Controls: 131 controls
Readiness: 10 implemented · 0 N/A
5 — Organizational Controls
  5.1   Policies for information security
  5.2   Information security roles and responsibilities
  5.3   Segregation of duties
  5.4   Management responsibilities
  5.5   Contact with authorities
  5.6   Contact with special interest groups
  5.7   Threat intelligence
  5.8   Information security in project management
  5.9   Inventory of information and other associated assets
  5.10  Acceptable use of information and other associated assets
  5.11  Return of assets
  5.12  Classification of information
  5.13  Labelling of information
  5.14  Information transfer
  5.15  Access control
  5.16  Identity management
  5.17  Authentication information
  5.18  Access rights
  5.19  Information security in supplier relationships
  5.20  Addressing information security within supplier agreements
  5.21  Managing information security in the ICT supply chain
  5.22  Monitoring, review and change management of supplier services
  5.23  Information security for use of cloud services
  5.24  Information security incident management planning and preparation
  5.25  Assessment and decision on information security events
  5.26  Response to information security incidents
  5.27  Learning from information security incidents
  5.28  Collection of evidence
  5.29  Information security during disruption
  5.30  ICT readiness for business continuity
  5.31  Legal, statutory, regulatory, and contractual requirements
  5.32  Intellectual property rights
  5.33  Protection of records
  5.34  Privacy and protection of personal information
  5.35  Independent review of information security
  5.36  Compliance with policies, rules, and standards for information security
  5.37  Documented operating procedures

6 — People Controls
  6.1   Screening
  6.2   Terms and conditions of employment
  6.3   Information security awareness, education, and training
  6.4   Disciplinary process
  6.5   Responsibilities after termination or change of employment
  6.6   Confidentiality or non-disclosure agreements
  6.7   Remote working
  6.8   Information security event reporting

7 — Physical Controls
  7.1   Physical security perimeters
  7.2   Physical entry
  7.3   Securing offices, rooms, and facilities
  7.4   Physical security monitoring
  7.5   Protecting against physical and environmental threats
  7.6   Working in secure areas
  7.7   Clear desk and clear screen
  7.8   Equipment siting and protection
  7.9   Security of assets off-premises
  7.10  Storage media
  7.11  Supporting utilities
  7.12  Cabling security
  7.13  Equipment maintenance
  7.14  Secure disposal or re-use of equipment

8 — Technological Controls
  8.1   User end point devices
  8.2   Privileged access rights
  8.3   Information access restriction
  8.4   Access to source code
  8.5   Secure authentication
  8.6   Capacity management
  8.7   Protection against malware
  8.8   Management of technical vulnerabilities
  8.9   Configuration management
  8.10  Information deletion
  8.11  Data masking
  8.12  Data leakage prevention
  8.13  Information backup
  8.14  Redundancy of information processing facilities
  8.15  Logging
  8.16  Monitoring activities
  8.17  Clock synchronisation
  8.18  Use of privileged utility programs
  8.19  Installation of software on operational systems
  8.20  Networks security
  8.21  Security of network services
  8.22  Segregation of networks
  8.23  Web filtering
  8.24  Use of cryptography
  8.25  Secure development life cycle
  8.26  Application security requirements
  8.27  Secure system architecture and engineering principles
  8.28  Secure coding
  8.29  Security testing in development and acceptance
  8.30  Outsourced development
  8.31  Separation of development, test, and production environments
  8.32  Change management
  8.33  Test information
  8.34  Protection of information systems during audit testing

A1 — Availability
  A1.1  Capacity Management
  A1.2  Environmental Threats
  A1.3  Recovery Plan Testing

C1 — Confidentiality
  C1.1  Identifies and Maintains Confidential Information
  C1.2  Disposes of Confidential Information

CC1 — Control Environment
  CC1.1  Demonstrates Commitment to Integrity and Ethical Values
  CC1.2  Exercises Oversight Responsibility
  CC1.3  Establishes Structure, Authority, and Responsibility
  CC1.4  Demonstrates Commitment to Competence
  CC1.5  Enforces Accountability

CC2 — Communication and Information
  CC2.1  Uses Relevant Information
  CC2.2  Communicates Internally
  CC2.3  Communicates Externally

CC3 — Risk Assessment
  CC3.1  Specifies Suitable Objectives
  CC3.2  Identifies and Analyzes Risk
  CC3.3  Assesses Fraud Risk
  CC3.4  Identifies and Analyzes Significant Change

CC4 — Monitoring Activities
  CC4.1  Conducts Ongoing and/or Separate Evaluations
  CC4.2  Evaluates and Communicates Deficiencies

CC5 — Control Activities
  CC5.1  Selects and Develops Control Activities
  CC5.2  Selects and Develops General Controls Over Technology
  CC5.3  Deploys Through Policies and Procedures

CC6 — Logical and Physical Access Controls
  CC6.1  Logical Access Security Software, Infrastructure, and Architectures
  CC6.2  New Internal and External Users Provisioning
  CC6.3  Role-Based Access Control
  CC6.4  Physical Access Restrictions
  CC6.5  Cessation of Access
  CC6.6  Security Measures Against External Threats
  CC6.7  Transmission and Movement of Information
  CC6.8  Prevention or Detection of Unauthorized Software

CC7 — System Operations
  CC7.1  Detection and Monitoring Procedures
  CC7.2  Monitors System Components for Anomalous Behavior
  CC7.3  Evaluates Security Events
  CC7.4  Responds to Security Incidents
  CC7.5  Identifies, Develops, and Implements Activities to Recover

CC8 — Change Management
  CC8.1  Authorizes, Designs, Develops or Acquires, Configures, Documents, Tests, Approves, and Implements Changes

CC9 — Risk Mitigation
  CC9.1  Identifies, Selects, and Develops Risk Mitigation Activities
  CC9.2  Assesses and Manages Risks from Vendors and Business Partners