1. Main Sections
    1. 1 Scope
      1. Organisation Scope
      2. Physical Scope
      3. Information Systems Scope
    2. 2 Normative references
    3. 3 Terms & definitions
    4. 4 Context of the Organisation
    5. 5 Leadership (Top Management)
    6. 6 Planning
      1. Information security objectives and planning to achieve them
      2. Actions to address risks and opportunities
    7. 7 Support
      1. Resources
      2. Competence, Determine competence of people working
      3. Awareness, Security awareness for people working
      4. Communication, Determine need for internal and external communications
      5. Documented information, Document and publish necessary information
    8. 8 Operation
      1. Operational planning and control, Plan, implement and control the required processes
      2. Information security risk assessment, Perform risk assessments at planned intervals or after significant changes
      3. Information security risk treatment, Implement risk treatment plan
    9. 9 Performance evaluation
      1. Monitoring, measurement, analysis and evaluation, Evaluate performance and effectiveness of ISMS
      2. Internal audit, Conduct internal audits at planned intervals
      3. Management review, Review of ISMS by management at regular intervals
    10. 10 Improvement
      1. Nonconformity and corrective action, Actions for nonconformity
      2. Continual improvement, Continually improve ISMS
  2. Annex A Controls
    1. 14 Domains
      1. A5 Information security policies
      2. A6 Organization of information security
      3. A7 Human resource security
      4. A8 Asset management
      5. A9 Access control
      6. A10 Cryptography
      7. A11 Physical and environmental security
      8. A12 Operations security
      9. A13 Communications security
      10. A14 System acquisition, development and maintenance
      11. A15 Supplier relationships
      12. A16 Incident management
      13. A17 Business continuity management
      14. A18 Compliance
    2. 114 Controls
      1. A5.1 Management direction for information security
      2. A6.1 Internal organization
      3. A6.2 Mobile devices and teleworking
      4. A7.1 Prior to employment
      5. A7.2 During employment
      6. A7.3 Termination and change of employment
      7. A8.2 Information classification
      8. A8.1 Responsibility of assets
      9. A8.3 Media handling
      10. A9.1 Business requirements of access control
      11. A9.4 System and application access control
      12. A9.2 User access management
      13. A9.3 User responsibilities
      14. A10.1 Cryptographic controls
      15. A11.1 Secure areas
      16. A11.2 Equipment
      17. A12.1 Operational procedures and responsibilities
      18. A12.2 Protection from malware
      19. A12.4 Logging and monitoring
      20. A12.3 Backup
      21. A12.5 Control of operational software
      22. A12.6 Technical vulnerability management
      23. A12.7 Information systems audit considerations
      24. A13.1 Network security management
      25. A13.2 Information transfer
      26. A14.1 Security requirements of information systems
      27. A14.2 Security in development and support processes
      28. A14.3 Test data
      29. A15.1 Information security in supplier relationships
      30. A15.2 Supplier service delivery management
      31. A16.1 Management of security incidents and improvements
      32. A17.1 Information security continuity
      33. A17.2 Redundancies
      34. A18.1 Compliance with legal and contractual requirements
      35. A18.2 Information security reviews