graphgrc

ISO 27002 - A.5 - Information security policies

A.5.1

Policies for information security

Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Mapped SCF controls

A.5.2

Information security roles and responsibilities

Information security roles and responsibilities shall be defined and allocated according to the organization needs.

Mapped SCF controls

A.5.3

Segregation of duties

Conflicting duties and conflicting areas of responsibility shall be segregated.

Mapped SCF controls

A.5.4

Management responsibilities

Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Mapped SCF controls

A.5.5

** Contact with authorities**

The organization shall establish and maintain contact with relevant authorities.

Mapped SCF controls

A.5.6

** Contact with special interest groups**

The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Mapped SCF controls

A.5.7

Threat intelligence

Information relating to information security threats shall be collected and analysed to produce threat intelligence.

Mapped SCF controls

A.5.8

Information security in project management

Information security shall be integrated into project management.

Mapped SCF controls

A.5.9

Information security in project management

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Mapped SCF controls

A.5.10

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

Mapped SCF controls

A.5.11

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

Mapped SCF controls

A.5.12

Classification of information

Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

Mapped SCF controls

A.5.13

Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Mapped SCF controls

A.5.14

Information transfer

Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

Mapped SCF controls

A.5.15

Access control

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Mapped SCF controls

A.5.16

Identity management

The full life cycle of identities shall be managed.

Mapped SCF controls

A.5.17

Authentication information

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

Mapped SCF controls

A.5.18

Access rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

Mapped SCF controls

A.5.19

Information security in supplier relationships

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

Mapped SCF controls

A.5.20

Addressing information security within supplier agreements

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

Mapped SCF controls

A.5.21

Managing information security in the information and communication technology (ICT) supply chain

Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Mapped SCF controls

A.5.22

Monitoring, review and change management of supplier services

The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Mapped SCF controls

A.5.23

Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

Mapped SCF controls

A.5.24

Information security incident management planning and preparation

The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Mapped SCF controls

A.5.25

Assessment and decision on information security events

The organization shall assess information security events and decide if they are to be categorized as information security incidents.

Mapped SCF controls

A.5.26

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Mapped SCF controls

A.5.27

Learning from information security incidents

Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

Mapped SCF controls

A.5.28

Collection of evidence

The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Mapped SCF controls

A.5.29

Information security during disruption

The organization shall plan how to maintain information security at an appropriate level during disruption.

Mapped SCF controls

A.5.30

ICT readiness for business continuity

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Mapped SCF controls

A.5.31

Legal, statutory, regulatory and contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

Mapped SCF controls

A.5.32

Intellectual property rights

The organization shall implement appropriate procedures to protect intellectual property rights.

Mapped SCF controls

A.5.33

Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

Mapped SCF controls

A.5.34

Privacy and protection of personal identifiable information (PII)

The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

Mapped SCF controls

A.5.35

Independent review of information security

The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur

Mapped SCF controls

A.5.36

Compliance with policies, rules and standards for information security

Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

Mapped SCF controls

A.5.37

Documented operating procedures

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

Mapped SCF controls