ISO IEC 27002 (17799)

5. Security Policy Management

5.1 Establish a comprehensive information security policy

5.1.1 Develop an information security policy document

5.1.2 Review your information security policy

ISO IEC 27002 (17799)

6. Corporate Security Management

6.1 Establish an internal
security organization

6.1.1 Make an active commitment to information security

6.1.2 Coordinate information security implementation

6.1.3 Allocate information security responsibilities

6.1.4 Establish an authorization process for new facilities

6.1.5 Use confidentiality agreements to protect information

6.1.6 Maintain relationships with other organizations

6.1.7 Maintain relationships with special interest groups

6.1.8 Perform independent information system reviews

6.2 Control external party
use of your information

6.2.1 Identify risks related to the use of external parties

6.2.2 Address security before customers are given access

6.2.3 Address security using third party agreements

ISO IEC 27002 (17799)

7. Organizational Asset Management

7.1 Establish responsibility for
your organization’s assets

7.1.1 Compile an inventory of organizational assets

7.1.2 Select owners for your information and assets

7.1.3 Establish acceptable use rules for information and assets

7.2 Use an information
classification system

7.2.1 Develop information classification guidelines

7.2.2 Use information handling and labeling procedures

ISO IEC 27002 (17799)

8. Human Resource Security Management

8.1 Emphasize security
prior to employment

8.1.1 Define your security roles and responsibilities

8.1.2 Verify the backgrounds of all new personnel

8.1.3 Use contracts to protect your organization’s information

8.2 Emphasize security
during employment

8.2.1 Expect your managers to emphasize security

8.2.2 Deliver information security training programs

8.2.3 Set up a disciplinary process for security breaches

8.3 Emphasize security at termination of employment

8.3.1 Assign responsibility for termination or reassignment

8.3.2 Make sure that assets are returned at termination

8.3.3 Remove information access rights at termination

ISO IEC 27002 (17799)

9. Physical and Environmental Security Management

9.1 Use security areas
to protect facilities

9.1.1 Use physical security perimeters to protect areas

9.1.2 Use physical entry controls to protect secure areas

9.1.3 Secure your organization’s offices, rooms, and facilities

9.1.4 Protect your facilities from natural and human threats

9.1.5 Use work guidelines to protect secure areas

9.1.6 Isolate and control public access points

9.2 Protect your equipment

9.2.1 Use equipment siting and protection strategies

9.2.2 Make sure that supporting utilities are reliable

9.2.3 Secure power and telecommunications cables

9.2.4 Maintain your organization’s equipment

9.2.5 Protect your organization’s off‑site equipment

9.2.6 Control equipment disposal and re‑use

9.2.7 Control the use of assets off‑site

ISO IEC 27002 (17799)

10. Communications and Operations Management

10.1 Establish procedures
and responsibilities

10.1.1 Document your operating procedures

10.1.2 Control changes to facilities and systems

10.1.3 Segregate duties and responsibilities

10.1.4 Separate development and operations

10.2 Control third
party service delivery

10.2.1 Manage third party service agreements

10.2.2 Monitor third party service delivery

10.2.3 Control changes to third party services

10.3 Carry out future
system planning activities

10.3.1 Monitor usage and carry out capacity planning

10.3.2 Use acceptance criteria to test your systems

10.4 Protect against
malicious & mobile code

10.4.1 Establish controls to handle malicious code

10.4.2 Control the use of mobile code

10.5 Establish
backup procedures

10.5.1 Backup your information and software

10.6 Protect
computer networks

10.6.1 Establish network security controls

10.6.2 Control network service providers

10.7 Control how
media are handled

10.7.1 Manage your organization’s removable media

10.7.2 Manage the disposal of your organization’s media

10.7.3 Control information handling and storage

10.7.4 Protect your system documentation

10.8 Protect exchange
of information

10.8.1 Establish information exchange policies and procedures

10.8.2 Establish information and software exchange agreements

10.8.3 Safeguard the transportation of physical media

10.8.4 Protect electronic messaging and messages

10.8.5 Protect interconnected business information systems

10.9 Protect electronic
commerce services

10.9.1 Protect information involved in ecommerce

10.9.2 Protect on‑line transaction information

10.9.3 Protect information available on public systems

10.10 Monitor information processing facilities

10.10.1 Establish and maintain audit logs

10.10.2 Monitor information processing facilities

10.10.3 Protect logging facilities and log information

10.10.4 Log system administrator and operator activities

10.10.5 Log information processing and communication faults

10.10.6 Synchronize your system clocks

ISO IEC 27002 (17799)

11. Information Access Control Management

11.1 Control access
to information

11.1.1 Develop a policy to control access to information

11.2 Manage user
access rights

11.2.1 Establish a user access control procedure

11.2.2 Control the management of system privileges

11.2.3 Establish a process to manage passwords

11.2.4 Review user access rights and privileges

11.3 Encourage good
access practices

11.3.1 Expect users to protect their passwords

11.3.2 Expect users to protect their equipment

11.3.3 Establish a clear‑desk and clear‑screen policy

11.4 Control access
to networked services

11.4.1 Formulate a policy on the use of networks

11.4.2 Authenticate remote user connections

11.4.3 Use automatic equipment identification methods

11.4.4 Control access to diagnostic and configuration ports

11.4.5 Use segregation methods to protect your networks

11.4.6 Restrict connection to shared networks

11.4.7 Establish network routing controls

11.5 Control access
to operating systems

11.5.1 Establish secure log‑on procedures

11.5.2 Identify and authenticate all users

11.5.3 Establish a password management system

11.5.4 Control the use of all system utilities

11.5.5 Use session time‑outs to protect information

11.5.6 Restrict connection times in high‑risk areas

11.6 Control access to
applications and information

11.6.1 Restrict access by users and support personnel

11.6.2 Isolate sensitive application systems

11.7 Protect mobile and teleworking facilities

11.7.1 Protect mobile computing and communications

11.7.2 Protect and control teleworking activities

ISO IEC 27002 (17799)

12. Information Systems Security Management

12.1 Identify information
system security requirements

12.1.1 Identify security controls and requirements

12.2 Make sure applications
process information correctly

12.2.1 Validate data input into your applications

12.2.2 Use validation checks to control processing

12.2.3 Protect message integrity and authenticity

12.2.4 Validate your applications’ output data

12.3 Use cryptographic controls
to protect your information

12.3.1 Implement a policy on the use of cryptographic controls

12.3.2 Establish a secure key management system

12.4 Protect and control your organization’s system files

12.4.1 Control the installation of operational software

12.4.2 Control the use of system data for testing

12.4.3 Control access to program source code

12.5 Control development
and support processes

12.5.1 Establish formal change control procedures

12.5.2 Review applications after operating system changes

12.5.3 Restrict changes to software packages

12.5.4 Prevent information leakage opportunities

12.5.5 Control outsourced software development

12.6 Establish technical vulnerability management

12.6.1 Control your technical system vulnerabilities

ISO IEC 27002 (17799)

13. Information Security Incident Management <<< SAMPLE pdf

13.1 Report information security events and weaknesses

13.1.1 Report information security events as quickly as possible

13.1.2 Report security weaknesses in systems and services

13.2 Manage information security incidents and improvements

13.2.1 Establish incident response responsibilities and procedures

13.2.2 Learn from your information security incidents

13.2.3 Collect evidence to support your actions

ISO IEC 27002 (17799)

14. Business Continuity Management

14.1 Use continuity management
to protect your information

14.1.1 Establish a business continuity process for information

14.1.2 Identify the events that could interrupt your business

14.1.3 Develop and implement your business continuity plans

14.1.4 Establish a business continuity planning framework

14.1.5 Test and update your business continuity plans

ISO IEC 27002 (17799)

15. Compliance Management

15.1 Comply with
legal requirements

15.1.1 Identify all relevant legal requirements

15.1.2 Respect intellectual property rights (IPR)

15.1.3 Protect your organization’s records

15.1.4 Protect the privacy of personal information

15.1.5 Prevent misuse of data processing facilities

15.1.6 Control the use of cryptographic controls

15.2 Perform security
compliance reviews

15.2.1 Review compliance with security policies and standards

15.2.2 Review technical security compliance

15.3 Carry out controlled information system audits

15.3.1 Control the audit of information systems

15.3.2 Protect information system audit tools

ISO IEC 27002 (17799)