
Warning

This document is in draft form and is released as a "Public Beta" to solicit feedback from security
practitioners and managers.
There may be errors and omissions within this document that are awaiting correction.
Any use of this document must be done with the acknowledgement that these errors may exist and
that the data it contains will not be viewed as final or definitive.

Security Controls info@halkynconsulting.co.uk

ISO 27001 Controls Mapped to SPF
Mandatory Requirements

Outline
This document provides an outline mapping between the controls outlined in Annexe A to ISO
27001 and the Mandatory Requirements of the UK Government Security Policy Framework.
It is suggested that this be used to review existing, documented, security controls to assess
cross-standard compliance.
Where there are no existing controls this document can be used to determine the level of detail
required to cover both ISO27001 controls and meet UK Government regulations.

NOTICE

This document does not, and can not, replace the advice given by a security professional with
detailed knowledge of your circumstance and is only provided to assist with determining
compliance requirements.
The relationship between SPF Mandatory Requirements and ISO27001 controls is presented here
as a guideline only and may be modified by either the scope of applicability given under
ISO27001 and the completeness of controls developed to comply with the SPF.

Document Control

Version: 0.8
Status: Draft
Author: T Wake
Modified: 25-Jan-12
Reference Documents: ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements; HMG Security Policy Framework Version 7 (October 2011)

Halkyn Consulting is an independent security consultancy with experience in delivering a wide
range of security solutions to clients across the globe. We are experienced in assisting in the
development of cost-effective, timely security controls with organisations of all sizes from large
multinationals and government agencies to small businesses and not-for-profit organisations.
As a fully independent consultancy, we are free to offer our clients the best possible advice from
a range of vendors and will always strive to deliver the highest value possible.
If you want to find out more about how we can help you achieve your security goals, then visit us
at http://www.halkynconsulting.co.uk/ or email info@halkynconsulting.co.uk.

Page 2 of 45 www.halkynconsulting.co.uk


Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk

Control Count 133

ISO27001 Ref  Section/Title  ISO27001 Control

5.1 Information security policy

5.1.1 Information security policy document: An information security policy document shall be approved by management and published and communicated to all employees and relevant external parties.

5.1.2 Review of the information security policy: The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

6.1 Internal organization

6.1.1 Management commitment to information security: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

6.1.2 Information security co-ordination: Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

6.1.3 Allocation of information security responsibilities: All information security responsibilities shall be clearly defined.

6.1.4 Authorization process for information processing facilities: A management authorization process for new information processing facilities shall be defined and implemented.

6.1.5 Confidentiality agreements: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.

6.1.6 Contact with authorities: Appropriate contacts with relevant authorities shall be maintained.

6.1.7 Contact with special interest groups: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

6.1.8 Independent review of information security: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

6.2 External parties

6.2.1 Identification of risks related to external parties: The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

6.2.2 Addressing security when dealing with customers: All identified security requirements shall be addressed before giving customers access to the organization's information or assets.

6.2.3 Addressing security in third party agreements: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

7.1 Responsibility for assets

7.1.1 Inventory of assets: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

7.1.2 Ownership of assets: All information and assets associated with information processing facilities shall be 'owned' by a designated part of the organization.

7.1.3 Acceptable use of assets: Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

7.2 Information classification

7.2.1 Classification guidelines: Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

7.2.2 Information labeling and handling: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.

8.1 Prior to employment

8.1.1 Roles and responsibilities: Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.

8.1.2 Screening: Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

8.1.3 Terms and conditions of employment: As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.

8.2 During employment

8.2.1 Management responsibilities: Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

8.2.2 Information security awareness, education and training: All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

8.2.3 Disciplinary process: There shall be a formal disciplinary process for employees who have committed a security breach.

8.3 Termination or change of employment

8.3.1 Termination responsibilities: Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

8.3.2 Return of assets: All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.

8.3.3 Removal of access rights: The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

9.1 Secure areas

9.1.1 Physical security perimeter: Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.

9.1.2 Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

9.1.3 Securing offices, rooms and facilities: Physical security for offices, rooms, and facilities shall be designed and applied.

9.1.4 Protecting against external and environmental threats: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.

9.1.5 Working in secure areas: Physical protection and guidelines for working in secure areas shall be designed and applied.

9.1.6 Public access, delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

9.2 Equipment security

9.2.1 Equipment siting and protection: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

9.2.2 Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

9.2.3 Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

9.2.4 Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity.

9.2.5 Security of equipment off-premises: Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.

9.2.6 Secure disposal or re-use of equipment: All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

9.2.7 Removal of property: Equipment, information or software shall not be taken off-site without prior authorization.

10.1 Operational procedures and responsibilities

10.1.1 Documented operating procedures: Operating procedures shall be documented, maintained, and made available to all users who need them.

10.1.2 Change management: Changes to information processing facilities and systems shall be controlled.

10.1.3 Segregation of duties: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

10.1.4 Separation of development, test and operational facilities: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.

10.2 Third party service delivery management

10.2.1 Service delivery

10.2.2 Monitoring and review of third party services: The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

10.2.3 Managing changes to third party services: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.

10.3 System planning and acceptance

10.3.1 Capacity management: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

10.3.2 System acceptance: Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.

10.4 Protection against malicious and mobile code

10.4.1 Controls against malicious code: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.

10.4.2 Controls against mobile code: Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.

10.5 Back-up

10.5.1 Information back-up: Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.

10.6 Network security management

10.6.1 Network controls: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

10.6.2 Security of network services: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

10.7 Media handling

10.7.1 Management of removable computer media: There shall be procedures in place for the management of removable media.

10.7.2 Disposal of media: Media shall be disposed of securely and safely when no longer required, using formal procedures.

10.7.3 Information handling procedures: Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse.

10.7.4 Security of system documentation: System documentation shall be protected against unauthorized access.

10.8 Exchanges of information

10.8.1 Information exchange policies and procedures: Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.

10.8.2 Exchange agreements: Agreements shall be established for the exchange of information and software between the organization and external parties.

10.8.3 Physical media in transit: Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries.

10.8.4 Electronic messaging: Information involved in electronic messaging shall be appropriately protected.

10.8.5 Business information systems: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

10.9 Electronic commerce services

10.9.1 Electronic commerce: Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

10.9.2 On-line transactions: Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

10.9.3 Publicly available systems: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.

10.10 Monitoring

10.10.1 Audit logging: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

10.10.2 Monitoring system use: Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

10.10.3 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.

10.10.4 Administrator and operator logs: System administrator and system operator activities shall be logged.

10.10.5 Fault logging: Faults shall be logged, analyzed, and appropriate action taken.

10.10.6 Clock synchronization: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.

11.1 Business requirement for access control

11.1.1 Access control policy: An access control policy shall be established, documented, and reviewed based on business and security requirements for access.

11.2 User access management

11.2.1 User registration: There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

11.2.2 Privilege management: The allocation and use of privileges shall be restricted and controlled.

11.2.3 User password management: The allocation of passwords shall be controlled through a formal management process.

11.2.4 Review of user access rights: Management shall review users' access rights at regular intervals using a formal process.

11.3 User responsibilities

11.3.1 Password use: Users shall be required to follow good security practices in the selection and use of passwords.

11.3.2 Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection.

11.3.3 Clear desk and clear screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

11.4 Network access control

11.4.1 Policy on use of network services: Users shall only be provided with access to the services that they have been specifically authorized to use.

11.4.2 User authentication for external connections: Appropriate authentication methods shall be used to control access by remote users.

11.4.3 Equipment identification in networks: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. (Applicable Standards)

11.4.4 Remote diagnostic and configuration port protection: Physical and logical access to diagnostic and configuration ports shall be controlled.

11.4.5 Segregation in networks: Groups of information services, users, and information systems shall be segregated on networks.

11.4.6 Network connection control: For shared networks, especially those extending across the organisation's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1).

11.4.7 Network routing control: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

11.5 Operating system access control

11.5.1 Secure log-on procedure: Access to operating systems shall be controlled by a secure log-on procedure.

11.5.2 User identification and authentication: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

11.5.3 Password management system: Systems for managing passwords shall be interactive and shall ensure quality passwords. (Applicable Standards)

11.5.4 Use of system utilities: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

11.5.5 Session time-out: Inactive sessions shall shut down after a defined period of inactivity.

11.5.6 Limitation of connection time: Restrictions on connection times shall be used to provide additional security for high-risk applications.

11.6 Application and information access control

11.6.1 Information access restriction: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.

11.6.2 Sensitive system isolation: Sensitive systems shall have a dedicated (isolated) computing environment.

11.7 Mobile computing and teleworking

11.7.1 Mobile computing and communications: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.

11.7.2 Teleworking: A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

12.1 Security requirements of information systems

12.1.1 Security requirements analysis and specification: Statements of business requirements for new information systems, or enhancements to existing information systems shall specify the requirements for security controls.

12.2 Correct processing in applications

12.2.1 Input data validation: Data input to applications shall be validated to ensure that this data is correct and appropriate.

12.2.2 Control on internal processing: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

12.2.3 Message integrity: Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.

12.2.4 Output data validation: Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

12.3 Cryptographic controls

12.3.1 Policy on the use of cryptographic controls: Departments must produce and implement a policy on the deployment and management of cryptographic controls in accordance with IS4.

12.3.2 Key management: Key management shall be in place to support the organisation's use of cryptographic techniques.

12.4 Security of system files

12.4.1 Control of operational software: There shall be procedures in place to control the installation of software on operational systems.

12.4.2 Protection of system test data: Test data shall be selected carefully, and protected and controlled.

12.4.3 Access control to program source code: Access to program source code shall be restricted. (Applicable Standards)

12.5 Security in development and support processes

12.5.1 Change control procedures: The implementation of changes shall be controlled by the use of formal change control procedures.

12.5.2 Technical review of applications after operating system changes: When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

12.5.3 Restrictions on changes to software packages: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

12.5.4 Information leakage: Opportunities for information leakage shall be prevented.

12.5.5 Outsourced software development: Outsourced software development shall be supervised and monitored by the organization.

12.6 Technical vulnerability management

12.6.1 Control of technical vulnerabilities: Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

13.1 Reporting information security events and weaknesses

13.1.1 Reporting information security events: Information security events shall be reported through appropriate management channels as quickly as possible.

13.1.2 Reporting security weaknesses: All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.

13.2 Management of information security incidents and improvements

13.2.1 Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

13.2.2 Learning from information security incidents: There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.

13.2.3 Collection of evidence: Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

14.1 Information security aspects of business continuity management

14.1.1 Including information security in the business continuity management process: A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organisation's business continuity.

14.1.2 Business continuity and risk assessment: Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

14.1.3 Developing and implementing continuity plans including information security: Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

14.1.4 Business continuity planning framework: A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

14.1.5 Testing, maintaining and re-assessing business continuity plans: Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.

15.1 Compliance with legal requirements

15.1.1 Identification of applicable legislation: All relevant statutory, regulatory and contractual requirements and the organisation's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

15.1.2 Intellectual property rights (IPR): Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

15.1.3 Protection of organizational records: Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

15.1.4 Data protection and privacy of personal information: Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

15.1.5 Prevention of misuse of information processing facilities: Users shall be deterred from using information processing facilities for unauthorized purposes.

15.1.6 Regulation of cryptographic controls: Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

15.2 Compliance with security policies and standards and technical compliance

15.2.1 Compliance with security policy and standards: Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.

15.2.2 Technical compliance checking: Information systems shall be regularly checked for compliance with security implementation standards.

15.3 Information systems audit considerations

15.3.1 Information systems audit controls: Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes.

15.3.2 Protection of information systems audit tools: Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.

SPF v7 Reference / Remarks

Mandatory Requirement 4
Mandatory Requirement 6
Mandatory Requirement 4
Mandatory Requirement 6
Mandatory Requirement 1
Mandatory Requirement 2
Mandatory Requirement 3
Mandatory Requirement 1
Mandatory Requirement 1
Mandatory Requirement 6
Mandatory Requirement 8
Mandatory Requirement 9
Mandatory Requirement 10
Mandatory Requirement 11
Mandatory Requirement 12
Mandatory Requirement 13

SPF v7 Reference / Remarks (continued)

Mandatory Requirement 8
Mandatory Requirement 11
Mandatory Requirement 6
Mandatory Requirement 10
Mandatory Requirement 11
Mandatory Requirement 7
Mandatory Requirement 2
Mandatory Requirement 3
Mandatory Requirement 7
Mandatory Requirement 7

co.ISO 27001 Control Mapping info@halkynconsulting.co.uk .uk SPF v7 Reference Remarks Mandatory Requirement 1 Mandatory Requirement 13 Mandatory Requirement 14 Mandatory Requirement 11 Mandatory Requirement 2 Mandatory Requirement 3 Mandatory Requirement 12 Page 19 of 45 www.Halkyn Consulting SPF .halkynconsulting.

co.uk .uk SPF v7 Reference Remarks Mandatory Requirement 18 Mandatory Requirement 18 Mandatory Requirement 17 Mandatory Requirement 18 Mandatory Requirement 18 Mandatory Requirement 18 Mandatory Requirement 17 May be included in RMADS May be included in RMADS May be included in RMADS Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Page 20 of 45 www.co.halkynconsulting.Halkyn Consulting SPF .ISO 27001 Control Mapping info@halkynconsulting.

uk SPF v7 Reference Remarks Mandatory Requirement 10 Mandatory Requirement 8 Part of RMADS Mandatory Requirement 8 Part of RMADS Mandatory Requirement 8 Part of RMADS Mandatory Requirement 11 Mandatory Requirement 11 Mandatory Requirement 11 Mandatory Requirement 8 Part of RMADS Mandatory Requirement 8 Part of RMADS Possibly covered by MR 9 if in scope.uk .ISO 27001 Control Mapping info@halkynconsulting.co. Page 21 of 45 www. GPG 7 refers.co.halkynconsulting.Halkyn Consulting SPF .

uk .co.uk SPF v7 Reference Remarks Possibly covered by MR 9 if in scope. Mandatory Requirement 9 Mandatory Requirement 8 Mandatory Requirement 9 Mandatory Requirement 8 Mandatory Requirement 7 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 7 Mandatory Requirement 7 Page 22 of 45 www. Mandatory Requirement 4 Mandatory Requirement 8 Part of RMADS.halkynconsulting.co.Halkyn Consulting SPF . GPG 7 refers.ISO 27001 Control Mapping info@halkynconsulting.

co.ISO 27001 Control Mapping info@halkynconsulting.Halkyn Consulting SPF .uk .uk SPF v7 Reference Remarks Mandatory Requirement 9 Mandatory Requirement 9 Also GPG 13 Mandatory Requirement 9 Also GPG 13 Mandatory Requirement 9 Also GPG 13 Mandatory Requirement 9 Also GPG 13 Mandatory Requirement 9 Also GPG 13 Mandatory Requirement 9 Also GPG 13 Mandatory Requirement 10 Mandatory Requirement 9 Mandatory Requirement 10 Mandatory Requirement 9 Mandatory Requirement 10 Page 23 of 45 www.halkynconsulting.co.

co.ISO 27001 Control Mapping info@halkynconsulting.Halkyn Consulting SPF .uk SPF v7 Reference Remarks Mandatory Requirement 9 Mandatory Requirement 10 Mandatory Requirement 9 Mandatory Requirement 10 Mandatory Requirement 10 Mandatory Requirement 10 Mandatory Requirement 7 Mandatory Requirement 10 Mandatory Requirement 7 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Page 24 of 45 www.uk .co.halkynconsulting.

co.halkynconsulting.uk .ISO 27001 Control Mapping info@halkynconsulting.Halkyn Consulting SPF .uk SPF v7 Reference Remarks Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 7 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Page 25 of 45 www.co.

ISO 27001 Control Mapping info@halkynconsulting.uk .halkynconsulting.uk SPF v7 Reference Remarks Mandatory Requirement 16 Mandatory Requirement 9 HMG IA Standard 4 Mandatory Requirement 9 HMG IA Standard 4 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 9 Mandatory Requirement 8 Documented in RMADS Mandatory Requirement 8 Page 26 of 45 www.co.Halkyn Consulting SPF .co.

co.uk .halkynconsulting.co.uk SPF v7 Reference Remarks Mandatory Requirement 8 Mandatory Requirement 7 Mandatory Requirement 9 Mandatory Requirement 8 Mandatory Requirement 12 Mandatory Requirement 12 Mandatory Requirement 12 Mandatory Requirement 12 Mandatory Requirement 12 Mandatory Requirement 4 Page 27 of 45 www.Halkyn Consulting SPF .ISO 27001 Control Mapping info@halkynconsulting.

halkynconsulting.Halkyn Consulting SPF .ISO 27001 Control Mapping info@halkynconsulting.uk .co.co.uk SPF v7 Reference Remarks Mandatory Requirement 4 Mandatory Requirement 4 Mandatory Requirement 4 Mandatory Requirement 4 Mandatory Requirement 6 Also HMG IA Standard 5 Mandatory Requirement 6 Also HMG IA Standard 5 Mandatory Requirement 6 Also HMG IA Standard 5 Mandatory Requirement 6 Also HMG IA Standard 5 Mandatory Requirement 6 Also HMG IA Standard 5 Mandatory Requirement 6 Also HMG IA Standard 5 Page 28 of 45 www.

Halkyn Consulting SPF .halkynconsulting.uk SPF v7 Reference Remarks Mandatory Requirement 5 Mandatory Requirement 5 Mandatory Requirement 5 Mandatory Requirement 5 Page 29 of 45 www.ISO 27001 Control Mapping info@halkynconsulting.co.co.uk .

SPF Reference | Mandatory Requirements

MR 1: Departments and Agencies must establish an appropriate security organisation (suitably staffed and trained) with clear lines of responsibility and accountability at all levels of the organisation. This must include a Board-level lead with authority to influence investment decisions and agree the organisation's overall approach to security.

MR 2: Departments and Agencies must:
* Adopt a holistic risk management approach covering all areas of protective security across their organisation.
* Develop their own security policies, tailoring the standards and guidelines set out in this framework to the particular business needs, threat profile and risk appetite of their organisation and its delivery partners.

MR 3: Departments and Agencies must ensure that all staff are aware of Departmental security policies and understand their personal responsibilities for safeguarding assets and the potential consequences of breaching security rules.

MR 4: Departments and Agencies must have robust and well tested policies, procedures and management arrangements in place to respond to, investigate and recover from security incidents or other disruptions to core business. The policies and procedures must be regularly reviewed to ensure currency.

MR 5: Departments and Agencies must have an effective system of assurance in place to satisfy their Accounting Officer / Head of Department and Management Board that the organisation's security arrangements are fit for purpose, that information risks are appropriately managed, and that any significant control weaknesses are explicitly acknowledged and regularly reviewed.

MR 6: Departments and Agencies must have an information security policy setting out how they and any delivery partners and suppliers will protect any information assets they hold, store or process (including electronic and paper formats and online services) to prevent unauthorised access, disclosure or loss.

MR 7: Departments and Agencies must ensure that information assets are valued, handled, shared and protected in line with the standards and procedures set out in the Government Protective Marking System (including any special handling arrangements) and the associated technical guidance supporting this framework.

MR 8: All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. the Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks, and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed.

MR 9: Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems.

MR 10: Departments and Agencies must implement appropriate procedural controls for all ICT (or paper-based) systems or services to prevent unauthorised access and modification, or misuse by authorised users.

MR 11: Departments and Agencies must ensure that the security arrangements among their wider family of delivery partners and third party suppliers are appropriate to the information concerned and the level of risk to the parent organisation. This must include appropriate governance and management arrangements to manage risk, monitor compliance and respond effectively to any incidents. Any site where third party suppliers manage assets at CONFIDENTIAL or above must be accredited to List X standards.

MR 12: Departments and Agencies must have clear policies and processes for reporting, managing and resolving Information Security Breaches and ICT security incidents.

MR 13: Departments must ensure that personnel security risks are effectively managed by applying rigorous recruitment controls, and a proportionate and robust personnel security regime that determines what other checks (e.g. national security vetting) and ongoing personnel security controls should be applied.

MR 14: Departments and Agencies must have in place an appropriate level of ongoing personnel security management, including formal reviews of national security vetting clearances, and arrangements for vetted staff to report changes in circumstances that might be relevant to their suitability to hold a security clearance.

MR 15: Departments must make provision for an internal appeals process for existing employees wishing to challenge National Security Vetting decisions and inform Cabinet Office Government Security Secretariat should an individual initiate a legal challenge against a National Security Vetting decision.

MR 16: Departments and Agencies must undertake regular security risk assessments for all sites in their estate and put in place appropriate physical security controls to prevent, detect and respond to security incidents. Physical security measures must be proportionate to level of threat, integrated with other protective security controls, and applied on the basis of the "defence in depth" principle.

MR 17: Departments and Agencies must implement appropriate internal security controls to ensure that critical, sensitive or protectively marked assets are protected against both surreptitious and forced attack, and are only available to those with a genuine "need to know".

MR 18: Departments and Agencies must put in place appropriate physical security controls to prevent unauthorised access to their estate, reduce the vulnerability of establishments to terrorism or other physical attacks, and facilitate a quick and effective response to security incidents. Selected controls must be proportionate to the level of threat, appropriate to the needs of the business and based on the "defence in depth" principle.

MR 19: Departments and Agencies must ensure that all establishments in their estate put in place effective and well tested arrangements to respond to physical security incidents, including appropriate contingency plans and the ability to immediately implement additional security controls following a rise in the Government Response Level.

MR 20: Departments and Agencies must be resilient in the face of physical security incidents, including terrorist attacks, applying identified security measures, and implementing incident management contingency arrangements and plans with immediate effect following a change to the Government Response Level.


HMG SPF v7 (October 2011) Mandatory Requirements by Policy

Policy | Mandatory Requirements
Policy 1 - Governance and Security Approaches | MR 1, 2, 3, 4, 5
Policy 2 - Security of Information | MR 6, 7, 8, 9, 10, 11, 12
Policy 3 - Personnel Security | MR 13, 14, 15
Policy 4 - Physical Security and Counter Terrorism | MR 16, 17, 18, 19, 20

