Annex A clause / subclause | Control | IASME question(s) | IASME Governance Standard section (listed against the clause) | Notes
--- | --- | --- | --- | ---
A.5 Information security policies; A.5.1 Management direction for information security policies | A.5.1.1 Policies for information security | B6.1, B6.3, B6.6 - B6.20 | 7.1 Policy realisation |
A.5.1 Management direction for information security policies | A.5.1.2 Review of the policies for information security | B6.2, B6.4, B6.5 | |
A.6 Organization of information security; A.6.1 Internal organisation | A.6.1.1 Roles and responsibilities | A2.10, B1.1, B1.3, B2.3, B5.3, B5.5, B5.6, A7.5, B12.7, A7.4, B8.5 | 6.1 Planning; 6.2 Organisation; 6.5 Legal and regulatory landscape; 7.3 Secure business operations; 9.2 Incident management |
A.6.1 Internal organisation | A.6.1.3 Contact with authorities | B6.21 - B6.24, B12.5 | | Contact with authorities is not the subject of specific questions. However, Sections 6.5 Legal and regulatory landscape and 9.2 Incident management of the IASME Governance Standard include reference to the business's relationship with authorities.
A.6.1 Internal organisation | A.6.1.4 Contact with special interest groups | | |
A.6 Organization of information security | A.6.2.1 Mobile device policy | B1.1 - B1.4, B8.2 - B8.4, B2.5, B6.16, A5.1 - A5.3, A8.1, B12.2 | |
| A.7.2.3 Disciplinary process | | | A disciplinary process is implied by the question.
A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | B5.8 | |
| A.8.2.3 Handling of assets | B2.6, B2.8 | |
A.9 Access control | A.9.2.1 User registration and de-registration | A7.1, A7.2, A7.3, A7.4, B6.9, A7.5 | 6.2 Organisation; 6.6 People; 7.1 Policy realisation; 7.3 Secure business operations; 7.4 Access control |
A.9 Access control | A.9.2.3 Management of privileged access rights | A7.4 | |
A.9 Access control | A.9.2.5 Review of user access rights | A7.9, B6.9 | |
A.9.4 System and application access control | A.9.4.3 Password management system | B6.9, A5.9, A7.1, A7.2, B7.1, B7.5 | |
| A.11.2 Equipment | B6.10, B8.2 | |
A.12 Operations security; A.12.2 Protection from malware | A.12.2.1 Controls against malware | A8.1 - A8.6 | 7.3 Secure business operations |
A.12.3 Backup | A.12.3.1 Information backup | B11.1 - B11.3 | |
A.12.5 Control of operational software | A.12.5.1 Installation of software on operational systems | A7.4, A7.6, B8.3, B8.4 | |
A.14 System acquisition, development and maintenance; A.14.2 Security in development and support processes | A.14.2.4 Restrictions on changes to software packages | B8.4 | 6.3 Assets; 7.1 Policy realisation |
A.14.2 Security in development and support processes | A.14.2.5 Secure system engineering principles; A.14.2.6 Secure development environment; A.14.2.7 Outsourced development; A.14.2.8 System security testing | | | Information security aspects of software development are not covered specifically by IASME questions.
| A.16.1.1 Responsibilities and procedures | B12.3, B12.7, B12.8 | |
A.18 Compliance | A.18.1.3 Protection of records | B4.1, B6.17, B10.4 | 6.5 Legal and regulatory landscape; 7.1 Policy realisation; 7.2 Physical and environmental protection |
A.18 Compliance | A.18.1.5 Regulation of cryptographic controls | B6.21, B6.22 | | Although cryptographic controls are not specifically mentioned in this context, the IASME Governance Standard expects the business to identify, and comply with, any legislation and regulatory requirements placed on it, including cryptographic controls.