| Clause | Control area | Control objective |
|---|---|---|
| A.5.1 | Information Security Policy | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |
| A.6.1 | Internal Organization | To manage information security within the organization. |
| A.6.2 | External Parties | To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties. |
| A.7.1 | Responsibility for Assets | To achieve and maintain appropriate protection of organizational assets. |
| A.7.2 | Information Classification | To ensure that information receives an appropriate level of protection. |
| A.8.1 | Prior to Employment | To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. |
| A.8.2 | During Employment | To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. |
| A.8.3 | Termination or Change of Employment | To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. |
| A.9.1 | Secure Areas | To prevent unauthorized physical access, damage and interference to the organization's premises and information. |
| A.9.2 | Equipment Security | To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities. |
| A.10.1 | Operational Procedures and Responsibilities | To ensure the correct and secure operation of information processing facilities. |
| A.10.2 | Third Party Service Delivery Management | To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. |
| A.10.3 | System Planning and Acceptance | To minimize the risk of systems failure. |
| A.10.4 | Protection Against Malicious and Mobile Attack | To protect the integrity of software and information. |
| A.10.5 | Back-Up | To maintain the integrity and availability of information and information processing facilities. |
| A.10.6 | Network Security Management | To ensure the protection of information in networks and the protection of the supporting infrastructure. |
| A.10.7 | Media Handling | To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities. |
| A.10.8 | Exchange of Information | To maintain the security of information and software exchanged within an organization and with any external entity. |
| A.10.9 | Electronic Commerce Services | To ensure the security of electronic commerce services, and their secure use. |
| A.10.10 | Monitoring | To detect unauthorized information processing activities. |
| A.11.1 | Business Requirement for Access Control | To control access to information. |
| A.11.2 | User Access Management | To ensure authorized user access and to prevent unauthorized access to information systems. |
| A.11.3 | User Responsibilities | To prevent unauthorized user access, and compromise or theft of information and information processing facilities. |
| A.11.4 | Network Access Control | To prevent unauthorized access to networked services. |
| A.11.5 | Operating System Access Control | To prevent unauthorized access to operating systems. |
| A.11.6 | Application and Information Access Control | To prevent unauthorized access to information held in application systems. |
| A.11.7 | Mobile Computing and Teleworking | To ensure information security when using mobile computing and teleworking facilities. |
| A.12.1 | Security Requirements of Information Systems | To ensure that security is an integral part of information systems. |
| A.12.2 | Correct Processing in Applications | To prevent errors, loss, unauthorized modification or misuse of information in applications. |
| A.12.3 | Cryptographic Controls | To protect the confidentiality, authenticity or integrity of information by cryptographic means. |
| A.12.4 | Security of System Files | To ensure the security of system files. |
| A.12.5 | Security in Development and Support Processes | To maintain the security of application system software and information. |
| A.12.6 | Technical Vulnerability Management | To reduce risks resulting from exploitation of published technical vulnerabilities. |
| A.13.1 | Reporting Information Security Events and Weaknesses | To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. |
| A.13.2 | Management of Information Security Incidents and Improvements | To ensure a consistent and effective approach is applied to the management of information security incidents. |
| A.14.1 | IS Aspects of Business Continuity Management | To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. |
| A.15.1 | Compliance with Legal Requirements | To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. |
| A.15.2 | Compliance with Security Policies and Standards, and Technical Compliance | To ensure compliance of systems with organizational security policies and standards. |
| A.15.3 | Information Systems Audit Considerations | To maximize the effectiveness of and minimize interference to/from the information systems audit process. |