
ISO 27001:2013
Information Security Management System

Standard ISO 27001:2013 (Annex A)


ISO 27001 Control Sections (“Annex A”)

Information security policies
  Management direction for information security
    Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
    Consists of 2 controls:
      A.5.1.1 Policies for information security
      A.5.1.2 Review of the policies for information security

Organization of information security
  Internal organization
    Information security roles and responsibilities
    Segregation of duties
    Information security in project management
  Mobile device policy

Human resource security
  Prior to employment
  During employment
  Termination and change of employment
    Termination or change of employment responsibilities
Asset management
  Responsibility for assets
    Inventory of assets
    Acceptable use of assets
    Return of assets
  Classification of information
    Classification of information
    Labelling of information
    Handling of assets
  Media handling
    Management of removable media
    Disposal of media
    Physical media transfer
Access control
  Access control policy
  User access management
    User registration and de-registration
    Management of secret authentication information of users
    Review of user access rights
    Removal or adjustment of access rights
  User responsibilities
    Use of secret authentication information
  Password management system
Physical and environmental security
  Secure areas
    Physical security perimeter
    Physical entry controls
    Securing offices, rooms and facilities
    Protecting against external and environmental threats
  Equipment
    Equipment siting and protection
    Supporting utilities
    Cabling security
    Equipment maintenance
    Removal of assets
    Security of equipment and assets off-premises
    Secure disposal or reuse of equipment
    Unattended user equipment
Operations security
  Operational procedures and responsibilities
    Documented operating procedures
  Protection from malware
  Backup
  Control of operational software
Communications security
  Network security management
  Information transfer
    Agreements on information transfer
    Electronic messaging
    Confidentiality or nondisclosure agreements
Supplier relationships
  Information security in supplier relationships
    Addressing security within supplier agreements
    Information and communication technology supply chain
  Supplier service delivery management
    Monitoring and review of supplier services
Information security incident management
  Management of information security incidents and improvements
    Reporting information security events
    Reporting information security weaknesses
    Response to information security incidents
    Learning from information security incidents
Information security aspects of business continuity management
  Information security continuity
    Planning information security continuity
    Implementing information security continuity
    Verify, review and evaluate information security continuity
  Availability of information processing facilities
Compliance
  Compliance with legal and contractual requirements
    Identification of applicable legislation and contractual requirements
    Intellectual property rights
    Protection of records
  Compliance with security policies and standards
Thank You