
ISO 27001 mapped to the IASME Governance Standard v5 and the IASME Question Set v11

Each ISO 27001 Annex A control is mapped to the IASME Question Set v11 questions that address it and to the sections of the IASME Governance Standard that cover the control objective. In the original document the question references are colour-coded: green indicates full mapping, orange indicates partial mapping, red indicates no direct correlation. Where the original places a single question reference or note against several adjacent controls, those controls are listed together in one row. "(none)" marks a control with no question reference given.

A.5 Information security policies (IASME Governance Standard: 7.1 Policy realisation)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.5.1 Management direction for information security policies | A.5.1.1 Policies for information security | B6.1, B6.3, B6.6 - B6.20 |
| | A.5.1.2 Review of the policies for information security | B6.2, B6.4, B6.5 |

A.6 Organization of information security (IASME Governance Standard: for A.6.1, 6.1 Planning, 6.2 Organisation, 6.5 Legal and regulatory landscape, 7.3 Secure business operations, 9.2 Incident management; for A.6.2, 7.1 Policy realisation, 7.3 Secure business operations)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.6.1 Internal organisation | A.6.1.1 Roles and responsibilities | A2.10, B1.1, B1.3, B2.3, B5.3, B5.5, B5.6, A7.5, B12.7 |
| | A.6.1.2 Segregation of duties | A7.4, B8.5. Segregation of duties is not covered by a specific question. However, Section 6.2 Organisation of the IASME Governance Standard requires the business to segregate work to match responsibilities. |
| | A.6.1.3 Contact with authorities | B6.21 - B6.24, B12.5 |
| | A.6.1.4 Contact with special interest groups | Contact with authorities is not the subject of specific questions. However, Sections 6.5 Legal and regulatory landscape and 9.2 Incident management of the IASME Governance Standard include reference to the business's relationship with authorities. |
| | A.6.1.5 Information security in project management | B1.1 - B1.4, B8.2 - B8.4. Project management is not subject to a question in its own right. However, Section 6.1 Planning and Section 7.3 Secure business operations of the IASME Governance Standard refer to information security in the context of system procurement and change. Information security in project management is therefore covered. |
| A.6.2 Mobile devices and teleworking | A.6.2.1 Mobile device policy | B2.5, B6.16, A5.1 - A5.3, A8.1 |
| | A.6.2.2 Teleworking | A1.7, B6.16 |

A.7 Human resource security (IASME Governance Standard: 6.6 People)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.7.1 Prior to employment | A.7.1.1 Screening | B5.1, B5.2 |
| | A.7.1.2 Terms and conditions of employment | B5.6, B6.19 |
| A.7.2 During employment | A.7.2.1 Management responsibilities | B5.3, B6.18 |
| | A.7.2.2 Information security awareness, education and training | B5.4, B5.5, B5.7 |
| | A.7.2.3 Disciplinary process | B12.2. A disciplinary process is implied by the question. |
| A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | B5.8 |

A.8 Asset management (IASME Governance Standard: 6.3 Assets, 7.1 Policy realisation)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.8.1 Responsibility for assets | A.8.1.1 Inventory of assets | B2.1, B2.2 |
| | A.8.1.2 Ownership of assets | B2.3 |
| | A.8.1.3 Acceptable use of assets | B6.12 |
| | A.8.1.4 Return of assets | B2.9 |
| A.8.2 Information classification | A.8.2.1 Classification of information | B2.6, B2.8 |
| | A.8.2.2 Labelling of information | B2.6 |
| | A.8.2.3 Handling of assets | B2.6, B2.8 |
| A.8.3 Media handling | A.8.3.1 Management of removable media | B2.4, B6.8 |
| | A.8.3.2 Disposal of media | B2.9, B6.8 |
| | A.8.3.3 Physical media transfer | B2.4 |

A.9 Access control (IASME Governance Standard: 6.2 Organisation, 6.6 People, 7.1 Policy realisation, 7.3 Secure business operations, 7.4 Access control)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.9.1 Business requirements of access control | A.9.1.1 Access control policy | B6.9 |
| | A.9.1.2 Access to networks and network services | (none) |
| A.9.2 User access management | A.9.2.1 User registration and de-registration | A7.1, A7.2, A7.3, A7.4, B6.9 |
| | A.9.2.2 User access provisioning; A.9.2.3 Management of privileged access rights | A7.5 |
| | A.9.2.4 Management of secret authentication information of users | A7.1, A7.5, A7.9, B6.9 |
| | A.9.2.5 Review of user access rights | A7.4, A7.9, B6.9 |
| | A.9.2.6 Removal or adjustment of access rights | A7.3, B6.9 |
| A.9.3 User responsibilities; A.9.4 System and application access control | A.9.3.1 Use of secret authentication information; A.9.4.1 Information access restriction | B6.9 |
| A.9.4 System and application access control | A.9.4.2 Secure log-on procedures | A7.2 |
| | A.9.4.3 Password management system | A5.9, A7.1, A7.2 |
| | A.9.4.4 Use of privileged utility programs | A7.6 |
| | A.9.4.5 Access control to program source code | A7.4 |

A.10 Cryptography (IASME Governance Standard: 7.1 Policy realisation, 7.3 Secure business operations)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic tools; A.10.1.2 Key management | There are no specific questions on these subjects. However, Section 7.1 Policy realisation and Section 7.3 Secure business operations include reference to key management and cryptographic controls. |

A.11 Physical and environmental security (IASME Governance Standard: 7.1 Policy realisation, 7.2 Physical and environmental protection, 7.3 Secure business operations)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.11.1 Secure areas | A.11.1.1 Physical security perimeter | B7.5 |
| | A.11.1.2 Physical entry controls; A.11.1.3 Securing offices, rooms and facilities | B7.1, B7.5 |
| | A.11.1.4 Protecting against external and environmental threats | B7.4 |
| | A.11.1.5 Working in secure areas; A.11.1.6 Delivery and loading areas | There are no specific questions on these subjects. However, the requirements of Section 7.2 Physical and environmental protection and Section 7.3 Secure business operations of the IASME Governance Standard implicitly cover these subjects. |
| A.11.2 Equipment | A.11.2.1 Equipment siting and protection; A.11.2.2 Supporting utilities; A.11.2.3 Cabling security; A.11.2.4 Equipment maintenance | B7.4 |
| | A.11.2.5 Removal of assets | B6.16 |
| | A.11.2.6 Security of equipment and assets off-premises | B2.5 |
| | A.11.2.7 Secure disposal or re-use of equipment | B2.9 |
| | A.11.2.8 Unattended user equipment; A.11.2.9 Clear desk and clear screen policy | B6.10 |

A.12 Operations security (IASME Governance Standard: 7.3 Secure business operations)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.12.1 Operational procedures and responsibilities | A.12.1.1 Documented operating procedures; A.12.1.2 Change management | B8.1, B8.2. NB IASME questions focus on management of information systems. Operating procedures are not specifically covered. |
| | A.12.1.3 Capacity management | B8.2. NB IASME questions do not specifically mention capacity management. However, this question would cover that aspect of operations. |
| | A.12.1.4 Separation of development, testing and operational environments | B8.5 |
| A.12.2 Protection from malware | A.12.2.1 Controls against malware | A8.1 - A8.6 |
| A.12.3 Backup | A.12.3.1 Information backup | B11.1 - B11.3 |
| A.12.4 Logging and monitoring | A.12.4.1 Event logging | B10.1 |
| | A.12.4.2 Protection of log information | B10.4 |
| | A.12.4.3 Administrator and operator logs | B10.1 |
| | A.12.4.4 Clock synchronisation | B10.3 |
| A.12.5 Control of operational software | A.12.5.1 Installation of software on operational systems | A7.4, A7.6, B8.3, B8.4 |
| A.12.6 Technical vulnerability management | A.12.6.1 Management of technical vulnerabilities | B9.1 - B9.3 |
| | A.12.6.2 Restrictions on software installation | A7.4, A7.6 |
| A.12.7 Information system audit considerations | A.12.7.1 Information systems audit controls | The subject of planning audits to minimise disruption to business processes is not covered. |

A.13 Communications security (IASME Governance Standard: 7.1 Policy realisation, 7.3 Secure business operations)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.13.1 Network security management | A.13.1.1 Network controls | B8.1 |
| | A.13.1.2 Security of network services | B8.2 |
| | A.13.1.3 Segregation in networks | B8.5 |
| A.13.2 Information transfer | A.13.2.1 Information transfer policies and procedures | B2.15, B2.16, B4.19, B6.8, B6.12 |
| | A.13.2.2 Agreements on information transfer | B6.17 |
| | A.13.2.3 Electronic messaging | These subjects are not covered by specific questions. However, the relevant policies and controls, where appropriate, would be expected in a business undergoing audit against the IASME Governance Standard. |
| | A.13.2.4 Confidentiality or non-disclosure agreements | B5.6, B5.8 |

A.14 System acquisition, development and maintenance (IASME Governance Standard: 6.3 Assets, 7.1 Policy realisation)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.14.1 Security requirements of information systems | A.14.1.1 Information security requirements analysis and specification | B8.2, B8.4 |
| | A.14.1.2 Securing application services on public networks | A5.5 - A5.9 |
| A.14.1 Security requirements of information systems; A.14.2 Security in development and support processes | A.14.1.3 Protecting application services transactions; A.14.2.1 Secure development policy; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating | Information security aspects of software development are not covered specifically by IASME questions. However, the IASME Governance Standard can readily be implemented in a software development environment as it covers basic software change management amongst other things. |
| A.14.2 Security in development and support processes | A.14.2.4 Restrictions on changes to software packages | B8.4 |
| | A.14.2.5 Secure system engineering principles; A.14.2.6 Secure development environment; A.14.2.7 Outsourced development; A.14.2.8 System security testing; A.14.2.9 System acceptance testing | Information security aspects of software development are not covered specifically by IASME questions. However, the IASME Governance Standard can readily be implemented in a software development environment as it covers basic software change management amongst other things. |
| A.14.3 Test data | A.14.3.1 Protection of test data | (none) |

A.15 Supplier relationships (IASME Governance Standard: 6.2 Organisation, 6.4 Assessing risks, 7.1 Policy realisation, 7.3 Secure business operations, 7.4 Access control)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships; A.15.1.2 Addressing security within supplier agreements | B4.17, B4.19, B6.20, B8.10, B8.11 |
| A.15.1 Information security in supplier relationships; A.15.2 Supplier service delivery management | A.15.1.3 Information and communication technology supply chain; A.15.2.1 Monitoring and review of supplier services; A.15.2.2 Managing changes to supplier services | B6.20, B8.10 |

A.16 Information security incident management (IASME Governance Standard: 7.1 Policy realisation, 8.2 Monitoring, review, and change - for healthy systems and unauthorised access, 9.2 Incident management)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.16.1 Management of information security incidents and improvements | A.16.1.1 Responsibilities and procedures | B12.3, B12.7, B12.8 |
| | A.16.1.2 Reporting information security events; A.16.1.3 Reporting information security weaknesses | B12.1, B12.5 |
| | A.16.1.4 Assessment of and decision on information security events | (none) |
| | A.16.1.5 Response to information security incidents | B12.3 |
| | A.16.1.6 Learning from information security incidents | (none) |
| | A.16.1.7 Collection of evidence | B12.4 |

A.17 Information security aspects of business continuity management (IASME Governance Standard: 7.1 Policy realisation, 9.3 Business continuity, disaster recovery, and resilience)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.17.1 Information security continuity | A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity | B13.1 |
| | A.17.1.3 Verify, review and evaluate information security continuity | B13.2, B13.3 |
| A.17.2 Redundancies | A.17.2.1 Availability of information processing facilities | B13.1 |

A.18 Compliance (IASME Governance Standard, for A.18.1: 6.5 Legal and regulatory landscape, 7.1 Policy realisation, 7.2 Physical and environmental protection)

| Control objective | Control | IASME Question Set v11 reference |
|---|---|---|
| A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | B6.21, B6.22 |
| | A.18.1.2 Intellectual property rights | B6.6 |
| | A.18.1.3 Protection of records | B4.1, B6.17, B10.4 |
| | A.18.1.4 Privacy and protection of personally identifiable information | B2.6 - B2.8, B4.1 - B4.19, B6.17 |
| | A.18.1.5 Regulation of cryptographic controls | B6.21, B6.22. Although cryptographic controls are not specifically mentioned in this context, the IASME Governance Standard expects the business to identify, and comply with, any legislation and regulatory requirements placed on it, including cryptographic controls. |
| A.18.2 Information security reviews | A.18.2.1 Independent review of information security | To achieve the IASME Gold level of assurance the business must be audited, including policy review, independently. See Section 1.2 of the IASME Governance Standard. |
| | A.18.2.2 Compliance with security policies and standards | B1.1 - B1.4, B3.2, B6.2, B6.5, B7.9, B10.1 - B10.2, B13.2 |
| | A.18.2.3 Technical compliance review | B8.4, B9.1 - B9.3 |
