ISO27k_Controls_cross_check.xls


Description

ISO/IEC 27002. Contributed to the ISO27k Toolkit by Marty Carter, with formatting mods and this page added by Gary Hinson.

The 'control cross check' spreadsheet characterises or classifies the controls recommended by ISO/IEC 27002 according to type. In this classification, controls are:

- Deterrent: the control reduces the threat, deterring hackers from attacking a given system, for example;
- Avoidance: the control reduces the impact, or avoids the situation presenting a risk;
- Prevention: the control reduces the vulnerability; most security controls act in this way;
- Detection: the control helps identify an event or incident as soon as possible, generally triggering reactive measures;
- Reaction: the control helps minimise the impact of incidents by prompt reaction;
- Recovery: the control helps minimise the impact of incidents by aiding the restoration of normality, or at least a fallback ser...

While the objectives are primarily to ensure confidentiality, integrity or availability of information assets, often more than o...

Control Cross Check

ISO/IEC 27002

Columns: Control
Type: Deter / Avoid / Prevent / Detect / React / Recover
Primary objective: Confidentiality / Integrity / Availability

Section 5 Security policy
  5.1 Information security policy
    5.1.1 Information security policy document
    5.1.2 Review of the information security policy

Section 6 Organization of information security
  6.1 Internal organization
    6.1.1 Management commitment to information security
    6.1.2 Information security coordination
    6.1.3 Allocation of information security responsibilities
    6.1.4 Authorization process for information processing facilities
    6.1.5 Confidentiality agreements
    6.1.6 Contact with authorities
    6.1.7 Contact with special interest groups
    6.1.8 Independent review of information security
  6.2 External parties
    6.2.1 Identification of risks related to external parties
    6.2.2 Addressing security when dealing with customers
    6.2.3 Addressing security in third party agreements

Section 7 Asset management
  7.1 Responsibility for assets
    7.1.1 Inventory of assets
    7.1.2 Ownership of assets
    7.1.3 Acceptable use of assets
  7.2 Information classification
    7.2.1 Classification guidelines
    7.2.2 Information labelling and handling

Section 8 Human resources security
  8.1 Prior to employment
    8.1.1 Roles and responsibilities
    8.1.2 Screening
    8.1.3 Terms and conditions of employment
  8.2 During employment
    8.2.1 Management responsibilities
    8.2.2 Information security awareness, education and training
    8.2.3 Disciplinary process
  8.3 Termination or change of employment
    8.3.1 Termination responsibilities
    8.3.2 Return of assets
    8.3.3 Removal of access rights

Section 9 Physical and environmental security
  9.1 Secure areas
    9.1.1 Physical security perimeter
    9.1.2 Physical entry controls
    9.1.3 Securing offices, rooms and facilities
    9.1.4 Protecting against external and environmental attacks
    9.1.5 Working in secure areas
    9.1.6 Public access, delivery and loading areas
  9.2 Equipment security
    9.2.1 Equipment siting and protection
    9.2.2 Supporting utilities
    9.2.3 Cabling security
    9.2.4 Equipment maintenance
    9.2.5 Security of equipment off-premises
    9.2.6 Secure disposal or reuse of equipment
    9.2.7 Removal of property

Section 10 Communications and operations management
  10.1 Operational procedures and responsibilities
    10.1.1 Documented operating procedures
    10.1.2 Change management
    10.1.3 Segregation of duties
    10.1.4 Separation of development, test and operational facilities
  10.2 Third party service delivery management
    10.2.1 Service delivery
    10.2.2 Monitoring and review of third party services
    10.2.3 Managing changes to third party services
  10.3 System planning and acceptance
    10.3.1 Capacity management
    10.3.2 System acceptance
  10.4 Protection against malicious and mobile code
    10.4.1 Controls against malicious code
    10.4.2 Controls against mobile code
  10.5 Back-up
    10.5.1 Information back-up
  10.6 Network security management
    10.6.1 Network controls
    10.6.2 Security of network services
  10.7 Media handling
    10.7.1 Management of removable media
    10.7.2 Disposal of media
    10.7.3 Information handling procedures
    10.7.4 Security of system documentation
  10.8 Exchange of information
    10.8.1 Information exchange policies and procedures
    10.8.2 Exchange agreements
    10.8.3 Physical media in transit
    10.8.4 Electronic messaging
    10.8.5 Business information systems
  10.9 E-commerce services
    10.9.1 Electronic commerce
    10.9.2 Online transactions
    10.9.3 Publicly available information
  10.10 Monitoring
    10.10.1 Audit logging
    10.10.2 Monitoring system use
    10.10.3 Protection of log information
    10.10.4 Administrator and operator logs
    10.10.5 Fault logging
    10.10.6 Clock synchronisation

Section 11 Access control
  11.1 Business requirements for access control
    11.1.1 Access control policy
  11.2 User access management
    11.2.1 User registration
    11.2.2 Privilege management
    11.2.3 User password management
    11.2.4 Review of user access rights
  11.3 User responsibilities
    11.3.1 Password use
    11.3.2 Unattended user equipment
    11.3.3 Clear desk and clear screen policy
  11.4 Network access control
    11.4.1 Policy on use of network services
    11.4.2 User authentication for external connections
    11.4.3 Equipment identification in networks
    11.4.4 Remote diagnostic and configuration port protection
    11.4.5 Segregation in networks
    11.4.6 Network connection control
    11.4.7 Network routing control
  11.5 Operating system access control
    11.5.1 Secure logon procedures
    11.5.2 User identification and authentication
    11.5.3 Password management system
    11.5.4 Use of system utilities
    11.5.5 Session timeout
    11.5.6 Limitation of connection time
  11.6 Application and information access control
    11.6.1 Information access restriction
    11.6.2 Sensitive system isolation
  11.7 Mobile computing and teleworking
    11.7.1 Mobile computing and communications
    11.7.2 Teleworking

Section 12 Information systems acquisition, development and maintenance
  12.1 Security requirements of information systems
    12.1.1 Security requirements analysis and specification
  12.2 Correct processing in applications
    12.2.1 Input data validation
    12.2.2 Control of internal processing
    12.2.3 Message integrity
    12.2.4 Output data validation
  12.3 Cryptographic controls
    12.3.1 Policy on the use of cryptographic controls
    12.3.2 Key management
  12.4 Security of system files
    12.4.1 Control of operational software
    12.4.2 Protection of system test data
    12.4.3 Access control to program source code
  12.5 Security in development and support processes
    12.5.1 Change control procedures
    12.5.2 Technical review of applications after operating system changes
    12.5.3 Restrictions on changes to software packages
    12.5.4 Information leakage
    12.5.5 Outsourced software development
  12.6 Technical vulnerability management
    12.6.1 Control of technical vulnerabilities

Section 13 Information security incident management
  13.1 Reporting information security events and weaknesses
    13.1.1 Reporting information security events
    13.1.2 Reporting weaknesses
  13.2 Management of information security incidents and improvements
    13.2.1 Responsibilities and procedures
    13.2.2 Learning from information security incidents
    13.2.3 Collection of evidence

Section 14 Business continuity management
  14.1 Information security aspects of business continuity management
    14.1.1 Including information security in the business continuity management process
    14.1.2 Business continuity and risk assessment
    14.1.3 Developing and implementing continuity plans including information security
    14.1.4 Business continuity planning framework
    14.1.5 Testing, maintaining and reassessing business continuity plans

Section 15 Compliance
  15.1 Compliance with legal requirements
    15.1.1 Identification of applicable legislation
    15.1.2 Intellectual Property Rights (IPR)
    15.1.3 Protection of organisational records
    15.1.4 Data protection and privacy of personal information
    15.1.5 Prevention of misuse of information processing facilities
    15.1.6 Regulation of cryptographic controls
  15.2 Compliance with security policies and standards, and technical compliance
    15.2.1 Compliance with security policies and standards
    15.2.2 Technical compliance checking
  15.3 Information systems audit considerations
    15.3.1 Information systems audit controls
    15.3.2 Protection of information system audit tools
Copyright ©2017 KUPDF Inc.