1. 4 Risk Assessment and Treatment
1.1. 4.1 Assessing security risks
1.2. 4.2 Treating security risks
2. 6 Organization of Information Security
2.1. 6.1 Internal organization
2.1.1. 6.1.1 Management commitment to information security
2.1.2. 6.1.2 Information security co-ordination
2.1.3. 6.1.3 Allocation of information security responsibilities
2.1.4. 6.1.4 Authorization process for information processing facilities
2.1.5. 6.1.5 Confidentiality agreements
2.1.6. 6.1.6 Contact with authorities
2.1.7. 6.1.7 Contact with special interest groups
2.1.8. 6.1.8 Independent review of information security
2.2. 6.2 External parties
2.2.1. 6.2.1 Identification of risks related to external parties
2.2.2. 6.2.2 Addressing security when dealing with customers
2.2.3. 6.2.3 Addressing security in third party agreements
3. 8 Human Resources Security
3.1. 8.1 Prior to employment
3.1.1. 8.1.1 Roles and responsibilities
3.1.2. 8.1.2 Screening
3.1.3. 8.1.3 Terms and conditions of employment
3.2. 8.2 During employment
3.2.1. 8.2.1 Management responsibilities
3.2.2. 8.2.2 Information security awareness, education, and training
3.2.3. 8.2.3 Disciplinary process
3.3. 8.3 Termination or change of employment
3.3.1. 8.3.1 Termination responsibilities
3.3.2. 8.3.2 Return of assets
3.3.3. 8.3.3 Removal of access rights
4. 10 Communications and Operations Management
4.1. 10.1 Operational procedures and responsibilities
4.1.1. 10.1.1 Documented operating procedures
4.1.2. 10.1.2 Change management
4.1.3. 10.1.3 Segregation of duties
4.1.4. 10.1.4 Separation of development, test, and operational facilities
4.2. 10.2 Third party service delivery management
4.2.1. 10.2.1 Service delivery
4.2.2. 10.2.2 Monitoring and review of third party services
4.2.3. 10.2.3 Managing changes to third party services
4.3. 10.3 System planning and acceptance
4.3.1. 10.3.1 Capacity management
4.3.2. 10.3.2 System acceptance
4.4. 10.4 Protection against malicious and mobile code
4.4.1. 10.4.1 Controls against malicious code
4.4.2. 10.4.2 Controls against mobile code
4.5. 10.5 Back-up
4.5.1. 10.5.1 Information back-up
4.6. 10.6 Network security management
4.6.1. 10.6.1 Network controls
4.6.2. 10.6.2 Security of network services
4.7. 10.7 Media handling
4.7.1. 10.7.1 Management of removable media
4.7.2. 10.7.2 Disposal of media
4.7.3. 10.7.3 Information handling procedures
4.7.4. 10.7.4 Security of system documentation
4.8. 10.8 Exchange of information
4.8.1. 10.8.1 Information exchange policies and procedures
4.8.2. 10.8.2 Exchange agreements
4.8.3. 10.8.3 Physical media in transit
4.8.4. 10.8.4 Electronic messaging
4.8.5. 10.8.5 Business information systems
4.9. 10.9 Electronic commerce services
4.9.1. 10.9.1 Electronic commerce
4.9.2. 10.9.2 On-line transactions
4.9.3. 10.9.3 Publicly available information
4.10. 10.10 Monitoring
4.10.1. 10.10.1 Audit logging
4.10.2. 10.10.2 Monitoring system use
4.10.3. 10.10.3 Protection of log information
4.10.4. 10.10.4 Administrator and operator logs
4.10.5. 10.10.5 Fault logging
4.10.6. 10.10.6 Clock synchronization
5. 12 Information Systems Acquisition, Development and Maintenance
5.1. 12.1 Security requirements of information systems
5.1.1. 12.1.1 Security requirements analysis and specification
5.2. 12.2 Correct processing in applications
5.2.1. 12.2.1 Input data validation
5.2.2. 12.2.2 Control of internal processing
5.2.3. 12.2.3 Message integrity
5.2.4. 12.2.4 Output data validation
5.3. 12.3 Cryptographic Controls
5.3.1. 12.3.1 Policy on the use of cryptographic controls
5.3.2. 12.3.2 Key management
5.4. 12.4 Security of system files
5.4.1. 12.4.1 Control of operational software
5.4.2. 12.4.2 Protection of system test data
5.4.3. 12.4.3 Access control to program source code
5.5. 12.5 Security in development and support processes
5.5.1. 12.5.1 Change control procedures
5.5.2. 12.5.2 Technical review of applications after operating system change
5.5.3. 12.5.3 Restrictions on changes to software packages
5.5.4. 12.5.4 Information leakage
5.5.5. 12.5.5 Outsourced software development
5.6. 12.6 Technical Vulnerability Management
5.6.1. 12.6.1 Control of technical vulnerabilities
6. 14 Business Continuity Management
6.1. 14.1 Information security aspects of business continuity management
6.1.1. 14.1.1 Including information security in the business continuity management process.
6.1.2. 14.1.2 Business continuity and risk assessment
6.1.3. 14.1.3 Developing and implementing continuity plans including information security
6.1.4. 14.1.4 Business continuity planning framework
6.1.5. 14.1.5 Testing, maintaining and re-assessing business continuity plans
7. 5 Security Policy
7.1. 5.1 Information security policy
7.1.1. 5.1.1 Information security policy document
7.1.2. 5.1.2 Review of the information security policy
8. 7 Asset Management
8.1. 7.1 Responsibility for assets
8.1.1. 7.1.1 Inventory of assets
8.1.2. 7.1.2 Ownership of assets
8.1.3. 7.1.3 Acceptable use of assets
8.2. 7.2 Information Classification
8.2.1. 7.2.1 Classification guidelines
8.2.2. 7.2.2 Information labeling and handling
9. 9 Physical and Environmental Security
9.1. 9.1 Secure areas
9.1.1. 9.1.1 Physical security perimeter
9.1.2. 9.1.2 Physical entry controls
9.1.3. 9.1.3 Securing offices, rooms, and facilities
9.1.4. 9.1.4 Protecting against external and environmental threats
9.1.5. 9.1.5 Working in secure areas
9.1.6. 9.1.6 Public access, delivery, and loading areas
9.2. 9.2 Equipment security
9.2.1. 9.2.1 Equipment siting and protection
9.2.2. 9.2.2 Supporting utilities
9.2.3. 9.2.3 Cabling security
9.2.4. 9.2.4 Equipment maintenance
9.2.5. 9.2.5 Security of equipment off-premises
9.2.6. 9.2.6 Secure disposal or re-use of equipment
9.2.7. 9.2.7 Removal of property
10. 11 Access Control
10.1. 11.1 Business requirement for access control
10.1.1. 11.1.1 Access control policy
10.2. 11.2 User access management
10.2.1. 11.2.1 User registration
10.2.2. 11.2.2 Privilege management
10.2.3. 11.2.3 User password management
10.2.4. 11.2.4 Review of user access rights
10.3. 11.3 User responsibilities
10.3.1. 11.3.1 Password use
10.3.2. 11.3.2 Unattended user equipment
10.3.3. 11.3.3 Clear desk and clear screen policy
10.4. 11.4 Network access control
10.4.1. 11.4.1 Policy on use of network services
10.4.2. 11.4.2 User authentication for external connections
10.4.3. 11.4.3 Equipment identification in networks
10.4.4. 11.4.4 Remote diagnostic and configuration port protection
10.4.5. 11.4.5 Segregation in networks
10.4.6. 11.4.6 Network connection control
10.4.7. 11.4.7 Network routing control
10.5. 11.5 Operating system access control
10.5.1. 11.5.1 Secure log-on procedures
10.5.2. 11.5.2 User identification and authentication
10.5.3. 11.5.3 Password management system
10.5.4. 11.5.4 Use of system utilities
10.5.5. 11.5.5 Session time-out
10.5.6. 11.5.6 Limitation of connection time
10.6. 11.6 Application and information access control
10.6.1. 11.6.1 Information access restriction
10.6.2. 11.6.2 Sensitive system isolation
10.7. 11.7 Mobile computing and teleworking
10.7.1. 11.7.1 Mobile computing and communications
10.7.2. 11.7.2 Teleworking
11. 13 Information Security Incident Management
11.1. 13.1 Reporting information security events and weaknesses
11.1.1. 13.1.1 Reporting information security events
11.1.2. 13.1.2 Reporting security weaknesses
11.2. 13.2 Management of information security incidents and improvements
11.2.1. 13.2.1 Responsibilities and procedures
11.2.2. 13.2.2 Learning from information security incidents
11.2.3. 13.2.3 Collection of evidence
12. 15 Compliance
12.1. 15.1 Compliance with legal requirements
12.1.1. 15.1.1 Identification of applicable legislation
12.1.2. 15.1.2 Intellectual property rights (IPR)
12.1.3. 15.1.3 Protection of organizational records
12.1.4. 15.1.4 Data protection and privacy of personal information
12.1.5. 15.1.5 Prevention of misuse of information processing facilities
12.1.6. 15.1.6 Regulation of cryptographic controls
12.2. 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE
12.2.1. 15.2.1 Compliance with security policies and standards
12.2.2. 15.2.2 Technical compliance checking
12.3. 15.3 INFORMATION SYSTEMS AUDIT CONSIDERATIONS
12.3.1. 15.3.1 Information systems audit controls
12.3.2. 15.3.2 Protection of information systems audit tools