1. Process and process approach
2. Process approach impact
3. The Plan-Do-Check-Act cycle
4. Context of the organization
- 4.1 Understanding the organization and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the Information Security Management System
- 4.4 Information Security Management System
5. Leadership
- 5.1 Leadership and commitment
- 5.2 Policy
- 5.3 Organizational roles, responsibilities and authorities
6. Planning
- 6.1 Actions to address risks and opportunities
  - 6.1.1 General
  - 6.1.2 Information security risk assessment
  - 6.1.3 Information security risk treatment
- 6.2 Information security objectives and plans to achieve them
7. Support
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
  - 7.5.1 General
  - 7.5.2 Creating and updating
  - 7.5.3 Control of documented information
8. Operation
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
9. Performance evaluation
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
10. Improvement
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement

Annex A – Reference control objectives and controls

A.5. Information security policies
The controls in this section aim to provide direction and support to the ISMS through the implementation, communication, and controlled review of information security policies.

A.6. Organization of information security
The controls in this section aim to provide the basic framework for implementing and operating information security by defining its internal organization (e.g., roles and responsibilities) and by addressing organizational aspects of information security such as project management, use of mobile devices, and teleworking.

A.7. Human resource security
The controls in this section aim to ensure that the people under the organization's control who can affect information security are suitable for their roles and know their responsibilities, and that changes to or termination of employment do not compromise information security.

A.8. Asset management
The controls in this section aim to ensure that information security assets (e.g., information, processing devices, storage media) are identified, that responsibility for their security is assigned, and that people know how to handle them according to predefined classification levels.

A.9. Access control
The controls in this section aim to limit access to information and information assets according to business needs, by means of formal processes to grant and revoke access rights. The controls cover both physical and logical access, and access by people as well as by information systems.

A.10. Cryptography
The controls in this section aim to provide the basis for the proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information, including the management of cryptographic keys throughout their life cycle.

A.11. Physical and environmental security
The controls in this section aim to prevent unauthorized access to physical areas, and to protect equipment and facilities whose compromise, whether by human action or natural events, could affect information assets or business operations.

A.12. Operations security
The controls in this section aim to ensure that information processing facilities, including operating systems, are operated securely and are protected against malware and data loss. They also require the means to log events and generate evidence, the management of technical vulnerabilities, and precautions to prevent audit activities from disrupting operations.

A.13. Communications security
The controls in this section aim to protect the network infrastructure and network services, as well as the information that travels over them.

A.14. System acquisition, development and maintenance
The controls in this section aim to ensure that information security is considered throughout the system development life cycle, from requirements through development, testing, and maintenance.

A.15. Supplier relationships
The controls in this section aim to ensure that activities outsourced to suppliers are also subject to information security controls, and that supplier agreements and service delivery are properly managed and monitored by the organization.

A.16. Information security incident management
The controls in this section aim to provide a framework for the proper communication and handling of security events and incidents, so that they are resolved in a timely manner, evidence is preserved as required, and lessons learned are used to improve processes and avoid recurrence.

A.17. Information security aspects of business continuity management
The controls in this section aim to ensure the continuity of information security management during adverse situations, as well as the availability of information processing facilities.

A.18. Compliance
The controls in this section aim to provide a framework to prevent breaches of legal, statutory, regulatory, and contractual obligations, and to obtain independent confirmation that information security is implemented and effective according to the organization's policies and procedures and the requirements of the ISO 27001 standard.