Guide on ISO 27001 Controls
ISO 27001 or ISO/IEC 27001:2013 is an international standard created to help organizations manage the security processes of
their information assets. This standard provides a solid framework for implementing an Information Security Management
System also known as an ISMS. This framework facilitates the Confidentiality, Integrity and Availability of all essential
corporate data through its secure and streamlined management processes.
ISO 27001 is one of the most recognized and internationally certified Information Security Standards. We have already
discussed everything you need to know about the ISO 27001 standard in our previous blog, which you can refer to for
more details. However, today’s article takes a closer look at ISO 27001 Audit Controls. It explains in detail what the
ISO 27001 Audit Controls are and how they help strengthen the Cyber Security systems of your organization.
What are ISO 27001 Audit controls?
The ISO 27001 Audit Control Standards can be divided into two parts. The first part, which is mandatory, consists of 11
clauses, numbered 0 to 10. The second part, termed Annex A, provides a guideline for 114 control objectives and
controls. Clauses 0 to 3 cover the Introduction, Scope, Normative references and the Terms and Definitions of the ISO 27001
standard.
Clauses 4 to 10 provide ISO 27001 requirements that are mandatory for any organization that wishes to be compliant with the
Standard. Annex A is a part of the Standard which exists to support these clauses and their requirements with a list of controls
that are not mandatory, but are selected as part of the Risk Management process. The 114 ISO 27001 Annex A controls can be
divided into 14 categories which we will be covering below.
ISO 27001 Information Security Management Standard – Clauses 0 – 10
1. Clause 0.1: Introduction – The ISO 27001 Standard gives you the information required to set up an efficient Information
Security Management System. This clause summarizes how implementing the standard protects your data from
unauthorized users, helps you follow various domestic and international compliance standards, and gives
stakeholders and customers confidence in you as a trusted company.
2. Clause 1: Scope – This Clause states that the requirements specified in the ISO 27001 standard are to be applied within the
context of your organization. Therefore, determining your organizational context is very important, so that you don’t
over-build your system and start trying to meet requirements you don’t need to achieve. The clause repeats that you need to
use Risk Management processes for your ISMS. It also shows how this standard applies to organizations of all sizes.
3. Clause 2: Normative references – This Clause exists to signify that ISO 27000 is indispensable to the application of ISO
27001. Therefore, you must read, understand and apply ISO 27000 requirements and use them while building your ISMS.
4. Clause 3: Terms and Definitions – This Clause is another important reason for you to first understand ISO 27000, as all the
terms and definitions given in that Standard also apply to ISO 27001.
5. Clause 4: Context of the organization – This Clause requires the organization to determine all internal and external issues
that may be relevant to its business purposes and to the achievement of the objectives of the ISMS itself.
6. Clause 5: Leadership – This Clause requires that top management responsibilities be defined, setting the roles and
responsibilities, and contents of the top-level Information Security Policy to facilitate the smooth setup of the ISMS.
7. Clause 6: Planning – Clause no. 6 seeks to cover the “preventive action” stated in the old ISO 27001:2005. It clearly defines
requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and how these integrate with
and facilitate setting up the ISMS.
8. Clause 7: Support – The next Clause states that resources required by the ISMS to achieve the stated objectives and show
continual improvement must be defined and made available by the organization to the team implementing the system. It
seeks to define the requirements for the availability of resources, competencies, awareness, communication, and control of
documents and records.
9. Clause 8: Operation – This Clause seeks to ensure that risks and opportunities are treated properly, security objectives are
achieved, and information security requirements are met. It defines the implementation of risk assessment as well as other
processes needed to achieve information security objectives.
10. Clause 9: Performance evaluation – This Clause deals with the constant monitoring, measurement, analysis and performance
evaluation of the ISMS. Therefore, this Clause seeks to define requirements for monitoring, measurement, analysis, evaluation,
internal audit, and management review of the organization, thus establishing clear measurement metrics.
11. Clause 10: Improvement – This clause defines the requirements for nonconformities, corrections, corrective actions, and
continual improvement.
What are the 14 domains of ISO 27001?
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:
1. Annex A.5. Information Security Policies:
Annex A.5 is about providing management with the right direction for information security policies. The objective in this Annex is to
manage direction and support for information security in accordance with the organization’s requirements and in line with the relevant
laws and regulations. The Annex includes two controls –
- A.5.1.1 Policies for Information Security – Annex A.5.1.1 states that a set of policies for information security must be
defined, approved by management, published and communicated to employees and relevant external parties.
- A.5.1.2 Review of the Policies for Information Security – Annex A.5.1.2 states that the policies for information security need
to be reviewed at planned intervals, or if significant changes occur, so that they remain suitable,
adequate and effective.
2. Annex A.6. Organization of Information Security:
a. Annex A.6.1 is about the internal organization of information security. The objective of this Annex is to establish a
management framework that initiates and controls the implementation and operation of information security. It contains 7
controls.
b. Annex A.6.1.1 Information Security Roles & Responsibilities states that all information security responsibilities must be
defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the
responsibility for granting a particular permission).
3. Annex A.7. Human Resource Security:
a. Annex A.7.1 is about employment and is concerned directly with human resources. The objective here is to ensure that
employees understand their responsibilities and are properly trained and suited for their roles. This Annex also covers what
happens when people leave or change roles. The Annex is made up of 6 controls.
This covers background verification and competence checks on all candidates for employment. The contractual agreement
signed by employees and contractors must explicitly state the responsibilities the employee and the company will both
undertake for proper information security hygiene. The objective is to ensure that employees and contractors are aware of and
fulfil their information security responsibilities during employment.
4. Annex A.8. Asset management:
Annex A.8.1 is about responsibility for assets. The objective of this Annex is to identify and define information assets in scope
for the management system. Appropriate protection responsibilities must also be assigned to them. The Annex consists of 10
controls. All assets associated with information processing facilities must be identified and managed under this Annex. There
should be a compiled inventory of assets that shows how the assets are managed and controlled in detail.
5. Annex A.9. Access Control:
a. Annex A.9.1 is about the business requirements of access control. The objective of this Annex control is to limit access to
information and information processing facilities. This Annex is made up of 14 controls. Under this Annex an access control
policy must be established, documented and reviewed regularly while keeping the business requirements for the assets in
scope. Users should only get access to the network and network services they need to use or know about for their job. A
process must be implemented to assign or revoke access rights for all user types to all systems and services.
6. Annex A.10. Cryptography:
a. Annex A.10.1 is about Cryptographic controls. The objective here is to ensure proper and effective use of cryptography to
protect the confidentiality, authenticity and/or integrity of information. This Annex contains 2 controls. Under the requirements
of this Annex a policy should be established on the use and protection of Cryptographic Keys. This policy should be
implemented throughout the lifecycle of the keys. There should also be a process in place for the creation, distribution,
changes, backup and storage of cryptographic key material through to its end of life and destruction.
7. Annex A.11. Physical and environmental Security:
a. Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of this Annex is to prevent
unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
It consists of 15 internal controls. This Annex should contain a detailed description of the security perimeters and boundaries
for areas that contain either sensitive or critical information. This also includes areas with information processing facilities such
as computers, laptops etc. Secure areas need to be secured with appropriate entry controls to ensure only authorized
personnel are allowed access. This Annex also covers loss, damage, theft or compromise of assets and interruption to the
organization’s operations.
8. Annex A.12. Operations security:
a. Annex A.12.1 is about Operational Procedures and Responsibilities. The objective of this Annex is to ensure correct and
secure operations of information processing facilities. It is made up of 14 controls. Under this Annex operating procedures
must be documented and then made available to all users who need them. Operating procedures that have been documented
in such a manner ensure consistent operation of systems even in the case of new staff or changing resources, and can often
be critical for disaster recovery, business continuity and for when staff availability is compromised. This Annex also covers
protection from malware. The objective is to ensure that information and information processing facilities are protected
against malware.
9. Annex A.13. Communications security:
a. Annex A.13.1 is about Network Security Management. The objective of this Annex is to ensure the protection of
information in networks and its supporting information processing facilities. This Annex is made up of 7 controls. Networks
must be managed and controlled to protect information within systems and applications. This means that the organization
should use methods that ensure that the information within its systems and applications is protected.
b. Annex A.13.2 is about information transfer. The objective of this Annex is to maintain the security of information transferred
within the organization and with any external entity e.g. a customer, supplier or other interested parties.
10. Annex A.14. System Acquisition, Development and Maintenance:
a. Annex A.14.1 is about security requirements of information systems. The objective is to ensure that healthy information
security practices remain an integral part of information systems across their entire lifecycle. This includes requirements for
information systems that provide services over public networks. This Annex consists of 13 controls. Information security-related
requirements must be included in any requirements for new information systems or enhancements to the existing information
systems.
b. Annex A.14.2 is about security in development and support processes. The objective of this Annex is to ensure that
information security is designed and implemented within the development lifecycle of information systems.
11. Annex A.15. Supplier Relationships:
a. Annex A.15.1 is about Information Security in supplier relationships. The objective is to protect the organization’s valuable
assets that are accessible to or affected by suppliers. Other key relationships such as business partners should also be covered
here. This Annex contains 5 controls.
b. Annex A.15.2 is about Supplier Service Development management. The objective of this Annex is to ensure that an agreed
level of Information Security and service delivery is maintained in line with supplier agreements.
12. Annex A.16. Information Security Incident Management:
a. Annex A.16.1 is about management of Information Security Incidents, events and weaknesses. The objective is to ensure a
consistent and effective approach to the lifecycle of incidents, events and weaknesses. This Annex is made up of 7 controls.
These controls describe how management must establish responsibilities and procedures to ensure a quick, effective and
orderly response to weaknesses, events and security incidents.
13. Annex A.17. Information Security Aspects of Business Continuity Management:
a. Annex A.17.1 is about Information Security Continuity. The objective is to embed Information Security Continuity into the
organization’s Business Continuity Management Systems. This Annex contains 4 controls. The organization must determine its
unique requirements for Information Security and take into account the continuity of Information Security Management in
adverse situations, e.g. during a crisis or disaster.
14. Annex A.18. Compliance:
a. Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory,
regulatory or contractual obligations related to information security and of any security requirements. This Annex contains 8
controls.
b. Annex A.18.2 is about Information Security reviews. The objective is to ensure that Information Security is implemented and
operated in accordance with the organizational policies and procedures.
Using the 14 domains of ISO 27001
All of this might seem like too much information, which is where experienced cyber security firms such as VISTA InfoSec can
step in and help make the process easier. As we discussed earlier, organizations are not required to implement all 114 of ISO
27001’s controls.
Annex A is a list of controls, and which of them you must implement is determined by your organization’s risk assessment. The standard works
as a guide for you and your management team for establishing, implementing, maintaining and continually improving an
efficient Information Security Management System. With the necessary controls from the above in place, you will
establish a seamless process that will help your organization identify and mitigate potential risks in time.
Do write to us with your feedback, comments and queries, or if you have any requirements: info@vistainfosec.com
You can reach us on: USA +1-415-513 5261 | INDIA +91 73045 57744 | SINGAPORE +65-3129-0397
facebook.com/vistainfosec/ | in.linkedin.com/company/vistainfosec | twitter.com/VISTAINFOSEC
© VISTA InfoSec ®
 
What is GDPR Data Flow Mapping
What is GDPR Data Flow MappingWhat is GDPR Data Flow Mapping
What is GDPR Data Flow Mapping
 
What is a Firewall Risk Assessment?
What is a Firewall Risk Assessment?What is a Firewall Risk Assessment?
What is a Firewall Risk Assessment?
 
Which SOC Report Do I need?
Which SOC Report Do I need?Which SOC Report Do I need?
Which SOC Report Do I need?
 
Key additions and amendments introduced under the CPRA
Key additions and amendments introduced under the CPRAKey additions and amendments introduced under the CPRA
Key additions and amendments introduced under the CPRA
 
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
 
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
 
Why is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with linksWhy is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with links
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-converted
 

Recently uploaded

Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurSuhani Kapoor
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxtrishalcan8
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyEthan lee
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...noida100girls
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetDenis Gagné
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 

Recently uploaded (20)

Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
