ISO-Toolkit
ISO 27001/27002 Dependency Explorer
Click a control to view real-world implementation metrics and trace its security dependencies.
Select a control from the menu to view its matrix.
Click on any control tile in the periodic table below to explore its details.
ISO 27002 Dependency Web
Zoom, drag, and click on any node to explore its dependencies. Arrows indicate the "Domino Effect" (Control A feeds into Control B).
Organisational
People
Physical
Technological
Interact with the web above. Select a node to view its details.
The Ultimate ISO 27001 & 27002 Toolkit Guide
Building a robust Information Security Management System (ISMS) shouldn't mean drowning your organization in corporate bureaucracy. This comprehensive framework is optimized for modern, cloud-native environments—specifically tailored for G1454tech, a fast-growing UK tech company with 100 employees specializing in banking/insurance product development and information technology services.
Note on Document Mapping: This toolkit serves as an interactive blueprint. Organizations can directly map these real-world audit expectations against internal control registries, such as the INFOSEC-Docz master file, to verify policy compliance before an external assessment.
Part 1: Step-by-Step ISO 27001/2022 Implementation Roadmap
For a 100-person team operating under UK GDPR and stringent fintech/insurance delivery mandates, an agile implementation flow ensures security scales alongside production code lines.
Step 1: Secure Leadership & Define Scope
Obtain explicit governance and resource sign-off from executive leadership. For G1454tech, the operational scope must encompass the entire organization, covering cloud-native multi-tenant infrastructures (AWS/Azure/GCP), distributed SaaS integrations (Okta, GitHub, Jira), and a hybrid UK workforce.
Step 2: Establish the ISMS Governance Framework
Appoint an Information Security Officer (or delegate responsibility to a vCISO / Head of DevOps) and form a cross-functional Security Committee meeting quarterly. Auditors want to verify that security metrics are actively reviewed by management, rather than treated as a checklist asset.
Step 3: Asset Identification & Risk Assessment
Map core operational components: source code, customer financial ledgers, cloud data storage systems, and staff endpoints. Evaluate threats (such as API vulnerabilities, ransomware vectors, or configuration drifts) using a standardized Likelihood × Impact calculation aligned with financial risks.
Step 4: Formalize the Statement of Applicability (SoA)
Evaluate all 93 controls from Annex A of ISO 27001:2022. Explicitly document which provisions apply to the G1454tech environment, providing clear technical or operational rationale for any exclusions.
Step 5: Control Deployment & Policy Enforcement
Draft modern, clear operational policies that staff will actively read and follow. Simultaneously enforce technical guardrails: provision centralized single sign-on authentication, establish automated configuration testing, and deploy managed endpoint monitoring across all systems.
Step 6: Internal Audit & Management Review
Execute an objective, comprehensive internal evaluation. Have an independent, trained internal resource or external specialist cross-reference system states against your policies.
Part 2: Real-World Audit & Evidence Matrix (All 93 Controls)
External compliance inspectors do not merely accept verbal confirmations; they demand verifiable, objective data points. Below is the complete matrix mapped to the four core themes of the updated ISO 27001:2022 standard.
1. Organisational Controls (A.5.1 – A.5.37)
| Control ID & Name | What the Auditor Checks | Primary Evidence (Fintech Standard) | Alternative Evidence |
|---|---|---|---|
| A.5.1 Policies for InfoSec | Regular review and management approval of fintech security policies. | Git commit history or compliance platform showing annual board approval of ISMS policies. | Minutes from Executive Risk Committee meetings detailing policy reviews. |
| A.5.2 InfoSec Roles & Responsibilities | Clear allocation of security duties across the 100-person team. | Organizational chart detailing the AppSec, DevOps, and Compliance functions alongside RACI matrices. | Job descriptions signed by employees explicitly defining security responsibilities. |
| A.5.3 Segregation of Duties | Prevention of fraud (e.g., a developer cannot approve their own code). | CI/CD pipeline configuration files enforcing a minimum of two separate approvers. | Signed peer-review logs in Jira tickets or manual PR approvals. |
| A.5.4 Management Responsibilities | Executive leadership actively drives security culture. | Documented quarterly management reviews discussing internal audit results. | Emails or Slack announcements from the C-suite detailing company-wide security mandates. |
| A.5.5 Contact with Authorities | Established channels with UK authorities (FCA, ICO) in case of a breach. | A dedicated Incident Response Plan containing up-to-date contact information for the ICO. | Documented communications or registration confirmations with the Information Commissioner's Office. |
| A.5.6 Contact with Special Interest Groups | Engagement with security forums or financial threat intelligence. | Proof of corporate membership or active threat feed subscriptions (e.g., FS-ISAC, OWASP). | Event registration receipts for security briefings. |
| A.5.7 Threat Intelligence | Collection and analysis of threat data relevant to banking software. | Automated ingestion of threat feeds into a SIEM with configured alerting rules. | Weekly manual reviews of security advisories documented by the infrastructure team. |
| A.5.8 InfoSec in Project Management | Security is baked into software development and project planning. | Architecture design review checklists completed during the project kickoff phase in Jira. | Minutes from project planning sessions detailing security requirements. |
| A.5.9 Inventory of Information & Assets | Identification of all data assets, software components, and repositories. | An automated asset discovery tool or live inventory system tracking cloud infrastructure. | A manually maintained, version-controlled spreadsheet identifying asset owners. |
| A.5.10 Acceptable Use of Assets | Employees understand rules regarding company laptops and code use. | A signed Acceptable Use Policy (AUP) from all 100 employees during onboarding. | Digital read-receipts within an HR system verifying policy acknowledgment. |
| A.5.11 Return of Assets | Terminated employees return hardware and access tokens promptly. | Offboarding checklists demonstrating the return of laptops before final payroll. | Courier tracking receipts showing hardware return alongside signed offboarding confirmations. |
| A.5.12 Classification of Information | Financial data and PII are properly labeled (Restricted, Confidential). | Data tagging schemes implemented inside cloud databases and storage buckets. | Documented data handling guidelines mapped to specific data types with training logs. |
| A.5.13 Labelling of Information | Clear indicators on sensitive assets or systems. | Automated metadata tagging or physical watermarks applied to financial reports. | Manual classification headers included in document templates. |
| A.5.14 Information Transfer | Secure transmission of banking/insurance data to external parties. | Configuration logs of enforced TLS 1.3, SFTP, or encrypted API endpoints. | Documented manual encryption procedures (e.g., PGP keys) used for specific ad-hoc transfers. |
| A.5.15 Access Control | Enforced "least privilege" access to insurance/banking cores. | Live configurations in your Identity Provider (IdP) mapping roles to specific needs. | Signed access request forms manually reviewed and approved by system owners. |
| A.5.16 Identity Management | Unique identification of all 100 employees across systems. | User directories showing individual corporate identities with no shared accounts. | HR onboarding records tying specific, unique employee IDs to created system handles. |
| A.5.17 Authentication Information | Secure handling of passwords, secrets, and MFA. | Multi-Factor Authentication (MFA) enforcement policies enabled globally. | Configuration screenshots of password complexity settings and session timeout lengths. |
| A.5.18 Access Rights | Regular review of user permissions. | Quarterly access review logs demonstrating that revoked roles were reconciled against HR data. | Email verification chains from department heads confirming current user access lists. |
| A.5.19 InfoSec in Supplier Relationships | Security requirements for cloud providers, contractors, and SaaS vendors. | Signed Data Processing Agreements (DPAs) and vendor security questionnaires. | Publicly available security whitepapers and SOC 2 reports collected from suppliers. |
| A.5.20 Addressing Supplier Security | Enforcement of security standards throughout the contract lifecycle. | Standard security clauses embedded within Master Services Agreements (MSAs). | Addendums explicitly addressing data protection and incident reporting constraints. |
| A.5.21 ICT Supply Chain Security | Mitigating risks in open-source libraries or third-party code. | Automated Software Bill of Materials (SBOM) generation and vulnerability scanning. | Periodic manual reviews of open-source software licenses and security advisories. |
| A.5.22 Monitoring & Review of Supplier Services | Active tracking of critical vendor performance and compliance status. | Annual collection and formal review logs of critical suppliers' ISO 27001 certificates. | Documented performance reviews or SLA monitoring dashboards for hosted cloud environments. |
| A.5.23 Cloud Services Security | Secure management of cloud workloads and components. | Cloud Security Posture Management (CSPM) reports showing alignment with benchmarks. | Manual configuration review checklists executed monthly against the cloud console settings. |
| A.5.24 Incident Management Planning | Readiness to handle financial data breaches or downtime. | A formal Incident Response Plan detailing specific steps for ransomware and data leakage. | Step-by-step runbooks for high-probability incidents utilized by the engineering on-call. |
| A.5.25 Assessment of Security Incidents | Proper categorization and escalation of anomalies. | Triage logs within a ticketing system showing how alerts were investigated. | Post-mortem reports or incident logs documenting the initial discovery. |
| A.5.26 Response to Security Incidents | Swift containment and mitigation of breaches. | Completed incident timelines showing root cause analysis and containment actions. | Communication templates and internal logs from historic tabletop simulation exercises. |
| A.5.27 Learning from InfoSec Incidents | Corrective actions taken to prevent repeat events. | Action items assigned in project management tools tracking infrastructure changes post-incident. | Updated policies or modified architectural designs resulting directly from incident reviews. |
| A.5.28 Collection of Evidence | Forensic readiness during an investigation. | Immutable log storage configurations capturing audit logs. | Chain-of-custody documentation templates and standardized procedures for system imaging. |
| A.5.29 InfoSec during Disruption | Business Continuity (BC) and Disaster Recovery (DR) for software services. | Business Impact Analysis (BIA) documentation outlining Recovery Time Objectives (RTO). | Operational playbooks detailing manual fallback processes during provider outages. |
| A.5.30 ICT Readiness for Business Continuity | Redundancy and resilience of tech infrastructure. | Automated cross-region cloud backups and live failover configuration testing logs. | Manual database restoration drill logs performed and documented within the last calendar year. |
| A.5.31 Legal, Statutory, & Regulatory Requirements | Compliance with UK GDPR, DPA 2018, and relevant financial regulations. | A legal registry identifying compliance obligations alongside documentation of protection impacts. | Legal council verification letters addressing specific statutory frameworks. |
| A.5.32 Intellectual Property Rights | Protection of proprietary software code and algorithms. | Software licensing agreements, copyright notices, and signed invention assignments. | Code repository visibility settings restricting access to verified corporate identities. |
| A.5.33 Protection of Records | Secure retention of audit trails and corporate records. | Enforced retention policies adhering to financial regulatory timelines. | Backup configuration rules demonstrating archived records cannot be deleted prematurely. |
| A.5.34 Privacy & Protection of PII | Specific controls protecting customer banking/insurance information. | External-facing Privacy Policy matched with internal data mapping diagrams. | Appointment records of a Data Protection Officer (DPO) or designated privacy lead. |
| A.5.35 Independent Review of InfoSec | Third-party validation of the ISMS. | Formal report and action plan from an independent external ISO 27001 pre-assessment. | Comprehensive gap analysis report delivered by a qualified cyber security consultancy. |
| A.5.36 Compliance with Policies | Ensuring staff and systems follow internal rules. | Automated compliance scoring from endpoint tools demonstrating policy adherence. | Regular managerial review checklists confirming departmental compliance. |
| A.5.37 Documented Operating Procedures | Clear execution rules for IT and security tasks. | System documentation, infrastructure-as-code deployment playbooks, and user guides. | Inline code commenting and readmes within operational repositories. |
2. People Controls (A.6.1 – A.6.8)
| Control ID & Name | What the Auditor Checks | Primary Evidence (Fintech Standard) | Alternative Evidence |
|---|---|---|---|
| A.6.1 Screening | Verifying background authenticity before handling sensitive data. | Background check certificates (identity, right to work in the UK, criminal checks). | HR verification records documenting receipt of verified reference letters. |
| A.6.2 Terms & Conditions of Employment | Contractual obligations for information security. | Signed employment contracts containing explicit confidentiality clauses. | Signed standalone Non-Disclosure Agreements (NDAs) preserved in HR profiles. |
| A.6.3 InfoSec Awareness, Education, & Training | Continuous education on social engineering and data protection. | Automated training dashboard statistics showing complete course participation. | Attendance sheets and training materials from live-led security onboarding seminars. |
| A.6.4 Disciplinary Process | Clear consequences for policy violations. | An employee handbook detailing the formal disciplinary framework for infractions. | Documented HR processes outlining escalation tracks for internal policy breaches. |
| A.6.5 Responsibilities after Termination | Ongoing security obligations post-employment. | Signed exit interview forms reminding departing staff of active confidentiality obligations. | Termination notices containing clear callouts regarding ongoing legal data responsibilities. |
| A.6.6 Confidentiality or Non-Disclosure Agreements | Protecting proprietary designs and transactional flows. | Centralized repository tracking signed corporate NDAs for all active clients and vendors. | Master contract clauses establishing mutual confidentiality frameworks. |
| A.6.7 Remote Working | Safe execution of tasks across hybrid/distributed UK teams. | Enforced MDM profiles requiring full disk encryption and secure connection validation. | Signed Remote Work Agreements detailing home-network security criteria. |
| A.6.8 InfoSec Event Reporting | Channels for staff to call out suspected anomalies or phishes. | A functional phish-reporting mechanism with automated ticket generation. | Logged entries in an internal helpdesk platform tracking user-submitted observations. |
3. Physical Controls (A.7.1 – A.7.14)
| Control ID & Name | What the Auditor Checks | Primary Evidence (Fintech Standard) | Alternative Evidence |
|---|---|---|---|
| A.7.1 Physical Security Perimeters | Defined boundaries protecting corporate environments. | Architectural layouts isolating corporate suites from shared building spaces. | Property management lease agreements outlining landlord-managed physical barriers. |
| A.7.2 Physical Entry | Restricting access to authorized personnel only. | Digital access badge tracking reports showing precise entry details. | Physical visitor sign-in sheets verifying escorted visitor entries. |
| A.7.3 Securing Offices, Rooms, & Facilities | Deadbolts, locks, and internal protections for sensitive zones. | Electronic lock configurations or key control logs limiting entry. | Managerial inspections documenting physical integrity checks of doors and locks. |
| A.7.4 Physical Security Monitoring | Surveillance of access boundaries. | Active CCTV system operation logs and device placement charts. | Guard patrol logs and physical security inspection records. |
| A.7.5 Protecting against Physical & Environmental Threats | Fire, flood, and power disruption defenses. | Installed and maintained smoke detection and environmental monitoring equipment. | Landlord building certifications confirming infrastructure compliance. |
| A.7.6 Security for Working in Secured Areas | Rules for personnel operating in sensitive zones. | Operational policies prohibiting photography or unescorted third parties. | On-site signs and orientation briefings documenting internal behavioral rules. |
| A.7.7 Clear Desk & Clear Screen | Mitigating shoulder surfing and document exposure. | Enforced global configuration policies ensuring automated screen lock initiation. | Documented office sweep logs showing compliance audits executed outside hours. |
| A.7.8 Equipment Siting & Protection | Reducing visibility and exposure of screens and hardware. | Office floorplans showing employee workstation placement away from windows. | Privacy filter screens physically mounted to monitors in higher-traffic segments. |
| A.7.9 Security of Assets Off-Premises | Guarding laptops and hardware during travel or remote work. | Device inventory tracking coupled with strict policy requirements for supervision. | Signed asset custody receipts documenting employee responsibility. |
| A.7.10 Storage Media | Controlling USBs, external drives, and physical media. | MDM technical profiles completely disabling reading/writing access to unencrypted media. | Signed policy statements from engineering leadership restricting data preservation. |
| A.7.11 Supporting Utilities | Uninterrupted power and network connectivity for core offices. | Maintenance agreements and test records for backup power systems. | Building management service letters confirming secondary infrastructure support. |
| A.7.12 Cabling Security | Protecting network loops from interception or damage. | Physical conduits shielding critical infrastructure cables within corporate structures. | Locked access panels to telecommunications routing points verified via key controls. |
| A.7.13 Equipment Maintenance | Hardware is serviced to prevent downtime and vulnerability. | Maintenance schedules and manufacturer inspection receipts for core firewalls. | Internal ticket history tracking operational checks and routine replacements. |
| A.7.14 Secure Disposal or Reuse of Equipment | Sanitizing laptops before offboarding or recycling. | Cryptographic erasure logs or destruction certifications from certified vendors. | Automated disk sanitization script outputs verified by internal teams before recycling. |
4. Technological Controls (A.8.1 – A.8.34)
| Control ID & Name | What the Auditor Checks | Primary Evidence (Fintech Standard) | Alternative Evidence |
|---|---|---|---|
| A.8.1 User Endpoint Devices | Hardening and management of the 100 staff laptops. | MDM profile status pages verifying complete encryption enforcement and active EDR. | Live visual sampling of randomly selected endpoint configuration statuses. |
| A.8.2 Privileged Access Rights | Controlling high-level administrative system tokens. | IAM rule setups validating that admin rights require distinct approval flows. | Signed operational access logs detailing manual tracking of temporary privileges. |
| A.8.3 Information Access Restriction | Isolating source code and financial ledgers based on role. | Repository rule configurations limiting branch permissions exclusively to developers. | Active group management listings showing precise access parameters. |
| A.8.4 Access to Source Code | Protecting the core banking/insurance intellectual property. | Access control listings within git platforms demonstrating code access requires MFA. | Audit trails from version control systems tracking changes to visibility profiles. |
| A.8.5 Secure Authentication | Strong authentication mechanics across company services. | Enforced configurations establishing password length paired with mandatory MFA. | Platform policy profiles proving integration with corporate Single Sign-On (SSO). |
| A.8.6 Capacity Management | Infrastructure scales cleanly to prevent processing outages. | Automated monitoring suite alerts notifying engineering prior to resource exhaustion. | Quarterly performance review documentation analyzing infrastructure load projections. |
| A.8.7 Protection against Malware | Antivirus, EDR, and mail filtering systems. | Centralized dashboards showing active malware definitions on 100% of hardware. | Quarantine logs and automated warning notification configurations from mail providers. |
| A.8.8 Management of Technical Vulnerabilities | Patching schedules and security scanning. | Scans identifying vulnerabilities paired with records proving mitigation within SLAs. | Documented patch deployment tracking outputs pulled directly from orchestrators. |
| A.8.9 Configuration Management | Ensuring cloud infrastructure stays hardened and secure. | Infrastructure-as-Code version history tracking configuration changes. | Monthly baseline verification report outputs from automated scanning applications. |
| A.8.10 Information Deletion | Ensuring financial records or PII can be safely purged. | Database execution logs verifying the complete purging of consumer histories. | Software system logic models outlining automated database archiving and clean deletion. |
| A.8.11 Data Masking | Obscuring real customer cards/PII in non-production environments. | Automated obfuscation pipeline rules stripping authentic financial detail records. | Configuration properties showing development platforms call anonymized synthetic records. |
| A.8.12 Data Leakage Prevention | Stopping corporate data from leaving the boundary. | Operational rule profiles blocking bulk transfers of customer information lists. | Network log auditing patterns evaluating anomalous egress trends. |
| A.8.13 Information Backup | Resilience against loss or corruption. | Automated schedule configurations producing encrypted backups separated across accounts. | Documented execution outcomes from periodic, comprehensive snapshot recovery tests. |
| A.8.14 Redundancy of Info Processing Facilities | High availability for production apps. | Multi-availability zone architectural designs paired with active load balancing. | Live failover execution assessments verifying continuous application delivery. |
| A.8.15 Logging | Capturing user and system events for forensics. | Log aggregation architecture storing immutable application and access event records. | Configuration parameters validating target systems funnel events directly to central indexes. |
| A.8.16 Monitoring Activities | Active analysis of logs for malicious behavior. | SIEM configuration profiles utilizing automated alert profiles to parse event records. | Documented analyst triage reviews evaluating generated infrastructure alert indicators. |
| A.8.17 Clock Synchronization | Ensuring accurate timestamps across logs for audit trails. | Network Time Protocol (NTP) settings applied uniformly across cloud nodes. | System configuration verification tracking time synchronization metrics. |
| A.8.18 Use of Privileged Utility Programs | Restricting overrides or direct DB editors. | Access logs demonstrating that emergency system tools require distinct authorization. | Strict endpoint block rules preventing the unauthorized execution of diagnostic tools. |
| A.8.19 Installation of Software on Operational Systems | Staff can't download untrusted apps onto work laptops. | MDM restriction profiles completely blocking software outside white-listed applications. | Local account profile rules verifying that regular users lack admin setup permissions. |
| A.8.20 Network Security | Firewalls, VPCs, and network zoning. | Cloud network access control list (NACL) configurations isolating database nodes. | Architectural network maps proving isolation boundaries exist between public and private data. |
| A.8.21 Security of Network Services | Safe configuration of connections (VPNs, DNSSEC). | Service contracts and security setting outputs validating secure encrypted transit channels. | Configuration panels confirming the deployment of modern domain transport security. |
| A.8.22 Network Segregation | Splitting production from testing and internal corporate networks. | VPC route setups proving development and production spaces occupy separate networks. | IAM security policy bounds rendering cross-environment asset access structurally impossible. |
| A.8.23 Web Filtering | Guarding staff from malicious sites. | DNS-level filtration parameters or endpoint protective rules blocking dangerous domains. | Centralized monitoring summaries highlighting intercepted domain access attempts. |
| A.8.24 Use of Cryptography | Enforcing strong algorithms (AES-256, RSA). | Architectural documentation and code configurations proving data encryption in transit and at rest. | Database properties verifying key storage tables leverage cryptographic mechanisms. |
| A.8.25 Secure Development Lifecycle | Security checkpoints throughout coding. | Documented engineering procedures explicitly integrating threat assessment. | System design files verifying security requirements are tracked alongside functional targets. |
| A.8.26 Application Security Requirements | Front-end and back-end security specs. | Architectural scoping files mapping application defenses against OWASP Top 10 vulnerabilities. | Automated application layer test scripts verifying security functionality prior to release. |
| A.8.27 Secure System Architecture & Engineering Principles | Defense-in-depth design. | Technical blueprint records detailing tiered isolation models separating processing and data tiers. | Peer architectural validation records proving systemic evaluation of environment design. |
| A.8.28 Secure Coding | Developers use safe coding practices. | Static Application Security Testing (SAST) tool integrations inside pipelines. | Completed secure engineering code assessment training certificates achieved across staff. |
| A.8.29 Security Testing in Development | Code is tested before it hits customers. | Pipeline log outputs proving automated dynamic analysis execution. | Comprehensive third-party application penetration assessment report tracking. |
| A.8.30 Outsourced Development | Monitoring external contractors or agencies writing code. | Contractual code review requirements paired with mandatory pipeline validation scans. | Manual repository evaluation records documenting audit reviews of contributed code. |
| A.8.31 Separation of Dev, Test, & Production Environments | No testing in production. | Unique account access structures preventing testing configurations referencing production nodes. | Distinct deployment pipeline destinations proving physical partition of components. |
| A.8.32 Change Management | Reviewing changes before they break things or introduce bugs. | Documented change tickets requiring peer validation, safety assessment, and roll-back plans. | Automated repository merge tracking history validating multi-party authorization. |
| A.8.33 Test Information | Avoiding real banking data in QA/testing environments. | Automated obfuscation utility configurations rendering test profiles entirely free from valid consumer data. | Formal signed development declarations affirming compliance with test environment limits. |
| A.8.34 Protection of Information Systems during Audit Testing | Auditors don't disrupt live banking apps. | Scoping documents defining distinct audit testing bounds to prevent interference with live engines. | Scheduled execution matrices detailing system assessments occur outside core windows. |
Part 3: Real-World Metrics & KPIs Matrix (All 93 Controls)
An ISMS is only effective if it can be measured. External auditors look for evidence that you are continuously monitoring your security posture. Below are practical Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for all 93 controls of ISO 27001:2022, designed for a modern tech and fintech development environment.
Dashboard Integration Tip: To automate evidence gathering, map the "Target Thresholds" below into your live security visualization dashboards. Setting up automated alerts when a metric falls below the target saves hundreds of hours during the internal audit phase.
1. Organisational Controls Metrics (A.5.1 – A.5.37)
| Control ID & Name | Recommended Metric (KPI / KRI) | Frequency | Target Threshold |
|---|---|---|---|
| A.5.1 Policies for InfoSec | Percentage of ISMS policies reviewed and approved by management. | Annually | 100% |
| A.5.2 InfoSec Roles & Responsibilities | Percentage of employees with documented/signed security responsibilities. | Quarterly | 100% |
| A.5.3 Segregation of Duties | Number of unauthorized bypasses detected in CI/CD pipeline approvals. | Monthly | 0 Incidents |
| A.5.4 Management Responsibilities | Attendance rate of executive leadership at ISMS Management Review meetings. | Annually | 100% |
| A.5.5 Contact with Authorities | Time taken to notify the ICO/FCA following a verified reportable breach. | Per Incident | < 72 Hours |
| A.5.6 Contact with Special Interest Groups | Number of active engagements/subscriptions with threat intel groups (e.g., CISP). | Annually | ≥ 2 Sources |
| A.5.7 Threat Intelligence | Percentage of actionable threat alerts ingested into the SIEM successfully parsed. | Monthly | > 98% |
| A.5.8 InfoSec in Project Management | Percentage of new software projects completing a security architecture review. | Monthly | 100% |
| A.5.9 Inventory of Information & Assets | Discrepancy rate between automated cloud discovery tools and the manual asset register. | Quarterly | < 5% Variance |
| A.5.10 Acceptable Use of Assets | Percentage of active staff who have digitally signed the Acceptable Use Policy. | Quarterly | 100% |
| A.5.11 Return of Assets | Percentage of hardware assets successfully recovered within 14 days of termination. | Monthly | 100% |
| A.5.12 Classification of Information | Percentage of cloud storage buckets (S3/Azure) without classification metadata tags. | Weekly | 0% (None) |
| A.5.13 Labelling of Information | Number of internally audited documents missing mandatory classification headers. | Quarterly | < 2% |
| A.5.14 Information Transfer | Percentage of B2B data transfer endpoints successfully enforcing TLS 1.2+. | Monthly | 100% |
| A.5.15 Access Control | Number of access grants bypassing formal Jira/ITSM approval workflows. | Monthly | 0 Incidents |
| A.5.16 Identity Management | Number of active, generic, or shared administrative accounts detected. | Weekly | 0 Accounts |
| A.5.17 Authentication Information | Percentage of corporate accounts actively enforcing MFA across the identity provider. | Daily | 100% |
| A.5.18 Access Rights | Percentage of user access rights formally reviewed by department heads. | Quarterly | 100% |
| A.5.19 InfoSec in Supplier Relationships | Percentage of critical vendors with an active, valid SOC 2 or ISO 27001 certificate on file. | Annually | 100% |
| A.5.20 Addressing Supplier Security | Percentage of signed Master Services Agreements containing mandatory data protection clauses. | Quarterly | 100% |
| A.5.21 ICT Supply Chain Security | Number of critical vulnerabilities identified in third-party/open-source libraries post-deployment. | Monthly | 0 Criticals |
| A.5.22 Monitoring & Review of Supplier Services | Number of SLA breaches by Tier 1 cloud service providers impacting availability. | Monthly | 0 Breaches |
| A.5.23 Cloud Services Security | Cloud Security Posture Management (CSPM) compliance score against CIS benchmarks. | Weekly | > 95% Score |
| A.5.24 Incident Management Planning | Number of tabletop incident simulation exercises conducted per year. | Annually | ≥ 1 Exercise |
| A.5.25 Assessment of Security Incidents | Mean Time to Detect (MTTD) anomalous behavior via SIEM alerts. | Monthly | < 15 Minutes |
| A.5.26 Response to Security Incidents | Mean Time to Respond (MTTR) and contain critical security incidents. | Monthly | < 4 Hours |
| A.5.27 Learning from InfoSec Incidents | Percentage of post-incident action items implemented within the agreed timeframe. | Quarterly | 100% |
| A.5.28 Collection of Evidence | Percentage of immutable audit logs successfully retained for the 365-day statutory period. | Quarterly | 100% |
| A.5.29 InfoSec during Disruption | Time taken to restore core applications against the Recovery Time Objective (RTO). | Annually | Within RTO limit |
| A.5.30 ICT Readiness for Business Continuity | Success rate of automated disaster recovery (DR) failover tests. | Bi-Annually | 100% Success |
| A.5.31 Legal, Statutory, & Regulatory Requirements | Number of regulatory non-compliance fines or ICO reprimands received. | Annually | 0 |
| A.5.32 Intellectual Property Rights | Number of unauthorized external forks or clones of proprietary code repositories. | Monthly | 0 |
| A.5.33 Protection of Records | Percentage of financial database backups passing cryptographic integrity checks. | Weekly | 100% |
| A.5.34 Privacy & Protection of PII | Number of Data Subject Access Requests (DSARs) fulfilled within the 30-day legal window. | Monthly | 100% |
| A.5.35 Independent Review of InfoSec | Number of major non-conformities raised during the annual external ISO audit. | Annually | 0 Major NCs |
| A.5.36 Compliance with Policies | Percentage of endpoints compliant with baseline security configurations. | Weekly | > 98% |
| A.5.37 Documented Operating Procedures | Percentage of critical IT playbooks/runbooks updated within the last 12 months. | Annually | 100% |
2. People Controls Metrics (A.6.1 – A.6.8)
| Control ID & Name | Recommended Metric (KPI / KRI) | Frequency | Target Threshold |
|---|---|---|---|
| A.6.1 Screening | Percentage of new hires with completed background checks prior to system access. | Monthly | 100% |
| A.6.2 Terms & Conditions of Employment | Percentage of active personnel files containing a signed confidentiality agreement. | Quarterly | 100% |
| A.6.3 Awareness, Education, & Training | Failure/Click rate on internal phishing simulation campaigns. | Quarterly | < 4% |
| A.6.4 Disciplinary Process | Number of repeated security policy violations by the same employee. | Quarterly | 0 Incidents |
| A.6.5 Responsibilities after Termination | Percentage of departing staff completing the security offboarding sign-off. | Monthly | 100% |
| A.6.6 Confidentiality Agreements | Percentage of active third-party contractors with active NDAs on file. | Quarterly | 100% |
| A.6.7 Remote Working | Percentage of remote workforce connections authenticating via approved VPNs/Zero-Trust tunnels. | Daily | 100% |
| A.6.8 InfoSec Event Reporting | Volume of staff-reported suspicious emails vs. actual malicious emails detected. | Monthly | > 70% reporting rate |
3. Physical Controls Metrics (A.7.1 – A.7.14)
| Control ID & Name | Recommended Metric (KPI / KRI) | Frequency | Target Threshold |
|---|---|---|---|
| A.7.1 Physical Security Perimeters | Number of unauthorized physical boundary breaches detected. | Quarterly | 0 Breaches |
| A.7.2 Physical Entry | Percentage of visitors logged and assigned physical escort badges. | Monthly | 100% |
| A.7.3 Securing Offices, Rooms, & Facilities | Number of failed lock or access control mechanisms reported during maintenance sweeps. | Monthly | 0 (Immediate fix) |
| A.7.4 Physical Security Monitoring | CCTV/Camera system uptime percentage. | Monthly | > 99.9% |
| A.7.5 Physical & Environmental Threats | Number of successful test deployments of fire suppression/alerting systems. | Annually | 100% Pass |
| A.7.6 Security for Working in Secured Areas | Number of physical access violations recorded in restricted technical zones. | Quarterly | 0 Violations |
| A.7.7 Clear Desk & Clear Screen | Number of unlocked, unattended laptops observed during random office sweeps. | Quarterly | 0 Incidents |
| A.7.8 Equipment Siting & Protection | Percentage of public-facing monitors equipped with privacy screens. | Annually | 100% |
| A.7.9 Security of Assets Off-Premises | Number of corporate devices reported lost or stolen outside the office. | Quarterly | Trend downward |
| A.7.10 Storage Media | Number of unencrypted USB storage devices detected on the corporate network. | Weekly | 0 Devices |
| A.7.11 Supporting Utilities | Uptime percentage of Uninterruptible Power Supply (UPS) units during tests. | Bi-Annually | 100% |
| A.7.12 Cabling Security | Number of reported incidents of physical tampering with network conduits. | Annually | 0 Incidents |
| A.7.13 Equipment Maintenance | Percentage of core routing/firewall hardware operating within active warranty/support. | Quarterly | 100% |
| A.7.14 Secure Disposal of Equipment | Percentage of decommissioned hard drives with verified cryptographic wipe certificates. | Monthly | 100% |
4. Technological Controls Metrics (A.8.1 – A.8.34)
| Control ID & Name | Recommended Metric (KPI / KRI) | Frequency | Target Threshold |
|---|---|---|---|
| A.8.1 User Endpoint Devices | Percentage of endpoint laptops with full disk encryption (FileVault/BitLocker) enabled. | Daily | 100% |
| A.8.2 Privileged Access Rights | Percentage of cloud administrative accounts utilizing hardware security keys. | Monthly | 100% |
| A.8.3 Information Access Restriction | Number of unauthorized cross-departmental access attempts blocked by IAM. | Weekly | Track anomalies |
| A.8.4 Access to Source Code | Percentage of code repository access events originating from non-corporate IPs. | Monthly | 0% |
| A.8.5 Secure Authentication | Number of legacy basic authentication (non-MFA) logins detected on the network. | Weekly | 0 Logins |
| A.8.6 Capacity Management | Percentage of cloud compute instances operating above 90% CPU threshold for >1 hour. | Daily | < 5% of fleet |
| A.8.7 Protection against Malware | Percentage of endpoints with an active, communicating EDR/Antivirus agent. | Daily | > 98% |
| A.8.8 Technical Vulnerabilities | Average time taken to deploy patches for CVSS 9.0+ (Critical) vulnerabilities. | Monthly | < 7 Days |
| A.8.9 Configuration Management | Number of unauthorized manual changes detected in production cloud environments. | Weekly | 0 Changes |
| A.8.10 Information Deletion | Percentage of customer data erasure requests processed successfully via automation. | Monthly | 100% |
| A.8.11 Data Masking | Number of instances where unmasked PII was detected in staging/dev environments. | Weekly | 0 Instances |
| A.8.12 Data Leakage Prevention | Volume of sensitive data prevented from egress via cloud DLP rules. | Monthly | Track for trends |
| A.8.13 Information Backup | Success rate of daily automated, encrypted cloud database snapshots. | Daily | 100% |
| A.8.14 Redundancy of Processing | Percentage of core applications deployed across multiple Availability Zones. | Quarterly | 100% |
| A.8.15 Logging | Percentage of critical systems successfully forwarding logs to the central SIEM. | Daily | 100% |
| A.8.16 Monitoring Activities | False positive rate of SIEM alerting rules triggering analyst investigations. | Monthly | < 20% False Positives |
| A.8.17 Clock Synchronization | Maximum allowed time drift across production servers vs. NTP source. | Daily | < 100 milliseconds |
| A.8.18 Privileged Utility Programs | Number of direct database CLI executions overriding the standard application layer. | Weekly | 0 (unless emergency) |
| A.8.19 Installation of Software | Number of block events triggered by MDM preventing unauthorized software execution. | Monthly | Track for trends |
| A.8.20 Network Security | Number of unauthorized open ports (e.g., 22, 3389) detected on external perimeters. | Weekly | 0 Open Ports |
| A.8.21 Security of Network Services | Percentage of web services scoring an "A" rating on external TLS configuration scans. | Monthly | 100% |
| A.8.22 Network Segregation | Number of successful ping/connection tests from Dev VPCs to Production VPCs. | Quarterly | 0 (100% drop rate) |
| A.8.23 Web Filtering | Volume of malicious domain connection attempts blocked by DNS filtering. | Weekly | Track for trends |
| A.8.24 Use of Cryptography | Percentage of databases utilizing AES-256 (or higher) encryption at rest. | Monthly | 100% |
| A.8.25 Secure Development Lifecycle | Percentage of development sprints containing documented security/threat models. | Quarterly | 100% |
| A.8.26 Application Security Requirements | Number of critical OWASP Top 10 vulnerabilities discovered in production apps. | Quarterly | 0 Criticals |
| A.8.27 Secure System Architecture | Percentage of new cloud architectures passing internal peer security review. | Monthly | 100% |
| A.8.28 Secure Coding | Percentage of developers completing secure coding training within the last year. | Annually | 100% |
| A.8.29 Security Testing in Development | Percentage of code commits passing automated SAST/DAST pipeline scans. | Daily | 100% (Blocks on fail) |
| A.8.30 Outsourced Development | Percentage of agency-submitted code subjected to mandatory internal security review. | Monthly | 100% |
| A.8.31 Separation of Environments | Number of identical IAM roles shared between production and testing accounts. | Monthly | 0 Roles |
| A.8.32 Change Management | Percentage of production changes executed with an approved rollback plan. | Monthly | 100% |
| A.8.33 Test Information | Number of production data sets mistakenly loaded into quality assurance environments. | Quarterly | 0 Incidents |
| A.8.34 Protection during Audit Testing | Number of unplanned system outages caused by external penetration testing or auditing. | Annually | 0 Outages |
Part 4: The Complete Defense-in-Depth Traceability Matrix
In a mature Information Security Management System (ISMS), no single control operates in a vacuum. If a primary technical control fails, a compensating (backup) control must catch the anomaly before it escalates into a breach. This matrix maps all 93 controls of ISO 27001/27002:2022, demonstrating real-world failovers using modern tech stacks like Wazuh, Elasticsearch, AWS, and CI/CD pipelines.
1. Organisational Controls Traceability (A.5.1 – A.5.37)
| Control ID | Primary Measure (First Line) | Backup / Compensating Measure |
|---|---|---|
| A.5.1 Policies | Primary: ISMS policies hosted on a centralized intranet (Confluence) with mandatory digital read-receipts. | Backup: Annual compliance audits to manually verify policy awareness across random staff samples. |
| A.5.2 Roles | Primary: Okta/Azure AD group structures strictly defining access based on mapped HR job roles. | Backup: Quarterly manual access reviews comparing active system permissions against HR org charts. |
| A.5.3 Segregation of Duties | Primary: GitHub Actions branch protection rules requiring 2 independent PR approvals before merging to main. | Backup: Wazuh agent monitoring production deployment logs to detect unauthorized or forced direct commits. |
| A.5.4 Mgmt Responsibilities | Primary: Quarterly management review meetings documented via signed board minutes. | Backup: Automated compliance dashboard (Vanta/Drata) sending weekly posture reports directly to the C-suite. |
| A.5.5 Authorities Contact | Primary: Incident Response (IR) playbook contains up-to-date ICO/FCA emergency reporting contacts. | Backup: Retained external legal counsel on standby to handle regulatory notifications if internal teams are overwhelmed. |
| A.5.6 Special Interest Groups | Primary: Automated ingestion of FS-ISAC threat intelligence feeds directly into the Elasticsearch SIEM. | Backup: Security engineers attend quarterly regional cyber-security forums to gather localized human intelligence. |
| A.5.7 Threat Intelligence | Primary: Wazuh actively cross-referencing real-time system logs against updated MITRE ATT&CK IoC databases. | Backup: Manual weekly reviews of US-CERT/NCSC vulnerability bulletins by the SecOps team. |
| A.5.8 InfoSec in Projects | Primary: Jira templates force a mandatory "Security Architecture Review" gate before a sprint can begin. | Backup: Post-deployment DAST scanning catches security flaws missed during the project planning phase. |
| A.5.9 Asset Inventory | Primary: AWS Systems Manager and Intune MDM continuously auto-updating the dynamic asset registry. | Backup: Finance department reconciles cloud billing/hardware purchase ledgers against the IT asset list quarterly. |
| A.5.10 Acceptable Use | Primary: Staff sign the AUP via BambooHR/Workday during digital onboarding before receiving laptops. | Backup: MDM configuration enforces a persistent acceptable use banner on the OS login screen. |
| A.5.11 Return of Assets | Primary: Automated HR offboarding workflow triggers an IT ticket and revokes identity tokens simultaneously. | Backup: Remote MDM command cryptographically wipes the laptop if it connects to the internet post-termination. |
| A.5.12 Classification | Primary: AWS Macie automatically scans S3 buckets and tags objects containing PII/Financial data. | Backup: Data handlers follow documented manual classification matrices when creating new datasets. |
| A.5.13 Labelling | Primary: Microsoft Purview Information Protection auto-applies visual watermarks based on content detection. | Backup: Standardized corporate document templates with hardcoded "CONFIDENTIAL" headers. |
| A.5.14 Info Transfer | Primary: All external API and file transfer endpoints strictly enforce TLS 1.3 protocol connections. | Backup: Sensitive flat files are manually encrypted with PGP before transmission over lesser-trusted networks. |
| A.5.15 Access Control | Primary: AWS IAM policies grant access strictly via Role-Based Access Control (RBAC) tied to the IdP. | Backup: Elasticsearch alerts trigger if a user attempts to access a resource outside their standard operational baseline. |
| A.5.16 Identity Mgmt | Primary: SCIM provisioning automatically creates/destroys accounts based on the master HR database. | Backup: SIEM alerts configured to flag any login attempts using default, generic, or shared administrative accounts. |
| A.5.17 Authentication Info | Primary: Enforced SSO via Okta utilizing phishing-resistant FIDO2 hardware keys (YubiKeys). | Backup: Time-based One-Time Passwords (TOTP) authenticator apps permitted as a fallback if hardware keys are lost. |
| A.5.18 Access Rights | Primary: Automated quarterly access certification campaigns routed to managers via an Identity Governance tool. | Backup: IT Security executes a random manual audit of 10% of high-privilege accounts monthly. |
| A.5.19 Supplier Security | Primary: Vendor procurement requires a valid SOC 2 Type II or ISO 27001 certificate prior to contract signing. | Backup: Custom security questionnaires evaluated manually by the InfoSec team for bespoke/niche vendors. |
| A.5.20 Addressing Suppliers | Primary: Standardized Data Processing Agreements (DPAs) embedding 24-hour breach notification clauses. | Backup: Financial penalties and termination rights explicitly written into Master Service Agreements (MSAs). |
| A.5.21 Supply Chain Security | Primary: Snyk or Dependabot integrated into CI/CD pipelines to block builds containing known vulnerable libraries. | Backup: Web Application Firewall (WAF) blocks exploit attempts targeting newly discovered zero-days in vendor code. |
| A.5.22 Supplier Review | Primary: Annual automated calendar alerts to request and review updated compliance reports from Tier 1 vendors. | Backup: Continuous external attack surface monitoring tools tracking vendor domain reputations in real-time. |
| A.5.23 Cloud Services | Primary: Terraform Infrastructure-as-Code (IaC) ensures cloud environments are deployed with secure baselines. | Backup: Cloud Security Posture Management (CSPM) tools continuously scan AWS for configuration drifts. |
| A.5.24 IR Planning | Primary: Formally documented, step-by-step IR playbooks for Ransomware, Data Exfiltration, and DDoS. | Backup: Retained third-party Digital Forensics and Incident Response (DFIR) firm on a zero-hour SLA retainer. |
| A.5.25 Assessment of Incidents | Primary: Wazuh SIEM correlates logs and automatically categorizes alerts based on severity matrix thresholds. | Backup: On-call SOC analysts manually triage alerts utilizing standardized escalation trees. |
| A.5.26 Response to Incidents | Primary: Automated SOAR playbooks instantly isolate compromised EC2 instances or laptops from the network. | Backup: Network engineers execute manual port-shutdowns at the firewall level to stem lateral movement. |
| A.5.27 Learning from Incidents | Primary: Mandatory post-mortem meetings held within 72 hours of incident closure, creating tracked Jira tickets. | Backup: Annual review of incident trends to adjust security budgets and targeted staff training programs. |
| A.5.28 Evidence Collection | Primary: Wazuh agent logs stream directly to an immutable, Write-Once-Read-Many (WORM) AWS S3 bucket. | Backup: Forensic disk imaging protocols established to take bit-for-bit copies of physical drives before formatting. |
| A.5.29 BC during Disruption | Primary: Multi-region cloud architecture (e.g., AWS eu-west-1 & eu-west-2) providing active-active redundancy. | Backup: Documented manual fallback procedures allowing core business processes to run offline temporarily. |
| A.5.30 ICT Readiness for BC | Primary: Automated database failover mechanisms tested scriptedly every quarter without human intervention. | Backup: Annual full-scale disaster recovery tabletop exercises involving the entire engineering leadership. |
| A.5.31 Legal Requirements | Primary: Dedicated Data Protection Officer (DPO) maps data flows to ensure strict UK GDPR/FCA compliance. | Backup: External compliance audits performed annually by specialized fintech legal consultancies. |
| A.5.32 IP Rights | Primary: Source code repositories are strictly private, requiring corporate SSO and VPN to access. | Backup: Digital Rights Management (DRM) and Non-Disclosure Agreements (NDAs) protect leaked architectures legally. |
| A.5.33 Record Protection | Primary: Automated database lifecycle policies securely archive financial transaction logs for the statutory 7 years. | Backup: Tamper-evident, encrypted off-site tape backups maintained by a secure third-party vaulting service. |
| A.5.34 Privacy & PII | Primary: Customer PII is cryptographically tokenized before it is written to the primary operational databases. | Backup: Strict IAM boundaries ensure only authorized customer support apps can de-tokenize specific user rows. |
| A.5.35 Independent Review | Primary: Annual certification audit conducted by a UKAS-accredited external auditor. | Backup: Continuous internal audits conducted bi-annually by a dedicated internal QA/Compliance lead. |
| A.5.36 Policy Compliance | Primary: Compliance-as-Code tools check live infrastructure states against corporate security policies in real-time. | Backup: Managerial checklists completed monthly to confirm staff adherence to physical and logical rules. |
| A.5.37 Operating Procedures | Primary: Standard Operating Procedures (SOPs) are stored as "Docs-as-Code" alongside the infrastructure repositories. | Backup: Legacy wiki pages (Confluence) maintained with step-by-step screenshots for non-technical administrators. |
2. People Controls Traceability (A.6.1 – A.6.8)
| Control ID | Primary Measure (First Line) | Backup / Compensating Measure |
|---|---|---|
| A.6.1 Screening | Primary: Automated external background checks (identity, criminal, right-to-work) integrated into the HR platform. | Backup: HR conducts manual verification of references and academic qualifications via direct contact. |
| A.6.2 Terms of Employment | Primary: Binding employment contracts contain extensive IP and confidentiality clauses signed via DocuSign. | Backup: Annual re-acknowledgement of the employee handbook via the corporate training portal. |
| A.6.3 Awareness & Training | Primary: Monthly automated phishing simulations and interactive micro-learning modules (e.g., KnowBe4). | Backup: EDR (Wazuh/CrowdStrike) detects and blocks the malware execution if an employee falls for a real phish. |
| A.6.4 Disciplinary Process | Primary: Formal HR escalation matrix applied consistently for users who repeatedly fail phishing tests or violate policies. | Backup: Temporary suspension of high-privilege system access while HR investigates potential intentional breaches. |
| A.6.5 After Termination | Primary: Exit interviews explicitly remind departing staff of their enduring legal obligations regarding trade secrets. | Backup: DLP policies flag and block any bulk downloads or email forwards initiated in the 2 weeks prior to departure. |
| A.6.6 NDAs | Primary: Automated contract management systems prevent vendor onboarding without a countersigned NDA. | Backup: Project managers verify NDA status manually before sharing architecture diagrams with external consultants. |
| A.6.7 Remote Working | Primary: MDM enforces Always-On VPN (Zero Trust Network Access) before allowing connection to corporate resources. | Backup: Geolocation blocking at the IdP level prevents logins from high-risk countries outside the UK operations zone. |
| A.6.8 Event Reporting | Primary: "Report Phish" button integrated directly into Outlook/Gmail, routing automatically to the SOC ticketing system. | Backup: A dedicated `#security-reports` Slack channel allowing staff to flag anomalous behaviors or lost devices. |
3. Physical Controls Traceability (A.7.1 – A.7.14)
| Control ID | Primary Measure (First Line) | Backup / Compensating Measure |
|---|---|---|
| A.7.1 Physical Perimeters | Primary: Secure building envelope with blast-resistant glass and structural barriers separating the street from the lobby. | Backup: Secondary interior walls and reinforced doors separating the main office floor from the public reception area. |
| A.7.2 Physical Entry | Primary: RFID badge readers controlling all internal doors, logging access times to a centralized security server. | Backup: Receptionist visually verifies ID and manages a physical visitor sign-in/escort logbook during business hours. |
| A.7.3 Securing Offices | Primary: Server/Networking closets are secured with biometric (fingerprint) locks restricted to IT staff only. | Backup: Heavy-duty deadbolts utilized as physical fail-safes during electronic locking system power failures. |
| A.7.4 Security Monitoring | Primary: 24/7 CCTV system covering all entry/exit points, storing footage locally for 30 days. | Backup: Roving physical security patrols provided by building management during after-hours and weekends. |
| A.7.5 Physical Threats | Primary: Automated FM200 gas fire suppression systems and environmental (temperature/leak) sensors in server rooms. | Backup: Standard handheld fire extinguishers and documented evacuation plans tested via bi-annual fire drills. |
| A.7.6 Working in Secure Areas | Primary: Policy strictly prohibiting mobile phones, cameras, or unescorted guests in the data center/comms rooms. | Backup: CCTV actively monitored by security personnel to identify policy violations in restricted zones. |
| A.7.7 Clear Desk/Screen | Primary: Group Policy / MDM enforces an automatic password-protected screen lock after 5 minutes of inactivity. | Backup: Nightly sweeps by office management to secure sensitive printed documents left on desks. |
| A.7.8 Equipment Siting | Primary: Workstations positioned so screens cannot be viewed from ground-floor windows or public walkways. | Backup: 3M privacy filters physically applied to monitors of staff handling HR, finance, or customer PII. |
| A.7.9 Off-Premises Assets | Primary: Strict remote work policy requiring laptops to remain supervised or locked out of sight during travel. | Backup: Full Disk Encryption (BitLocker) renders the data inaccessible if a laptop is stolen from a car or coffee shop. |
| A.7.10 Storage Media | Primary: Endpoint protection (EDR) agents actively block USB mass storage devices from mounting on corporate laptops. | Backup: If authorized by exception, the endpoint software forces hardware-level AES-256 encryption on the USB drive. |
| A.7.11 Supporting Utilities | Primary: Uninterruptible Power Supply (UPS) units bridging the gap for core network switches during power blips. | Backup: Diesel generators maintained by the landlord providing sustained power during prolonged municipal outages. |
| A.7.12 Cabling Security | Primary: Network cables routed through locked conduits and dropped ceilings to prevent wiretapping or accidental cuts. | Backup: Network Access Control (802.1X) ensures that even if a cable is intercepted, unauthorized devices cannot connect. |
| A.7.13 Equipment Maintenance | Primary: Active OEM support contracts ensuring immediate hardware replacement for failing firewalls or switches. | Backup: High-Availability (HA) clustered deployment allows seamless failover to secondary hardware during maintenance. |
| A.7.14 Disposal of Equipment | Primary: NIST 800-88 compliant cryptographic wiping performed internally before hardware leaves the premises. | Backup: Certified physical destruction (shredding) of hard drives by a verified third-party waste vendor with certificates. |
4. Technological Controls Traceability (A.8.1 – A.8.34)
| Control ID | Primary Measure (First Line) | Backup / Compensating Measure |
|---|---|---|
| A.8.1 Endpoint Devices | Primary: Centralized MDM (Jamf/Intune) enforcing OS updates, encryption, and baseline security profiles. | Backup: Conditional Access policies block IdP login attempts from endpoints failing compliance checks. |
| A.8.2 Privileged Access | Primary: Cloud infrastructure access requires Just-In-Time (JIT) provisioning that auto-expires after a set duration. | Backup: Wazuh SIEM alerts immediately if root/admin actions are taken outside of an approved change window. |
| A.8.3 Info Access Restriction | Primary: Zero Trust Network Access (ZTNA) policies micro-segmenting access to internal apps based on user context. | Backup: Traditional internal network firewalls blocking lateral movement between discrete business unit subnets. |
| A.8.4 Access to Source Code | Primary: GitHub Enterprise configured to require SSO, MFA, and membership in specific developer teams. | Backup: Regular audits of git clone logs and API access tokens to detect unauthorized repository duplication. |
| A.8.5 Secure Auth | Primary: Modern Authentication protocols (SAML/OIDC) with enforced FIDO2 hardware MFA. | Backup: IdP behavioral analytics blocking logins originating from impossible travel vectors or anonymous proxies. |
| A.8.6 Capacity Mgmt | Primary: Cloud Auto-Scaling Groups automatically spin up new compute instances when CPU utilization hits 80%. | Backup: Datadog/Grafana alerting on-call engineers to intervene manually if scaling limits are unexpectedly reached. |
| A.8.7 Malware Protection | Primary: Next-Gen Antivirus (NGAV) / EDR utilizing behavioral heuristics rather than just signature matching. | Backup: Network-layer Intrusion Prevention Systems (IPS) blocking known malware command-and-control (C2) traffic. |
| A.8.8 Vulnerability Mgmt | Primary: Automated patch orchestration systems pushing OS and third-party software updates within defined SLAs. | Backup: Weekly authenticated vulnerability scans (Tenable/Qualys) identifying assets that the patch manager missed. |
| A.8.9 Configuration Mgmt | Primary: All AWS infrastructure deployed strictly via Terraform (IaC) to ensure immutable, standardized configurations. | Backup: AWS Config continuously monitors live environments and reverts unauthorized manual changes back to baseline. |
| A.8.10 Info Deletion | Primary: Automated "Right to be Forgotten" scripts executing cascading deletes across active databases. | Backup: Cryptographic erasure (destroying the encryption key) for data stored in immutable backups to render it unreadable. |
| A.8.11 Data Masking | Primary: CI/CD pipeline step utilizes synthetic data generators to populate Dev/QA databases with fake PII. | Backup: Strict database constraints preventing unauthorized execution of raw table dumps from the production environment. |
| A.8.12 DLP | Primary: Cloud DLP solutions (CASB) detecting and blocking the external transmission of credit card patterns or source code. | Backup: Elasticsearch alerts triggered by sudden, massive spikes in outbound data transfer volumes (potential exfiltration). |
| A.8.13 Information Backup | Primary: Automated, daily snapshots of all databases stored in a separate, isolated AWS account. | Backup: Quarterly manual disaster recovery drills to verify that backup images can actually be restored and booted. |
| A.8.14 Redundancy | Primary: Microservices architecture deployed across 3 separate AWS Availability Zones with active Load Balancing. | Backup: Cross-region replication ensuring a cold-standby environment can be spun up if an entire region fails. |
| A.8.15 Logging | Primary: Fluentd/Filebeat shipping OS, application, and firewall logs directly into the centralized Elasticsearch cluster. | Backup: Local log rotation on individual servers configured to retain at least 14 days of data if the SIEM pipe breaks. |
| A.8.16 Monitoring | Primary: Wazuh analyzing incoming logs against custom rulesets, identifying brute force attacks and generating Jira tickets. | Backup: Dedicated SOC analysts conducting daily proactive threat-hunting queries within Elasticsearch. |
| A.8.17 Clock Sync | Primary: Group Policy and Cloud configurations enforcing strict synchronization with an internal NTP cluster. | Backup: The internal NTP cluster syncs outbound to multiple reliable public sources (e.g., pool.ntp.org) to prevent drift. |
| A.8.18 Utility Programs | Primary: EDR software blocking the execution of powerful network diagnostic tools (like Wireshark) on standard user laptops. | Backup: System auditing rules tracking and alerting on the execution of legitimate administrative binaries (Living off the Land). |
| A.8.19 Software Installation | Primary: OS-level restriction removing Local Administrator rights, preventing users from installing unapproved software. | Backup: Application Whitelisting (AppLocker) ensuring only binaries signed by trusted publishers can execute. |
| A.8.20 Network Security | Primary: AWS Security Groups acting as strict stateful firewalls, dropping all inbound traffic not originating from the Load Balancer. | Backup: CloudTrail logging captures any unauthorized attempts to modify Security Group rules, triggering immediate alerts. |
| A.8.21 Network Services | Primary: VPN gateways configured with strong cipher suites (AES-256-GCM) and disabling legacy protocols (TLS 1.1/1.0). | Backup: Periodic external penetration testing to validate the cryptographic strength of internet-facing services. |
| A.8.22 Network Segregation | Primary: Complete VPC isolation between Development, Staging, and Production environments (no peering connections). | Backup: Security groups blocking lateral SSH/RDP traffic between individual servers even within the same subnet. |
| A.8.23 Web Filtering | Primary: DNS-level filtering (e.g., Cisco Umbrella) blocking resolution requests to known malware/phishing domains. | Backup: Corporate proxy servers performing SSL inspection to block malicious file downloads hidden in HTTPS traffic. |
| A.8.24 Cryptography | Primary: Centralized Key Management System (AWS KMS) handling encryption keys for data at rest and in transit. | Backup: Strict IAM policies preventing developers from exporting or directly accessing the raw cryptographic keys. |
| A.8.25 Secure Dev Lifecycle | Primary: "Shift-Left" security approach embedding threat modeling and security requirements directly into Jira user stories. | Backup: Pre-release QA gating requiring formal InfoSec sign-off before major architectural changes hit production. |
| A.8.26 App Security Reqs | Primary: Engineering standards mandating input validation and parameterized queries to mitigate OWASP Top 10 risks. | Backup: Web Application Firewall (WAF) actively intercepting and dropping SQL injection payload attempts at the edge. |
| A.8.27 Secure Architecture | Primary: Defense-in-depth design utilizing a three-tier architecture separating web, application, and database layers. | Backup: Micro-segmentation ensuring that if the web tier is compromised, the attacker has no routing access to the DB. |
| A.8.28 Secure Coding | Primary: IDE plugins (e.g., SonarLint) providing real-time feedback to developers on insecure coding patterns as they type. | Backup: Mandatory peer code reviews requiring secondary human validation of sensitive logic before merging. |
| A.8.29 Security Testing | Primary: GitHub Actions executing SAST/DAST scans automatically on every pull request, blocking merges on failure. | Backup: Annual manual penetration testing performed by an external CREST-certified red team. |
| A.8.30 Outsourced Dev | Primary: Contractual obligations requiring offshore development agencies to use corporate-managed VDI environments. | Backup: All agency-submitted code undergoes strict manual security review by an internal senior engineer prior to acceptance. |
| A.8.31 Environment Separation | Primary: Production environments exist in dedicated AWS Organizations accounts isolated entirely from QA/Dev accounts. | Backup: Different IdP role mappings ensure a developer logged into Dev physically cannot authenticate to the Prod AWS console. |
| A.8.32 Change Management | Primary: Formal Change Advisory Board (CAB) review for major infrastructure updates, requiring documented rollback plans. | Backup: Blue/Green deployment methodology allowing traffic to be instantly routed back to the old environment if the new one fails. |
| A.8.33 Test Information | Primary: Automated data obfuscation pipelines generating anonymized datasets for QA testing. | Backup: Development policies and container constraints completely blocking live database connection strings from the test environment. |
| A.8.34 Protection during Audit | Primary: Explicit scoping documents defining Rules of Engagement (RoE) to prevent DoS attacks during pen tests. | Backup: Live monitoring by the internal SOC team during audit windows to immediately halt the test if production stability is threatened. |
Comments
Post a Comment