| ISO 27001 Annex A Controls
|
Status
|
| 5
|
Organizational
|
|
| 5.1
|
Policies for information security
|
unchecked
|
| 5.2
|
Information security roles and responsibilities
|
unchecked
|
| 5.3
|
Segregation of duties
|
unchecked
|
| 5.4
|
Management responsibilities
|
unchecked
|
| 5.5
|
Contact with authorities
|
unchecked
|
| 5.6
|
Contact with special interest groups
|
unchecked
|
| 5.7
|
Threat intelligence
|
unchecked
|
| 5.8
|
Information security in project management
|
unchecked
|
| 5.9
|
Inventory of information and other associated assets
|
unchecked
|
| 5.10
|
Acceptable use of information and other associated assets
|
unchecked
|
| 5.11
|
Return of assets
|
unchecked
|
| 5.12
|
Classification of information
|
unchecked
|
| 5.13
|
Labelling of information
|
unchecked
|
| 5.14
|
Information transfer
|
unchecked
|
| 5.15
|
Access control
|
unchecked
|
| 5.16
|
Identity management
|
unchecked
|
| 5.17
|
Authentication information
|
unchecked
|
| 5.18
|
Access rights
|
unchecked
|
| 5.19
|
Information security in supplier relationships
|
unchecked
|
| 5.20
|
Addressing information security within supplier agreements
|
unchecked
|
| 5.21
|
Managing information security in the ICT supply chain
|
unchecked
|
| 5.22
|
Monitoring, review and change management of supplier services
|
unchecked
|
| 5.23
|
Information security for use of cloud services Neu
|
unchecked
|
| 5.24
|
Information security incident management planning and preparation
|
unchecked
|
| 5.25
|
Assessment and decision on information security events
|
unchecked
|
| 5.26
|
Response to information security incidents
|
unchecked
|
| 5.27
|
Learning from information security incidents
|
unchecked
|
| 5.28
|
Collection of evidence
|
unchecked
|
| 5.29
|
Information security during disruption
|
unchecked
|
| 5.30
|
ICT readiness for business continuity
|
unchecked
|
| 5.31
|
Identification of legal, statutory, regulatory, and contractual requirements
|
unchecked
|
| 5.32
|
Intellectual property rights
|
unchecked
|
| 5.33
|
Protection of records
|
unchecked
|
| 5.34
|
Privacy and protection of PII
|
unchecked
|
| 5.35
|
Independent review of information security
|
unchecked
|
| 5.36
|
Compliance with policies and standards for information security
|
unchecked
|
| 5.37
|
Documented operating procedures
|
unchecked
|
| 6
|
People controls
|
|
| 6.1
|
Screening
|
unchecked
|
| 6.2
|
Terms and conditions of employment
|
unchecked
|
| 6.3
|
Information security awareness, education and training
|
unchecked
|
| 6.4
|
Disciplinary process
|
unchecked
|
| 6.5
|
Responsibilities after termination or change of employment
|
unchecked
|
| 6.6
|
Confidentiality or non-disclosure agreements
|
unchecked
|
| 6.7
|
Remote working
|
unchecked
|
| 6.8
|
Information security event reporting
|
unchecked
|
| 7
|
Physical controls
|
|
| 7.1
|
Physical security perimeter
|
unchecked
|
| 7.2
|
Physical entry controls
|
unchecked
|
| 7.3
|
Securing offices, rooms and facilities
|
unchecked
|
| 7.4
|
Physical security monitoring
|
unchecked
|
| 7.5
|
Protecting against physical and environmental threats
|
unchecked
|
| 7.6
|
Working in secure areas
|
unchecked
|
| 7.7
|
Clear desk and clear screen
|
unchecked
|
| 7.8
|
Equipment siting and protection
|
unchecked
|
| 7.9
|
Security of assets off-premises
|
unchecked
|
| 7.10
|
Storage media
|
unchecked
|
| 7.11
|
Supporting utilities
|
unchecked
|
| 7.12
|
Cabling security
|
unchecked
|
| 7.13
|
Equipment maintenance
|
unchecked
|
| 7.14
|
Secure disposal or re-use of equipment
|
unchecked
|
| 8
|
Technological controls
|
|
| 8.1
|
User endpoint devices
|
unchecked
|
| 8.2
|
Privileged access rights
|
unchecked
|
| 8.3
|
Information access restriction
|
unchecked
|
| 8.4
|
Access to source code
|
unchecked
|
| 8.5
|
Secure authentication
|
unchecked
|
| 8.6
|
Capacity management
|
unchecked
|
| 8.7
|
Protection against malware
|
unchecked
|
| 8.8
|
Management of technical vulnerabilities
|
unchecked
|
| 8.9
|
Configuration management
|
unchecked
|
| 8.10
|
Information deletion
|
unchecked
|
| 8.11
|
Data masking
|
unchecked
|
| 8.12
|
Data leakage prevention
|
unchecked
|
| 8.13
|
Information backup
|
unchecked
|
| 8.14
|
Redundancy of information processing facilities
|
unchecked
|
| 8.15
|
Logging
|
unchecked
|
| 8.16
|
Monitoring activities
|
unchecked
|
| 8.17
|
Clock synchronization
|
unchecked
|
| 8.18
|
Use of privileged utility programs
|
unchecked
|
| 8.19
|
Installation of software on operational systems
|
unchecked
|
| 8.20
|
Network controls
|
unchecked
|
| 8.21
|
Security of network services
|
unchecked
|
| 8.22
|
Segregation in networks
|
unchecked
|
| 8.23
|
Web filtering
|
unchecked
|
| 8.24
|
Use of cryptography
|
unchecked
|
| 8.25
|
Secure development lifecycle
|
unchecked
|
| 8.26
|
Application security requirements
|
unchecked
|
| 8.27
|
Secure system architecture and engineering principles
|
unchecked
|
| 8.28
|
Secure coding
|
unchecked
|
| 8.29
|
Security testing in development and acceptance
|
unchecked
|
| 8.30
|
Outsourced development
|
unchecked
|
| 8.31
|
Separation of development, test and production environments
|
unchecked
|
| 8.32
|
Change management
|
unchecked
|
| 8.33
|
Test information
|
unchecked
|
| 8.34
|
Protection of information systems during audit and testing
|
unchecked
|
