detection of actual threats. All monitoring activities should be documented, and logs of anomalous behavior should be collected and protected (referencing 8.15). Personnel responsible for monitoring should be adequately trained and competent to interpret alerts and take appropriate initial actions. Procedures for escalating detected anomalies to information security incident management processes (referencing 5.25) must be established and followed. Monitoring should also consider the use of external services (e.g., cloud services, referencing 5.23) and ensure that monitoring capabilities extend to these environments. Regular reviews of monitoring effectiveness and adjustments to monitoring parameters are essential to adapt to evolving threats and organizational changes.

How to check it (Verification):

To check this, organizations should regularly review monitoring logs and incident reports generated from monitoring activities. Periodic testing of monitoring tools and alert mechanisms (e.g., by simulating anomalous behavior) is crucial. Assessing the response times and effectiveness of personnel in handling detected anomalies provides valuable feedback. Finally, ensuring that monitoring configurations are regularly updated to reflect new threats and vulnerabilities is essential.
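Threshold-based detection of the kind described above, run over sample log lines, as an added example that is not part of the original page; it also serves the failed-login and brute-force monitoring named in the verification of 8.5. The sshd-style lines, host and addresses are constructed, and the threshold and window are parameters so the tuning the text calls for can be tried directly.

```python
"""Failed-login burst detection (added example, not from the page).

Parses constructed sshd-style log lines and raises an alert when one source
produces `threshold` failures within `window`, and a higher-severity alert
when a success follows such a burst from the same source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

# Constructed sample log (syslog timestamps carry no year; 2024 is assumed).
LOG = """\
May 20 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May 20 10:00:03 bastion sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
May 20 10:00:05 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
May 20 10:00:08 bastion sshd[1204]: Failed password for carol from 203.0.113.5 port 40004 ssh2
May 20 10:00:10 bastion sshd[1205]: Failed password for carol from 203.0.113.5 port 40005 ssh2
May 20 10:00:14 bastion sshd[1206]: Accepted password for carol from 203.0.113.5 port 40006 ssh2
May 20 10:03:00 bastion sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
May 20 10:06:00 bastion sshd[1301]: Failed password for bob from 198.51.100.8 port 52000 ssh2
May 20 10:07:00 bastion sshd[1302]: Accepted password for bob from 198.51.100.8 port 52001 ssh2
May 20 10:07:30 bastion sshd[1303]: pam_unix(sshd:session): session opened for user bob(uid=1002) by (uid=0)
"""


def parse_line(line, year=2024):
    """Return {ts, ok, user, src} for an authentication line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source; one burst alert per source."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["ok"]:
            if len(q) >= threshold:
                # A success right after a burst is the case worth escalating.
                alerts.append({"kind": "success-after-failures", "src": e["src"],
                               "user": e["user"], "ts": e["ts"]})
            continue
        q.append(e["ts"])
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"kind": "failed-login-burst", "src": e["src"],
                           "failures": len(q), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG.splitlines()):
        print(a)
```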

8.17 Clock synchronization

What it is (Purpose):

This control mandates the synchronization of the clocks of all information processing systems used by the organization to approved time sources. Its purpose is to ensure accurate and consistent timekeeping across all systems, which is critical for the proper functioning of logging, auditing, and incident investigation processes.

How to do it (Implementation Guidance):

Implementation involves establishing an approved time source (e.g., a national time standard, an internal time server synchronized to a reliable external source, or a public NTP server). All information processing systems, including servers, workstations, network devices, and applications, should be configured to synchronize their clocks with this approved time source. Automated synchronization mechanisms (e.g., Network Time Protocol - NTP) should be used wherever possible to ensure continuous and accurate timekeeping. The frequency of synchronization should be determined based on the criticality of the systems and the required precision for logging and auditing. Procedures for monitoring clock synchronization and addressing any discrepancies must be established. Logs of synchronization events and any failures should be maintained. For systems that cannot be directly synchronized to the approved time source, manual synchronization procedures should be documented and followed, with regular verification of their accuracy.

How to check it (Verification):

To check this, organizations should regularly audit system logs for clock synchronization events and any reported errors. Periodically testing the accuracy of system clocks against the approved time source is crucial. Reviewing incident reports to ensure that accurate timestamps facilitate effective investigation provides practical validation of this control.

8.18 Use of privileged utility programs

What it is (Purpose):

This control requires restricting and tightly controlling the use of utility programs that are capable of overriding system and application controls. Its purpose is to prevent unauthorized access to and modification of information and information processing facilities, thereby reducing the risk of system compromise or data manipulation.

How to do it (Implementation Guidance):

Implementation involves identifying all utility programs that can override system and application controls (e.g., debuggers, system editors, low-level disk tools). Access to these programs should be strictly restricted to authorized personnel (referencing 8.2) who have a legitimate business need and are fully competent in their use. The use of such programs should be logged (referencing 8.15) and closely monitored (referencing 8.16) for any anomalous or unauthorized activity. Procedures for the use of privileged utility programs must be documented, including authorization processes, specific conditions for their use, and requirements for post-use review. Where possible, utility programs should be physically or logically separated from operational systems and only invoked when absolutely necessary for specific, authorized tasks. Automated tools should be considered to detect and prevent the unauthorized use of these programs. Any default or pre-installed utility programs with elevated privileges that are not required for operational purposes should be disabled or removed.

How to check it (Verification):

To check this, organizations should regularly audit access to and use of privileged utility programs. Reviewing logs for all activities performed with these programs is crucial. Periodic penetration tests can attempt to identify and exploit weaknesses related to utility program access. Verifying that unauthorized utility programs are not present on operational systems provides assurance.

8.19 Installation of software on operational systems

What it is (Purpose):

This control requires implementing procedures and measures to securely manage software installation on operational systems. Its purpose is to prevent the introduction of unauthorized, malicious, or vulnerable software onto operational systems, thereby maintaining their integrity and security.

How to do it (Implementation Guidance):

Implementation involves establishing a topic-specific policy on software installation and communicating it to all relevant interested parties. Only authorized software should be installed on operational systems. This can be achieved through: **software allowlisting** (permitting only explicitly approved software to run), **software blocklisting** (preventing known malicious or unauthorized software), or a combination. All software should be obtained from trusted and reputable sources. Before installation, software should be tested in a non-production environment (referencing 8.31) to ensure it functions as expected, is free from vulnerabilities, and does not introduce security risks. The installation process itself should follow documented procedures, including change management (referencing 8.32) and version control. Privileged access rights required for installation should be strictly controlled (referencing 8.2). Automated tools for software deployment and patch management (referencing 8.8) should be used where possible. Organizations should also define rules for the use of personal software on organizational systems (BYOD software) and ensure it complies with security policies. Regular audits of installed software should be conducted to identify and remove unauthorized or outdated versions. All software installations and changes should be logged (referencing 8.15).

How to check it (Verification):

To check this, organizations should regularly audit installed software against approved lists. Reviewing change management records for software installations ensures proper authorization. Periodic vulnerability scans can identify systems with outdated or unpatched software. Testing the effectiveness of allowlisting/blocklisting mechanisms provides assurance.
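
A small script illustrating the first check above, auditing an installed-software listing against an approved list. This is an added example, not code from the page or from ISO 27002: the package listing and the approved versions are constructed samples, and the listing format is the tab-separated output that `dpkg-query -W -f='${Package}\t${Version}\n'` prints on Debian-based systems. The approved list would normally come from the change-management or asset register.

```python
"""Audit installed software against an approved list (ISO 27002 8.19).

Added example, not code from the page. SAMPLE_LISTING mimics the output of
  dpkg-query -W -f='${Package}\t${Version}\n'
and APPROVED stands in for the versions recorded as approved in change management.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed approved list: package name -> versions approved through change management
APPROVED: Dict[str, Set[str]] = {
    "openssh-server": {"9.6p1-3", "9.7p1-1"},
    "nginx": {"1.24.0-2"},
    "python3": {"3.11.2-6"},
}

# Constructed listing, one "name<TAB>version" line per installed package
SAMPLE_LISTING = (
    "openssh-server\t9.6p1-3\n"
    "nginx\t1.22.1-9\n"              # approved package, but a version that was never approved
    "python3\t3.11.2-6\n"
    "netcat-traditional\t1.10-47\n"  # not on the approved list at all
)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str  # "unapproved_package" or "unapproved_version"


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Parse 'name<TAB>version' lines; blank lines are ignored."""
    inventory = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition("\t")
        inventory.append((name.strip(), version.strip()))
    return inventory


def audit_inventory(inventory: List[Tuple[str, str]], approved: Dict[str, Set[str]]) -> List[Finding]:
    """One finding per package that is absent from the approved list or runs an unapproved version."""
    findings = []
    for name, version in inventory:
        if name not in approved:
            findings.append(Finding(name, version, "unapproved_package"))
        elif version not in approved[name]:
            findings.append(Finding(name, version, "unapproved_version"))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(parse_listing(SAMPLE_LISTING), APPROVED):
        print(f"{f.reason:20s} {f.package} {f.version}")
```

Unapproved versions are reported separately from unapproved packages because they usually route to different processes: the former to patch management (8.8), the latter to removal and an investigation of how the software arrived on the system.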

8.20 Networks security

What it is (Purpose):

This control mandates the securing, managing, and controlling of networks and network devices to protect information in systems and applications. Its purpose is to ensure the confidentiality, integrity, and availability of information transmitted over networks and processed by network devices.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on network security. Networks should be designed and managed to ensure secure connectivity and protect against unauthorized access, interference, and damage. This includes: defining network boundaries, implementing firewalls and intrusion prevention systems (IPS) at network perimeters and between network segments, configuring network devices securely (referencing 8.9), using secure protocols for network management, and encrypting network traffic where confidentiality is required (referencing 8.24). Access to network devices should be restricted to authorized personnel (referencing 8.2). Network security configurations should be regularly reviewed and updated to address new threats and vulnerabilities. Monitoring network traffic for anomalous behavior (referencing 8.16) and logging network events (referencing 8.15) are crucial. Organizations should also consider network segregation (referencing 8.22) to isolate sensitive systems or data. For wireless networks, additional security measures like strong encryption (e.g., WPA3), secure authentication (e.g., 802.1X), and disabling default administrative credentials are vital. Network security should be integrated into the overall information security architecture (referencing 8.27).

How to check it (Verification):

To check this, organizations should regularly audit network security configurations and firewall rules. Conducting network vulnerability scans and penetration tests helps identify weaknesses. Reviewing network traffic logs and IDS/IPS alerts for suspicious activity provides continuous monitoring. Periodic reviews of network architecture and security policies ensure ongoing effectiveness.

8.21 Security of network services

What it is (Purpose):

This control requires the identification, implementation, and monitoring of security mechanisms, service levels, and service requirements of network services. Its purpose is to ensure the secure and reliable provision and use of network services, protecting information transmitted and processed through them.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on network services security. Security mechanisms, service levels, and service requirements for all network services (e.g., DNS, DHCP, VPN, email, web hosting) should be identified and documented. This includes: defining security requirements for each service based on information classification and risk assessment; implementing appropriate security mechanisms (e.g., access controls, encryption, authentication, logging) for each service; and establishing service level agreements (SLAs) with internal or external providers that include security objectives. Network services should be configured securely, disabling unnecessary features and protocols (referencing 8.9). Access to network service configuration and management interfaces should be restricted to authorized personnel (referencing 8.2). Regular monitoring of network service performance and security events (referencing 8.16) is crucial. Changes to network services should follow change management procedures (referencing 8.32). Organizations should also consider the security implications of using third-party network services (referencing 5.19, 5.20).

How to check it (Verification):

To check this, organizations should regularly audit network service configurations and security mechanisms. Reviewing SLAs and monitoring reports for compliance with security objectives is essential. Periodic vulnerability scans and penetration tests on network services can identify weaknesses. Auditing access logs for network service management interfaces provides oversight.

8.22 Segregation of networks

What it is (Purpose):

This control requires segregating groups of information services, users, and information systems in the organization’s networks. Its purpose is to protect sensitive information and critical systems by isolating them from less secure network segments, thereby limiting the impact of a security breach.

How to do it (Implementation Guidance):

Implementation involves designing and implementing network segmentation based on a risk assessment and the organization’s information classification scheme (referencing 5.12). This can be achieved using firewalls, virtual local area networks (VLANs), routing controls, or other network segregation technologies. Common segregation strategies include: separating production environments from development and test environments (referencing 8.31); isolating critical business applications and data; segregating guest networks from internal networks; separating wireless networks from wired networks; and isolating networks used for privileged access (referencing 8.2). Access controls between segregated network segments should be strictly defined and enforced (referencing 8.3). Network security configurations (referencing 8.9) and firewall rules should be regularly reviewed and updated. Monitoring network traffic between segments for anomalous behavior (referencing 8.16) is crucial. Organizations should also consider micro-segmentation for granular control over individual workloads.

How to check it (Verification):

To check this, organizations should regularly audit network segmentation configurations and firewall rules. Conducting network penetration tests specifically targeting cross-segment access can identify weaknesses. Reviewing network traffic logs and intrusion detection system (IDS) alerts for unauthorized communication between segments provides continuous monitoring.
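
As an added example of the firewall-rule audit described above (not code from the page or from ISO 27002), the following script assigns each network segment a trust level and flags allow rules that let a less trusted segment reach a more trusted one without an approved exception, or that open every port between segments. The segment map, the rule set and the exception list are constructed samples; a real review would load the exported rule base and take exceptions from change records.

```python
"""Review firewall rules for traffic that crosses a trust boundary (ISO 27002 8.22).

Added example, not code from the page. SEGMENTS, RULES and APPROVED_EXCEPTIONS
are constructed; trust levels are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed segments: name -> (CIDR, trust level; higher means more sensitive)
SEGMENTS: Dict[str, Tuple[str, int]] = {
    "guest": ("10.10.0.0/16", 0),
    "corp": ("10.20.0.0/16", 1),
    "dev": ("10.30.0.0/16", 1),
    "prod": ("10.40.0.0/16", 2),
    "priv-admin": ("10.50.0.0/24", 3),
}

# Rule names that change management has explicitly approved to cross a boundary upward
APPROVED_EXCEPTIONS: Set[str] = {"dev-to-prod-artifact-pull"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or single address
    dst: str
    dport: str   # port number or "any"
    action: str  # "allow" or "deny"


# Constructed rule set in evaluation order
RULES: List[Rule] = [
    Rule("admin-to-prod-ssh", "10.50.0.0/24", "10.40.0.0/16", "22", "allow"),
    Rule("dev-to-prod-artifact-pull", "10.30.5.10", "10.40.8.20", "443", "allow"),
    Rule("corp-to-prod-https", "10.20.0.0/16", "10.40.0.0/16", "443", "allow"),
    Rule("guest-to-corp-any", "10.10.0.0/16", "10.20.0.0/16", "any", "allow"),
    Rule("prod-db-tier", "10.40.1.0/24", "10.40.2.0/24", "5432", "allow"),
    Rule("corp-egress", "10.20.0.0/16", "0.0.0.0/0", "443", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def segment_of(address: str, segments: Dict[str, Tuple[str, int]] = SEGMENTS) -> Optional[str]:
    """Segment that contains the whole address range, or None if it lies outside all of them."""
    net = ipaddress.ip_network(address, strict=False)
    for name, (cidr, _) in segments.items():
        if net.subnet_of(ipaddress.ip_network(cidr)):
            return name
    return None


def review_rules(rules: List[Rule], segments=SEGMENTS, exceptions=APPROVED_EXCEPTIONS) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every allow rule that weakens segregation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_seg, dst_seg = segment_of(r.src, segments), segment_of(r.dst, segments)
        if src_seg is None or dst_seg is None:
            # Rules touching addresses outside the segment map (e.g. internet egress) need a human look
            findings.append((r.name, "endpoint outside defined segments; review manually"))
            continue
        if src_seg == dst_seg:
            continue  # intra-segment traffic is out of scope for this check
        if segments[src_seg][1] < segments[dst_seg][1] and r.name not in exceptions:
            findings.append((r.name, f"{src_seg} -> {dst_seg} crosses a trust boundary without an approved exception"))
        if r.dport == "any":
            findings.append((r.name, f"{src_seg} -> {dst_seg} allows any port"))
    return findings


if __name__ == "__main__":
    for name, reason in review_rules(RULES):
        print(f"{name:28s} {reason}")
```

Keeping the exception list keyed by rule name, rather than silently whitelisting address pairs, means every upward crossing that the audit passes can be traced back to a specific change record.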

8.23 Web filtering

What it is (Purpose):

This control mandates the management of access to external websites to reduce exposure to malicious content. Its purpose is to protect organizational systems and users from web-borne threats, such as malware, phishing, and inappropriate content, thereby enhancing overall information security.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on acceptable web usage (referencing 5.10). Web filtering solutions (e.g., proxy servers, content filters, DNS filtering) should be deployed at network egress points. These solutions should be configured to: block access to known malicious websites (e.g., malware distribution sites, phishing sites); filter categories of websites deemed inappropriate or non-business related; and prevent access to websites that could facilitate data leakage (e.g., unauthorized cloud storage, file-sharing sites). The web filtering rules should be regularly updated to address new threats and evolving web content. Exceptions to filtering rules should be granted only after a formal risk assessment and approval process. Monitoring web access logs (referencing 8.15) for policy violations or suspicious activity (referencing 8.16) is crucial. User awareness and training (referencing 6.3) on safe web browsing practices and the risks of accessing untrusted websites are also essential. Organizations should consider integrating web filtering with other security controls, such as malware protection (referencing 8.7) and data leakage prevention (referencing 8.12).

How to check it (Verification):

To check this, organizations should regularly review web filtering logs and reports for blocked attempts and policy violations. Periodic testing of filtering rules and configurations ensures their effectiveness. Auditing exception requests and approvals for web access provides oversight. Reviewing security incidents related to web-borne threats can help refine filtering policies.

8.24 Use of cryptography

What it is (Purpose):

This control mandates the definition and implementation of rules for the effective use of cryptography, including cryptographic key management. Its purpose is to ensure the confidentiality, authenticity, and integrity of information by applying cryptographic techniques where appropriate, thereby protecting sensitive data from unauthorized disclosure or modification.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on the use of cryptography. This policy should define when and how cryptographic controls are to be used, based on information classification (referencing 5.12), risk assessment, and legal/regulatory requirements (referencing 5.31). The policy should specify: the types of information to be protected (e.g., data at rest, data in transit); the cryptographic algorithms and key lengths to be used (e.g., AES-256, RSA-2048); the cryptographic products or solutions to be deployed; and the roles and responsibilities for cryptographic key management. A robust **cryptographic key management** process is essential, covering the entire key lifecycle: generation, distribution, storage, backup, revocation, and destruction. Keys should be protected from unauthorized access, modification, and disclosure. Key rotation policies should be defined and enforced. Hardware Security Modules (HSMs) or other secure key storage solutions should be considered for highly sensitive keys. Organizations should also ensure that cryptographic solutions are properly implemented and configured (referencing 8.9), and that personnel involved in using or managing cryptography receive appropriate training (referencing 6.3). Regular reviews of cryptographic controls and key management practices are crucial to ensure their ongoing effectiveness and compliance with evolving standards.

How to check it (Verification):

To check this, organizations should regularly audit cryptographic implementations and key management practices. Periodic penetration tests can attempt to identify weaknesses in cryptographic controls. Reviewing incident reports related to data confidentiality breaches can indicate areas where cryptographic measures need strengthening. Compliance with legal and regulatory requirements for cryptography should also be verified.
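
The key lifecycle described in the implementation guidance (generation, use, rotation, revocation, destruction) is easier to audit when it is explicit in code. The class below is an added example, not code from the page or from ISO 27002: it manages HMAC-SHA256 integrity keys from the Python standard library, so that key material never leaves the manager and callers only handle key ids and tags. The `KeyManager` name, the `kNNNN` key ids and the 24-hour maximum key age are assumptions for the example; a production deployment would keep the material in an HSM or key vault rather than in process memory.

```python
"""Key lifecycle with rotation, revocation and destruction (ISO 27002 8.24).

Added example, not code from the page. Key ids, states and the rotation age are
assumptions; the integrity primitive is HMAC-SHA256 from the standard library.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyRecord:
    key_id: str
    material: Optional[bytes]  # None once destroyed; the record itself stays for audit
    created_at: float          # seconds; caller decides epoch vs monotonic
    state: str                 # "active" | "deprecated" | "revoked" | "destroyed"


class KeyManager:
    def __init__(self, max_age_seconds: float, now: float) -> None:
        self.max_age = max_age_seconds
        self.keys: Dict[str, KeyRecord] = {}
        self.active_id: Optional[str] = None
        self.rotate(now)  # generation: start with one active key

    def rotate(self, now: float) -> str:
        """Generate a fresh 256-bit key; the old active key still verifies but no longer signs."""
        if self.active_id is not None:
            self.keys[self.active_id].state = "deprecated"
        key_id = f"k{len(self.keys) + 1:04d}"
        self.keys[key_id] = KeyRecord(key_id, secrets.token_bytes(32), now, "active")
        self.active_id = key_id
        return key_id

    def needs_rotation(self, now: float) -> bool:
        return now - self.keys[self.active_id].created_at >= self.max_age

    def sign(self, data: bytes, now: float) -> Tuple[str, str]:
        """Return (key_id, tag), rotating first if the active key is past its maximum age."""
        if self.needs_rotation(now):
            self.rotate(now)
        rec = self.keys[self.active_id]
        return rec.key_id, hmac.new(rec.material, data, hashlib.sha256).hexdigest()

    def verify(self, data: bytes, key_id: str, tag: str) -> bool:
        """Only active or deprecated keys verify; revoked and destroyed keys never do."""
        rec = self.keys.get(key_id)
        if rec is None or rec.state not in ("active", "deprecated"):
            return False
        expected = hmac.new(rec.material, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison

    def revoke(self, key_id: str, now: float) -> None:
        """Stop trusting a key immediately (e.g. suspected compromise); rotate if it was active."""
        self.keys[key_id].state = "revoked"
        if key_id == self.active_id:
            self.active_id = None
            self.rotate(now)

    def destroy(self, key_id: str) -> None:
        """Erase the material of a key that is no longer needed; refuse to destroy the active key."""
        rec = self.keys[key_id]
        if rec.state == "active":
            raise ValueError("rotate or revoke before destroying the active key")
        rec.material = None
        rec.state = "destroyed"
```

The deprecated state is what makes rotation operationally safe: data signed under the previous key still verifies during the rollover window, while revocation cuts that window to zero for a key that is suspected to be compromised.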

8.25 Secure development life cycle

What it is (Purpose):

This control requires the establishment and application of rules for the secure development of software and systems. Its purpose is to ensure that information security is embedded throughout the entire development life cycle, thereby reducing vulnerabilities and preventing the introduction of security flaws into operational systems.

How to do it (Implementation Guidance):

Implementation involves integrating security activities into every phase of the software and system development life cycle (SDLC). This includes: defining and documenting secure development principles (referencing 8.27); incorporating security requirements into the design phase (referencing 8.26); applying secure coding principles during development (referencing 8.28); conducting security testing (referencing 8.29) throughout development and before acceptance; and managing changes securely (referencing 8.32). A topic-specific policy on secure development should be established and communicated to all relevant parties. Developers should receive appropriate security awareness and training (referencing 6.3) on secure coding practices and common vulnerabilities. The development environment should be separated from test and production environments (referencing 8.31). Organizations should also manage the security of outsourced development (referencing 8.30) and ensure that test information is appropriately protected (referencing 8.33). Regular reviews of the secure development life cycle process are crucial to ensure its effectiveness and continuous improvement.

How to check it (Verification):

To check this, organizations should regularly audit development processes for adherence to secure development principles. Reviewing security testing results and vulnerability reports from development and acceptance phases is crucial. Assessing developer training records and awareness of secure coding practices provides assurance. Finally, verifying the secure separation of development, test, and production environments is essential.

8.26 Application security requirements

What it is (Purpose):

This control requires identifying, specifying, and approving information security requirements when developing or acquiring applications. Its purpose is to ensure that information security is designed into applications from the outset, preventing the introduction of vulnerabilities and supporting the overall security posture.

How to do it (Implementation Guidance):

Implementation involves integrating security requirements into the application development or acquisition process. This includes: conducting a risk assessment for each application to identify its specific security needs; defining functional and non-functional security requirements (e.g., authentication, authorization, data integrity, logging, error handling, input validation, secure session management); specifying these requirements in design documents, contracts, or statements of work; and obtaining formal approval for these requirements from relevant stakeholders (e.g., information owners, security management). Security requirements should consider: the classification of information processed by the application (referencing 5.12); legal, statutory, regulatory, and contractual requirements (referencing 5.31); the intended use of the application; and potential threats and vulnerabilities. For acquired applications, security requirements should be included in supplier agreements (referencing 5.20). Organizations should also define requirements for secure configuration of applications (referencing 8.9) and secure interfaces with other systems. Regular reviews of application security requirements are crucial to ensure they remain relevant and effective.

How to check it (Verification):

To check this, organizations should regularly review application design documents and contracts for the inclusion and completeness of security requirements. Auditing the implementation of security requirements during development and testing phases is crucial. Conducting security testing (referencing 8.29) specifically against these requirements provides assurance. Finally, verifying that security requirements are approved by relevant stakeholders ensures alignment with business needs.

8.27 Secure system architecture and engineering principles

What it is (Purpose):

This control requires establishing, documenting, maintaining, and applying principles for engineering secure systems to any information system development activities. Its purpose is to ensure that security is built into the fundamental design and architecture of systems, thereby preventing design flaws and enhancing resilience against attacks.

How to do it (Implementation Guidance):

Implementation involves defining a set of secure system architecture and engineering principles that guide all system development and acquisition activities. These principles should be documented, communicated to relevant personnel (e.g., architects, developers, engineers), and regularly reviewed and updated. Common principles include: **Defense-in-Depth** (applying multiple layers of security controls); **Least Privilege** (granting only necessary access); **Secure by Design** (building security from the ground up); **Fail Securely** (systems should fail to a secure state); **Minimizing Attack Surface** (reducing points of vulnerability); **Separation of Concerns** (isolating critical functions); **Simplicity of Design** (reducing complexity to minimize errors); and **Trust but Verify** (assuming no component is fully trustworthy). Organizations should ensure that system architects and engineers receive appropriate training (referencing 6.3) on these principles and their application. Security architecture reviews should be conducted at key stages of the development life cycle (referencing 8.25). Threat modeling should be used to identify and mitigate design-level vulnerabilities. Secure configuration baselines (referencing 8.9) should be developed based on these principles. For outsourced development, these principles should be clearly communicated and enforced through agreements (referencing 8.30).

How to check it (Verification):

To check this, organizations should regularly audit system architecture designs against established secure engineering principles. Reviewing threat models and design review documentation provides insight into security considerations. Assessing the training and awareness of architects and engineers on these principles is crucial. Periodic penetration tests can validate whether design-level vulnerabilities have been effectively mitigated.

8.28 Secure coding

What it is (Purpose):

This control requires applying secure coding principles to software development. Its purpose is to prevent the introduction of security vulnerabilities during the coding phase, thereby reducing the risk of exploitable flaws in applications and systems.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating secure coding guidelines and standards to all developers. These guidelines should cover common vulnerabilities (e.g., OWASP Top 10) and best practices for various programming languages and platforms. Developers should receive regular training (referencing 6.3) on secure coding techniques, input validation, error handling, secure session management, and protection against common attacks (e.g., SQL injection, cross-site scripting). Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools should be integrated into the development pipeline to automatically identify coding flaws. Code reviews should include security checks, ideally by independent reviewers. Libraries and components used in development should be from trusted sources and regularly updated to address known vulnerabilities (referencing 8.8). Organizations should also define rules for access to source code (referencing 8.4) and manage the security of third-party or open-source components. Secure coding practices should be an integral part of the secure development life cycle (referencing 8.25).

How to check it (Verification):

To check this, organizations should regularly review secure coding guidelines and their adherence in code reviews. Auditing SAST/DAST tool reports and tracking remediation of identified coding flaws is crucial. Assessing developer training records and their understanding of secure coding principles provides assurance. Periodic penetration tests can validate the effectiveness of secure coding practices in preventing exploitable vulnerabilities.

8.29 Security testing in development and acceptance

What it is (Purpose):

This control requires defining and implementing security testing processes in the development life cycle. Its purpose is to identify and address security vulnerabilities and weaknesses in software and systems before they are deployed into production, thereby reducing the risk of exploitation.

How to do it (Implementation Guidance):

Implementation involves integrating various types of security testing throughout the development and acceptance phases. This includes: **Static Application Security Testing (SAST)** (analyzing source code for vulnerabilities without executing it); **Dynamic Application Security Testing (DAST)** (testing applications in a running state for vulnerabilities); **Interactive Application Security Testing (IAST)** (combining SAST and DAST elements); **Penetration Testing** (simulating real-world attacks to find exploitable vulnerabilities); and **Vulnerability Scanning** (automated checks for known vulnerabilities). Security testing should be planned and documented, with clear objectives, scope, and methodologies. Test environments should be separate from production (referencing 8.31) and use appropriate test information (referencing 8.33). Identified vulnerabilities must be prioritized based on risk and promptly remediated, with retesting to confirm fixes. Security testing should be performed by competent and authorized personnel, either internal or external. Results of security testing should be reported to relevant stakeholders (e.g., developers, project managers, security management) and integrated into the secure development life cycle (referencing 8.25) and vulnerability management process (referencing 8.8). Regression testing should be performed to ensure that new changes do not introduce new vulnerabilities or reintroduce old ones.

How to check it (Verification):

To check this, organizations should regularly review security testing plans, methodologies, and results. Tracking the remediation status of identified vulnerabilities and verifying retesting is crucial. Auditing the competence and independence of security testers provides assurance. Reviewing incident reports related to vulnerabilities that bypassed testing can help refine testing processes.

8.30 Outsourced development

What it is (Purpose):

This control requires directing, monitoring, and reviewing activities related to outsourced system development. Its purpose is to ensure that information security requirements are met when development is performed by external parties, thereby mitigating risks associated with third-party software development.

How to do it (Implementation Guidance):

Implementation involves extending the organization’s secure development life cycle (referencing 8.25) and application security requirements (referencing 8.26) to outsourced development. This includes: clearly defining information security requirements in contracts and agreements with outsourced developers (referencing 5.20); establishing secure development principles (referencing 8.27) and secure coding guidelines (referencing 8.28) that outsourced developers must follow; requiring security testing (referencing 8.29) to be performed by the outsourced party or independently by the organization; and ensuring secure access to source code and development environments (referencing 8.4, 8.31). Organizations should regularly monitor the outsourced development process for compliance with security requirements, potentially through audits, code reviews, and progress meetings. Communication channels for security incidents and vulnerabilities must be established. The organization should retain ownership of intellectual property rights (referencing 5.32) and ensure that test information is appropriately protected (referencing 8.33). Measures for secure delivery of software and systems from the outsourced party are also crucial, including verification of integrity and authenticity. Finally, a clear exit strategy for outsourced development should be defined.

How to check it (Verification):

To check this, organizations should regularly review contracts with outsourced developers for comprehensive security clauses. Auditing the outsourced development process for adherence to secure development principles and testing requirements is crucial. Reviewing security testing reports from the outsourced party and conducting independent security tests provides assurance. Verifying secure delivery mechanisms for developed software is also essential.

8.31 Separation of development, test and production environments

What it is (Purpose):

This control requires separating and securing development, testing, and production environments. Its purpose is to reduce the risk of unauthorized access or changes to operational systems and data, and to prevent the introduction of errors or vulnerabilities from development or test activities into the production environment.

How to do it (Implementation Guidance):

Implementation involves establishing physical and/or logical separation between development, test, and production environments. This separation should be enforced through network segregation (referencing 8.22), access controls (referencing 8.3), and distinct user identities and authentication mechanisms (referencing 5.16, 8.5). Data from the production environment should not be used in development or test environments unless it is appropriately masked (referencing 8.11) or anonymized to protect sensitive information. Access to each environment should be strictly controlled and granted only on a "need-to-use" basis, with privileged access rights (referencing 8.2) carefully managed. Changes to software and systems must follow a formal change management process (referencing 8.32) that includes testing in a non-production environment before deployment to production. Logging (referencing 8.15) and monitoring (referencing 8.16) should be implemented for all activities within each environment. Organizations should also ensure that development tools and software libraries are not installed or used in production environments. Regular audits of environment separation and access controls are crucial.

How to check it (Verification):

To check this, organizations should regularly audit network configurations and access controls between environments. Reviewing data masking implementations for test data is crucial. Auditing change management records ensures that changes are properly tested before production deployment. Periodic penetration tests targeting cross-environment access can identify weaknesses.

8.32 Change management

What it is (Purpose):

This control mandates that changes to information processing facilities and information systems are subjected to change management procedures. Its purpose is to ensure that changes are introduced in a controlled manner, minimizing risks to confidentiality, integrity, and availability, and preventing unintended disruptions or security vulnerabilities.

How to do it (Implementation Guidance):

Implementation involves establishing and communicating a topic-specific policy on change management. All changes to information processing facilities (e.g., hardware, software, network devices, operating systems, applications) and information systems must follow a formal change management process. This process should include: **request for change** (documenting the proposed change, its justification, and potential impact); **impact assessment** (evaluating security implications, dependencies, and risks); **approval** (obtaining authorization from relevant stakeholders, including security management and asset owners); **planning** (developing a detailed implementation plan, including rollback procedures); **testing** (conducting thorough testing in a non-production environment, referencing 8.31, to ensure functionality and security); **implementation** (executing the change according to the plan); and **review** (verifying successful implementation and assessing any unforeseen impacts). All change activities should be logged (referencing 8.15) and monitored (referencing 8.16). Emergency changes should have a streamlined but documented process, with post-implementation review and approval. Organizations should also manage changes to configurations (referencing 8.9) and software installations (referencing 8.19) through this process. User awareness and training (referencing 6.3) on change management procedures are important.

How to check it (Verification):

To check this, organizations should regularly audit change management records for completeness, authorization, and adherence to procedures. Reviewing incident reports related to unauthorized or failed changes can highlight weaknesses. Periodic testing of rollback procedures and assessing the effectiveness of impact assessments provides assurance. Compliance with legal and regulatory requirements for change management should also be verified.

8.33 Test information

What it is (Purpose):

This control requires appropriately selecting, protecting, and managing test information. Its purpose is to ensure the security and privacy of sensitive data when used in testing environments, preventing unauthorized disclosure or misuse during development and testing activities.

How to do it (Implementation Guidance):

Implementation involves establishing a topic-specific policy on test information management. Real production data should not be used for testing unless absolutely necessary and with explicit authorization, and only after appropriate data masking (referencing 8.11) or anonymization techniques have been applied to protect sensitive information (e.g., PII). If production data must be used, it should be done in a secure, isolated test environment (referencing 8.31) with strict access controls (referencing 8.3). Synthetic or dummy data should be preferred for testing whenever possible. Test information should be protected with the same level of security controls as production data, commensurate with its classification (referencing 5.12). Access to test environments and test data should be restricted to authorized personnel (e.g., developers, testers) on a "need-to-use" basis, with privileged access rights (referencing 8.2) carefully managed. Procedures for the secure creation, storage, use, and disposal (referencing 8.10) of test information must be documented and followed. All activities involving test information should be logged (referencing 8.15) and monitored (referencing 8.16). Organizations should also ensure that test information does not inadvertently migrate to production environments.

How to check it (Verification):

To check this, organizations should regularly audit test environments for the presence of unmasked production data. Reviewing data masking implementations and their effectiveness is crucial. Auditing access logs for test environments provides oversight. Periodic checks of test data disposal procedures ensure sensitive information is not retained longer than necessary.
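
Both 8.31 and 8.33 rely on production data being masked before it reaches a test environment, and 8.33's verification asks for audits that catch unmasked production data there. The script below is an added example, not code from the page or from ISO 27002: it masks a constructed set of customer records (keyed pseudonyms for names and e-mail addresses, truncated card numbers, dates of birth reduced to the year) and then checks a test dataset for any raw production value that survived. The field names, the masking secret and the reserved `example.test` domain are assumptions for the example.

```python
"""Mask production records for use as test information (ISO 27002 8.33, also 8.31).

Added example, not code from the page. PRODUCTION_ROWS and MASKING_SECRET are
constructed; masking is deterministic (keyed HMAC) so joins between tables
still work in the test environment.
"""
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

# Constructed masking secret; in practice it is managed like any other key (8.24)
MASKING_SECRET = b"constructed-secret-do-not-reuse"

SENSITIVE_FIELDS: Tuple[str, ...] = ("name", "email", "card_number", "dob")

# Constructed "production" rows; row 3 repeats the customer in row 1
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"id": "1", "name": "Ada Example", "email": "ada@corp.example",
     "card_number": "4111 1111 1111 1111", "dob": "1985-03-14", "plan": "gold"},
    {"id": "2", "name": "Bob Sample", "email": "bob@corp.example",
     "card_number": "5500 0000 0000 0004", "dob": "1990-11-02", "plan": "basic"},
    {"id": "3", "name": "Ada Example", "email": "ada@corp.example",
     "card_number": "4111 1111 1111 1111", "dob": "1985-03-14", "plan": "gold"},
]


def pseudonym(value: str, secret: bytes, prefix: str) -> str:
    """Deterministic, non-reversible token: same input -> same token, so referential integrity survives."""
    digest = hmac.new(secret, value.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{prefix}_{digest}"


def mask_email(email: str, secret: bytes) -> str:
    local, _, _ = email.partition("@")
    return f"{pseudonym(local, secret, 'user')}@example.test"  # reserved test TLD, never deliverable


def mask_card(pan: str) -> str:
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four for support workflows


def mask_dob(dob: str) -> str:
    return dob[:4] + "-01-01"  # keep the year for age-dependent logic, drop the exact date


def mask_record(row: Dict[str, str], secret: bytes = MASKING_SECRET) -> Dict[str, str]:
    masked = dict(row)  # non-sensitive fields (id, plan) pass through unchanged
    masked["name"] = pseudonym(row["name"], secret, "person")
    masked["email"] = mask_email(row["email"], secret)
    masked["card_number"] = mask_card(row["card_number"])
    masked["dob"] = mask_dob(row["dob"])
    return masked


def mask_dataset(rows: List[Dict[str, str]], secret: bytes = MASKING_SECRET) -> List[Dict[str, str]]:
    return [mask_record(r, secret) for r in rows]


def find_unmasked_values(test_rows: List[Dict[str, str]], production_rows: List[Dict[str, str]],
                         fields: Tuple[str, ...] = SENSITIVE_FIELDS) -> Set[str]:
    """Sensitive production values that appear verbatim in any field of the test rows."""
    production_values = {r[f] for r in production_rows for f in fields}
    test_values = {v for r in test_rows for v in r.values()}
    return production_values & test_values


if __name__ == "__main__":
    for row in mask_dataset(PRODUCTION_ROWS):
        print(row)
```

The leak check compares against every field of the test rows, not just the sensitive columns, because production values tend to resurface in free-text notes or mis-mapped columns rather than in the fields the masking job knew about.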

8.34 Protection of information systems during audit testing

What it is (Purpose):

This control requires planning and agreeing on audit tests and other assurance activities involving assessment of operational systems between the tester and appropriate management. Its purpose is to minimize the risk of disruption, damage, or compromise to operational information systems and data during security audit and testing activities.

How to do it (Implementation Guidance):

Implementation involves establishing a formal process for managing security audit tests on operational systems. This process should include: **clear scope definition** (what systems, networks, applications are in scope); **pre-test planning** (agreeing on timing, duration, methodology, and tools to be used); **risk assessment** (identifying potential impacts on system availability, integrity, and confidentiality); **authorization** (obtaining formal approval from relevant management and asset owners); **communication** (notifying relevant personnel, including system administrators and incident response teams); **monitoring** (closely observing systems during testing for any adverse effects, referencing 8.16); and **post-test review** (analyzing test results and any incidents that occurred). Testers should be competent and authorized, and their activities should be logged (referencing 8.15). Test accounts should be created with minimum necessary privileges and removed immediately after testing. Test information (referencing 8.33) should be appropriately protected. Organizations should consider conducting audit tests in isolated environments where feasible, or during off-peak hours to minimize disruption. Any identified vulnerabilities should be managed through the technical vulnerability management process (referencing 8.8) and change management (referencing 8.32).

How to check it (Verification):

To check this, organizations should regularly review audit test plans and authorization records. Auditing logs generated during testing for any unauthorized activities or system anomalies is crucial. Reviewing post-test reports and incident reports related to testing activities provides insight into potential risks. Verifying that test accounts are promptly removed and that identified vulnerabilities are remediated ensures ongoing security.

27002:2022 Controls Overview. For educational purposes only.
