graphgrc

ISO 27002 - A.5 - Information security policies

A.5.1

Policies for information security

Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Mapped SCF controls

• GOV-01 - Cybersecurity & Data Protection Governance Program
• GOV-02 - Publishing Cybersecurity & Data Protection Documentation
• GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
• PRI-01 - Data Privacy Program
• PRI-01.3 - Dissemination of Data Privacy Program Information

A.5.2

Information security roles and responsibilities

Information security roles and responsibilities shall be defined and allocated according to the organization needs.

Mapped SCF controls

• GOV-04 - Assigned Cybersecurity & Data Protection Responsibilities
• HRS-03 - Roles & Responsibilities
• HRS-04.1 - Roles With Special Protection Measures
• TPM-06 - Third-Party Personnel Security

A.5.3

Segregation of duties

Conflicting duties and conflicting areas of responsibility shall be segregated.

Mapped SCF controls

• HRS-11 - Separation of Duties (SoD)
• HRS-12 - Incompatible Roles

A.5.4

Management responsibilities

Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Mapped SCF controls

• GOV-01 - Cybersecurity & Data Protection Governance Program
• HRS-01 - Human Resources Security Management
• HRS-04.2 - Formal Indoctrination
• HRS-05 - Terms of Employment
• HRS-05.1 - Rules of Behavior
• HRS-05.2 - Social Media & Social Networking Restrictions
• HRS-05.3 - Use of Communications Technology
• PRM-01 - Cybersecurity & Data Privacy Portfolio Management
• PRM-02 - Cybersecurity & Data Privacy Resource Management
• SAT-03 - Role-Based Cybersecurity & Data Privacy Training

A.5.5

** Contact with authorities**

The organization shall establish and maintain contact with relevant authorities.

Mapped SCF controls

• GOV-06 - Contacts With Authorities

A.5.6

** Contact with special interest groups**

The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Mapped SCF controls

• GOV-07 - Contacts With Groups & Associations

A.5.7

Threat intelligence

Information relating to information security threats shall be collected and analysed to produce threat intelligence.

Mapped SCF controls

• MON-11 - Monitoring For Information Disclosure
• MON-11.3 - Monitoring for Indicators of Compromise (IOC)
• THR-01 - Threat Intelligence Program
• THR-02 - Indicators of Exposure (IOE)
• THR-03 - Threat Intelligence Feeds

A.5.8

Information security in project management

Information security shall be integrated into project management.

Mapped SCF controls

• PRM-01 - Cybersecurity & Data Privacy Portfolio Management
• PRM-04 - Cybersecurity & Data Privacy In Project Management
• PRM-05 - Cybersecurity & Data Privacy Requirements Definition
• PRM-07 - Secure Development Life Cycle (SDLC) Management
• RSK-01.1 - Risk Framing
• RSK-03 - Risk Identification
• RSK-04 - Risk Assessment
• RSK-06 - Risk Remediation
• RSK-06.1 - Risk Response
• SEA-02 - Alignment With Enterprise Architecture

A.5.9

Information security in project management

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Mapped SCF controls

• AST-01.1 - Asset-Service Dependencies
• AST-01.2 - Stakeholder Identification & Involvement
• AST-02 - Asset Inventories
• AST-02.8 - Data Action Mapping
• AST-03 - Asset Ownership Assignment
• AST-03.1 - Accountability Information
• AST-04 - Network Diagrams & Data Flow Diagrams (DFDs)
• DCH-01 - Data Protection
• DCH-02 - Data & Asset Classification
• PRM-05 - Cybersecurity & Data Privacy Requirements Definition

A.5.10

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

Mapped SCF controls

• DCH-01 - Data Protection
• DCH-04 - Media Marking
• DCH-07.1 - Custodians
• HRS-05.1 - Rules of Behavior
• HRS-05.2 - Social Media & Social Networking Restrictions
• HRS-05.3 - Use of Communications Technology
• HRS-06 - Access Agreements

A.5.11

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

Mapped SCF controls

• AST-10 - Return of Assets

A.5.12

Classification of information

Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

Mapped SCF controls

• DCH-01 - Data Protection
• DCH-02 - Data & Asset Classification

A.5.13

Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Mapped SCF controls

• DCH-04 - Media Marking

A.5.14

Information transfer

Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

Mapped SCF controls

• CRY-03 - Transmission Confidentiality
• DCH-07 - Media Transportation
• DCH-07.1 - Custodians
• DCH-14 - Information Sharing
• DCH-17 - Ad-Hoc Transfers
• HRS-05 - Terms of Employment
• HRS-05.1 - Rules of Behavior
• HRS-06 - Access Agreements
• HRS-06.1 - Confidentiality Agreements
• NET-01 - Network Security Controls (NSC)
• NET-04 - Data Flow Enforcement – Access Control Lists (ACLs)
• NET-04.1 - Deny Traffic by Default & Allow Traffic by Exception
• NET-13 - Electronic Messaging
• NET-18 - DNS & Content Filtering
• PES-01 - Physical & Environmental Protections

A.5.15

Access control

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Mapped SCF controls

• IAC-01 - Identity & Access Management (IAM)
• IAC-02 - Identification & Authentication for Organizational Users
• IAC-08 - Role-Based Access Control (RBAC)
• IAC-15 - Account Management
• IAC-16 - Privileged Account Management (PAM)
• IAC-17 - Periodic Review of Account Privileges
• IAC-21 - Least Privilege
• PES-01 - Physical & Environmental Protections
• PES-02 - Physical Access Authorizations
• PES-02.1 - Role-Based Physical Access
• PES-03 - Physical Access Control
• PES-04 - Physical Security of Offices, Rooms & Facilities
• PES-04.1 - Working in Secure Areas

A.5.16

Identity management

The full life cycle of identities shall be managed.

Mapped SCF controls

• IAC-03 - Identification & Authentication for Non-Organizational Users
• IAC-04 - Identification & Authentication for Devices
• IAC-05 - Identification & Authentication for Third Party Systems & Services
• IAC-07 - User Provisioning & De-Provisioning
• IAC-09 - Identifier Management (User Names)
• IAC-09.1 - User Identity (ID) Management
• IAC-09.4 - Cross-Organization Management
• IAC-15 - Account Management
• IAC-15.3 - Disable Inactive Accounts
• IAC-15.5 - Restrictions on Shared Groups / Accounts

A.5.17

Authentication information

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

Mapped SCF controls

• IAC-10 - Authenticator Management
• IAC-10.1 - Password-Based Authentication
• IAC-10.11 - Password Managers
• IAC-10.5 - Protection of Authenticators
• IAC-10.8 - Vendor-Supplied Defaults
• IAC-18 - User Responsibilities for Account Management

A.5.18

Access rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

Mapped SCF controls

• CFG-03.1 - Periodic Review
• HRS-11 - Separation of Duties (SoD)
• IAC-01 - Identity & Access Management (IAM)
• IAC-07 - User Provisioning & De-Provisioning
• IAC-07.1 - Change of Roles & Duties
• IAC-07.2 - Termination of Employment
• IAC-10 - Authenticator Management
• IAC-10.11 - Password Managers
• IAC-15 - Account Management
• IAC-15.1 - Automated System Account Management (Directory Services)
• IAC-15.2 - Removal of Temporary / Emergency Accounts
• IAC-16 - Privileged Account Management (PAM)
• IAC-16.1 - Privileged Account Inventories
• IAC-17 - Periodic Review of Account Privileges
• IAC-19 - Credential Sharing
• IAC-20 - Access Enforcement
• IAC-20.1 - Access To Sensitive / Regulated Data
• IAC-20.2 - Database Access
• IAC-20.3 - Use of Privileged Utility Programs
• IAC-21 - Least Privilege
• IAC-21.3 - Privileged Accounts
• PES-01 - Physical & Environmental Protections
• PES-02 - Physical Access Authorizations
• PES-02.1 - Role-Based Physical Access
• PES-03 - Physical Access Control

A.5.19

Information security in supplier relationships

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

Mapped SCF controls

• TPM-01 - Third-Party Management
• TPM-01.1 - Third-Party Inventories
• TPM-02 - Third-Party Criticality Assessments
• TPM-03 - Supply Chain Protection
• TPM-03.2 - Limit Potential Harm
• TPM-03.3 - Processes To Address Weaknesses or Deficiencies
• TPM-04 - Third-Party Services
• TPM-04.1 - Third-Party Risk Assessments & Approvals
• TPM-04.3 - Conflict of Interests
• TPM-05 - Third-Party Contract Requirements
• TPM-06 - Third-Party Personnel Security
• TPM-08 - Review of Third-Party Services
• TPM-09 - Third-Party Deficiency Remediation
• TPM-11 - Third-Party Incident Response & Recovery Capabilities

A.5.20

Addressing information security within supplier agreements

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

Mapped SCF controls

• IRO-10.4 - Supply Chain Coordination
• TPM-01 - Third-Party Management
• TPM-03.2 - Limit Potential Harm
• TPM-05 - Third-Party Contract Requirements
• TPM-08 - Review of Third-Party Services
• TPM-10 - Managing Changes To Third-Party Services

A.5.21

Managing information security in the information and communication technology (ICT) supply chain

Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Mapped SCF controls

• AST-03.2 - Provenance
• IAO-01 - Information Assurance (IA) Operations
• IAO-02 - Assessments
• IAO-02.2 - Specialized Assessments
• RSK-09 - Supply Chain Risk Management (SCRM) Plan
• TPM-03 - Supply Chain Protection
• TPM-03.1 - Acquisition Strategies, Tools & Methods
• TPM-04.4 - Third-Party Processing, Storage and Service Locations
• TPM-05 - Third-Party Contract Requirements
• TPM-05.1 - Security Compromise Notification Agreements

A.5.22

Monitoring, review and change management of supplier services

The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Mapped SCF controls

• TPM-03 - Supply Chain Protection
• TPM-03.1 - Acquisition Strategies, Tools & Methods
• TPM-03.3 - Processes To Address Weaknesses or Deficiencies
• TPM-08 - Review of Third-Party Services
• TPM-10 - Managing Changes To Third-Party Services

A.5.23

Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

Mapped SCF controls

• CLD-01 - Cloud Services
• CLD-02 - Cloud Security Architecture
• CLD-04 - Application & Program Interface (API) Security
• CLD-06 - Multi-Tenant Environments
• CLD-06.1 - Customer Responsibility Matrix (CRM)
• CLD-09 - Geolocation Requirements for Processing, Storage and Service Locations
• IAO-02 - Assessments
• IAO-02.2 - Specialized Assessments
• TPM-05.4 - Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix

A.5.24

Information security incident management planning and preparation

The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Mapped SCF controls

• IRO-01 - Incident Response Operations
• IRO-02 - Incident Handling
• IRO-04 - Incident Response Plan (IRP)
• IRO-13 - Root Cause Analysis (RCA) & Lessons Learned

A.5.25

Assessment and decision on information security events

The organization shall assess information security events and decide if they are to be categorized as information security incidents.

Mapped SCF controls

• IRO-02 - Incident Handling
• IRO-04.1 - Data Breach
• IRO-07 - Integrated Security Incident Response Team (ISIRT)
• IRO-09 - Situational Awareness For Incidents

A.5.26

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Mapped SCF controls

• IRO-02 - Incident Handling
• IRO-04 - Incident Response Plan (IRP)
• IRO-07 - Integrated Security Incident Response Team (ISIRT)
• IRO-08 - Chain of Custody & Forensics

A.5.27

Learning from information security incidents

Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

Mapped SCF controls

• IRO-13 - Root Cause Analysis (RCA) & Lessons Learned

A.5.28

Collection of evidence

The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Mapped SCF controls

• IRO-08 - Chain of Custody & Forensics

A.5.29

Information security during disruption

The organization shall plan how to maintain information security at an appropriate level during disruption.

Mapped SCF controls

• BCD-01 - Business Continuity Management System (BCMS)
• BCD-01.1 - Coordinate with Related Plans
• BCD-01.2 - Coordinate With External Service Providers
• BCD-04 - Contingency Plan Testing & Exercises
• IRO-05 - Incident Response Training
• IRO-06.1 - Coordination with Related Plans
• IRO-11.2 - Coordination With External Providers

A.5.30

ICT readiness for business continuity

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Mapped SCF controls

• AST-01 - Asset Governance
• AST-01.1 - Asset-Service Dependencies
• BCD-01 - Business Continuity Management System (BCMS)
• BCD-01.1 - Coordinate with Related Plans
• BCD-01.2 - Coordinate With External Service Providers
• BCD-04 - Contingency Plan Testing & Exercises
• IRO-06 - Incident Response Testing
• RSK-08 - Business Impact Analysis (BIA)

A.5.31

Legal, statutory, regulatory and contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

Mapped SCF controls

• AST-01 - Asset Governance
• CPL-01 - Statutory, Regulatory & Contractual Compliance
• CPL-02 - Cybersecurity & Data Protection Controls Oversight
• CRY-01.2 - Export-Controlled Technology
• PRI-07.1 - Data Privacy Requirements for Contractors & Service Providers
• TPM-05 - Third-Party Contract Requirements

A.5.32

Intellectual property rights

The organization shall implement appropriate procedures to protect intellectual property rights.

Mapped SCF controls

• AST-02.7 - Software Licensing Restrictions

A.5.33

Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

Mapped SCF controls

• DCH-01 - Data Protection
• DCH-18 - Media & Data Retention
• PRI-03 - Choice & Consent
• PRI-04 - Restrict Collection To Identified Purpose
• PRI-05 - Personal Data Retention & Disposal
• PRI-05.1 - Internal Use of Personal Data For Testing, Training and Research
• PRI-05.4 - Usage Restrictions of Sensitive Personal Data
• PRI-07 - Information Sharing With Third Parties
• PRI-07.1 - Data Privacy Requirements for Contractors & Service Providers
• RSK-10 - Data Protection Impact Assessment (DPIA)

A.5.34

Privacy and protection of personal identifiable information (PII)

The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

Mapped SCF controls

• PRI-01 - Data Privacy Program
• PRI-01.6 - Security of Personal Data
• PRI-02 - Data Privacy Notice
• PRI-02.1 - Purpose Specification

A.5.35

Independent review of information security

The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur

Mapped SCF controls

• CPL-02.1 - Internal Audit Function
• CPL-03 - Cybersecurity & Data Protection Assessments
• CPL-03.1 - Independent Assessors
• CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
• CPL-04 - Audit Activities

A.5.36

Compliance with policies, rules and standards for information security

Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

Mapped SCF controls

• CPL-02 - Cybersecurity & Data Protection Controls Oversight
• CPL-03 - Cybersecurity & Data Protection Assessments
• CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
• PRI-08 - Testing, Training & Monitoring

A.5.37

Documented operating procedures

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

Mapped SCF controls

• GOV-01 - Cybersecurity & Data Protection Governance Program
• GOV-02 - Publishing Cybersecurity & Data Protection Documentation
• GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
• OPS-01 - Operations Security
• OPS-01.1 - Standardized Operating Procedures (SOP)
• OPS-03 - Service Delivery (Business Process Support)

This site is open source. Improve this page.