Scribd Logo
Upload

Welcome to Scribd!

  • ISO 27001 Controls

    Uploaded by

    rakesh_dandu
    3 views16 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    XLSX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    3 views16 pages

    ISO 27001 Controls

    Uploaded by

    rakesh_dandu

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 16

    ISO 27001 Control

    Category ISO 27001 Control and Sub-Control

    1. Information Security
    A.5.1.1: Develop and maintain information security policies
    Policies and Procedures

    A.5.1.2: Establish a framework for information security roles


    and responsibilities

    A.5.1.3: Manage legal, regulatory, and contractual


    requirements

    2. Organization of
    A.6.1.1: Define information security roles and responsibilities
    Information Security
    A.6.1.2: Establish an information security organization

    A.6.1.3: Determine the scope of the ISMS

    3. Human Resource Security A.7.1.1: Prioritize information security during employment

    A.7.1.2: Establish a formal disciplinary process

    A.7.1.3: Define roles and responsibilities for information


    security

    4. Asset Management A.8.1.1: Create an inventory of assets


    A.8.1.2: Define information classification criteria

    A.8.1.3: Ensure proper handling of assets

    5. Access Control A.9.1.1: Implement access control policy

    A.9.1.2: Manage user access rights

    A.9.1.3: Control system access

    6. Cryptography A.10.1.1: Cryptographic controls


    A.10.1.2: Key management

    A.10.1.3: Protecting sensitive data

    7. Physical and
    A.11.1.1: Secure areas
    Environmental Security

    A.11.1.2: Equipment security

    A.11.1.3: Secure disposal and removal of assets

    8. Operations Security A.12.1.1: Operational procedures and responsibilities


    A.12.1.2: Protection from malware

    A.12.1.3: Backup

    A.12.1.4: Logging and monitoring

    9. Communications Security A.13.1.1: Network security management

    A.13.1.2: Information transfer

    A.13.1.3: Electronic messaging


    10. System Acquisition,
    Development, and A.14.1.1: Security requirements for information systems
    Maintenance

    A.14.1.2: Secure development policy

    A.14.1.3: Secure development environment

    11. Supplier Relationships A.15.1.1: Information security in supplier relationships

    A.15.1.2: Supplier service delivery management

    A.15.1.3: Supplier risk management


    12. Information Security
    A.16.1.1: Establish an incident response process
    Incident Management

    A.16.1.2: Incident reporting

    A.16.1.3: Management of information security incidents and


    improvements

    13. Information Security


    Aspects of Business A.17.1.1: Develop and implement continuity processes
    Continuity Management

    A.17.1.2: Test and review continuity plans

    A.17.1.3: Information security continuity


    14. Compliance A.18.1.1: Compliance with legal and contractual requirements

    A.18.1.2: Information security reviews

    A.18.1.3: Compliance with security policies and standards


    IT Policy Integration for a Software
    Development Company

    The company shall establish and


    maintain information security policies
    that are relevant to its software
    development activities.

    Define roles and responsibilities for


    information security within the
    development team.

    Ensure compliance with legal and


    regulatory requirements applicable to
    software development.

    Clearly define roles and responsibilities


    for information security within the
    organization.
    Establish an information security team
    responsible for security measures
    during development.

    Clearly define the scope of the


    Information Security Management
    System (ISMS) in the context of
    software development.

    Ensure that all employees are aware of


    and prioritize information security in
    their roles.

    Define a disciplinary process for


    employees who violate security policies.

    Clearly outline the roles and


    responsibilities of employees in
    safeguarding information security.

    Maintain an inventory of software,


    hardware, and data assets used in
    development.
    Classify software and data assets based
    on their sensitivity and importance.

    Specify procedures for handling,


    storing, and disposing of software
    assets securely.

    Develop and enforce access control


    policies for software development
    environments and repositories.

    Regularly review and manage user


    access rights to software and data.

    Implement strong authentication and


    authorization mechanisms for accessing
    development systems.

    Implement encryption mechanisms to


    protect sensitive data during
    transmission and storage.
    Establish robust key management
    practices to safeguard cryptographic
    keys.

    Define measures for protecting sensitive


    data, both within software and during
    transfer.

    Ensure that physical development


    environments and data centers are
    secure against unauthorized access.

    Implement physical security measures


    for hardware and infrastructure used in
    development.

    Establish secure processes for disposing


    of hardware and data assets when they
    are no longer needed.

    Define operational procedures for


    software development and ensure that
    responsibilities are clear.
    Implement anti-malware measures to
    protect development systems and code
    repositories.

    Establish backup procedures for


    software source code, databases, and
    critical development assets.

    Set up logging and monitoring systems


    to detect and respond to security
    incidents in real-time.

    Implement network security measures


    to protect data in transit within
    development environments.

    Secure the transfer of data, code, and


    software updates within development
    teams and systems.

    Secure email and messaging systems


    used for communication within the
    development process.
    Define and incorporate security
    requirements into the software
    development life cycle (SDLC).

    Develop a secure development policy


    outlining security expectations for
    coding and testing.

    Ensure that the development


    environment is secure and isolated from
    production environments.

    Assess and manage the security


    practices of third-party suppliers or
    software vendors.

    Monitor and manage the security of


    services provided by external suppliers.

    Assess and mitigate security risks


    associated with third-party suppliers
    and software components.
    Develop an incident response plan to
    address security incidents during
    development.

    Establish procedures for reporting and


    documenting security incidents.

    Implement corrective actions and


    improvements following incident
    investigations.

    Develop business continuity and


    disaster recovery plans for software
    development operations.

    Periodically test and review continuity


    plans to ensure their effectiveness.

    Ensure that information security is


    maintained during and after disruptive
    events.
    Ensure compliance with legal,
    regulatory, and contractual security
    requirements in software development.

    Conduct regular security reviews and


    assessments of software and
    development practices.

    Enforce adherence to security policies


    and standards in all development
    activities.

    You might also like