(27K1) Pure Requirement Lists of 27002 Controls

Control ID Control Title
Policy on the use of cryptographic

A 10.1.1 controls Control
A 10.1.2 Key management Control
A 11.1.1 Physical security perimeter Control
A 11.1.2 Physical entry controls Control
Securing offices, rooms & facilities

A 11.1.3 Control
Protecting against external &

A 11.1.4 environmental threats Control
A 11.1.5 Working in secure areas Control

A 11.1.6 Delivery & loading areas Control
Equipment siting & protection

A 11.2.1 Control
A 11.2.2 Supporting utilities Control
A 11.2.3 Cabling security Control
A 11.2.4 Equipment maintenance Control
A 11.2.5 Removal of assets Control
Security of equipment & assets off-

A 11.2.6 premises Control
Secure disposal or reuse of

A 11.2.7 equipment Control
A 11.2.8 Unattended user equipment Control
Clear desk & clear screen policy

A 11.2.9 Control
Documented operating procedures
A 12.1.1 Control
A 12.1.2 Change management Control
A 12.1.3 Capacity management Control
Separation of development, testing &

A 12.1.4 operational environments Control
A 12.2.1 Controls against malware Control
A 12.3.1 Information backup Control
A 12.4.1 Event logging Control
A 12.4.2 Protection of log information Control

Administrator & operator logs
A 12.4.3 Control
A 12.4.4 Clock synchronisation Control
Installation of software on
A 12.5.1 operational systems Control
Management of technical
A 12.6.1 vulnerabilities Control
Restrictions on software installation
A 12.6.2 Control
Information systems audit controls
A 12.7.1 Control
A 13.1.1 Network controls Control
A 13.1.2 Security of network services Control
A 13.1.3 Segregation in networks Control
Information transfer policies &

A 13.2.1 procedures Control
Agreements on information transfer

A 13.2.2 Control
A 13.2.3 Electronic messaging Control
Confidentiality or nondisclosure
A 13.2.4 agreements Control
Info Security Requirement Analysis &

A 14.1.1 Specification
Securing application services on
A 14.1.2 public networks Control
Protecting application services

A 14.1.3 transactions Control
A 14.2.1 Secure development policy Control
System change control procedures

A 14.2.2 Control
Technical review of applications after

A 14.2.3 operating platform changes Control
Restrictions on changes to software

A 14.2.4 packages Control
Secure system engineering principles

A 14.2.5 Control
Secure development environment

A 14.2.6 Control
A 14.2.7 Outsourced development Control
A 14.2.8 System security testing Control

A 14.2.9 System acceptance testing Control
A 14.3.1 Protection of test data Control
Information security policy for
A 15.1.1 supplier relationships Control
Addressing security within supplier

A 15.1.2 agreements Control
Information & communication

A 15.1.3 technology supply chain Control
Monitoring & review of supplier
A 15.2.1 services Control
Managing changes to supplier
A 16.1.1 Responsibilities & procedures Control
Reporting information security

A 16.1.2 events Control
Reporting information security

A 16.1.3 weaknesses Control
Assessment of & decision on

A 16.1.4 information security events Control
Response to information security

A 16.1.5 incidents Control
Learning from information security
A 16.1.6 incidents Control
A 16.1.7 Collection of evidence Control
Planning information security

A 17.1.1 continuity Control
Implementing information security

A 17.1.2 continuity Control
Verify, review & evaluate information

A 17.1.3 security continuity Control
Availability of information processing

A 17.2.1 facilities Control
Identification of applicable legislation
A 18.1.1 & contractual requirements Control
A 18.1.2 Intellectual property rights Control
A 18.1.3 Protection of records Control
A 18.1.4 Privacy & protection of personally

identifiable information Control
Regulation of cryptographic controls

A 18.1.5 Control
Independent review of information

A 18.2.1 security Control
Compliance with security policies &
A 18.2.2 standards Control
A 18.2.3 Technical compliance review Control
Policies for information security
A 5.1.1 Control
Review of the policies for
A 5.1.2 information security Control
Information security roles &

A 6.1.1 responsibilities Control
A 6.1.2 Segregation of duties Control
A 6.1.3 Contact with authorities Control
Contact with special interest groups

A 6.1.4 Control
Information security in project
A 6.1.5 management Control
A 6.2.1 Mobile device policy Control
A 6.2.2 Teleworking Control
A 7.1.1 Screening Control
Terms & conditions of employment

A 7.1.2 Control
A 7.2.1 Management responsibilities Control
Information security awareness,

A 7.2.2 education and training Control
A 7.2.3 Disciplinary process Control
Termination or change of
A 7.3.1 employment responsibilities Control
A 8.1.1 Inventory of assets Control
A 8.1.2 Ownership of assets Control
A 8.1.3 Acceptable use of assets Control
A 8.1.4 Return of assets Control
A 8.2.1 Classification of information Control
A 8.2.2 Labelling of information Control
A 8.2.3 Handling of assets Control
Management of removable media

A 8.3.1 Control
A 8.3.2 Disposal of media Control
A 8.3.3 Physical media transfer Control
A 9.1.1 Access control policy Control
Access to networks & network

User registration & de-registration

A 9.2.1 Control
A 9.2.2 User access provisioning Control
Management of privileged access

A 9.2.3 rights Control
Management of secret
A 9.2.4 authentication information of users
Control
A 9.2.5 Review of user access rights Control

Removal or adjustment of access
A 9.2.6 rights Control
Use of secret authentication

A 9.3.1 information Control
Information access restriction

A 9.4.1 Control
A 9.4.2 Secure log-on procedures Control
Password management system

A 9.4.3 Control
Use of privileged utility programs
A 9.4.4 Control
Access control to program source
A 9.4.5 code Control
Grouping at Header Level (Concating each Row)
*** A 10.1.1 - Policy on the use of cryptographic controls Control *** A 10.1.2 - Key management
Control
*** A 10.1.2 - Key management Control
*** A 11.1.1 - Physical security perimeter Control *** A 11.1.2 - Physical entry controls Control *** A
11.1.3 - Securing offices, rooms & facilities Control *** A 11.1.4 - Protecting against external &
environmental threats Control *** A 11.1.5 - Working in secure areas Control *** A 11.1.6 - Delivery &
loading areas Control *** A 11.2.1 - Equipment siting & protection Control *** A 11.2.2 - Supporting
utilities Control *** A 11.2.3 - Cabling security Control *** A 11.2.4 - Equipment maintenance Control
*** A 11.2.5 - Removal of assets Control *** A 11.2.6 - Security of equipment & assets off-premises
Control *** A 11.2.7 - Secure disposal or reuse of equipment Control *** A 11.2.8 - Unattended user
equipment Control *** A 11.2.9 - Clear desk & clear screen policy Control
*** A 11.1.2 - Physical entry controls Control *** A 11.1.3 - Securing offices, rooms & facilities Control
*** A 11.1.4 - Protecting against external & environmental threats Control *** A 11.1.5 - Working in
secure areas Control *** A 11.1.6 - Delivery & loading areas Control *** A 11.2.1 - Equipment siting &
protection Control *** A 11.2.2 - Supporting utilities Control *** A 11.2.3 - Cabling security Control ***
A 11.2.4 - Equipment maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 -
Security of equipment & assets off-premises Control *** A 11.2.7 - Secure disposal or reuse of
equipment Control *** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk & clear
screen policy Control
*** A 11.1.3 - Securing offices, rooms & facilities Control *** A 11.1.4 - Protecting against external &
secure areas Control *** A 11.1.6 - Delivery & loading areas Control *** A 11.2.1 - Equipment siting &
protection Control *** A 11.2.2 - Supporting utilities Control *** A 11.2.3 - Cabling security Control ***
A 11.2.4 - Equipment maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 -
*** A 11.1.5 - Working in secure areas Control *** A 11.1.6 - Delivery & loading areas Control *** A
11.2.1 - Equipment siting & protection Control *** A 11.2.2 - Supporting utilities Control *** A 11.2.3 -
Cabling security Control *** A 11.2.4 - Equipment maintenance Control *** A 11.2.5 - Removal of assets
Control *** A 11.2.6 - Security of equipment & assets off-premises Control *** A 11.2.7 - Secure
disposal or reuse of equipment Control *** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 -
Clear desk & clear screen policy Control
*** A 11.1.6 - Delivery & loading areas Control *** A 11.2.1 - Equipment siting & protection Control ***
A 11.2.2 - Supporting utilities Control *** A 11.2.3 - Cabling security Control *** A 11.2.4 - Equipment
maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 - Security of equipment &
assets off-premises Control *** A 11.2.7 - Secure disposal or reuse of equipment Control *** A 11.2.8 -
Unattended user equipment Control *** A 11.2.9 - Clear desk & clear screen policy Control
*** A 11.2.1 - Equipment siting & protection Control *** A 11.2.2 - Supporting utilities Control *** A
11.2.3 - Cabling security Control *** A 11.2.4 - Equipment maintenance Control *** A 11.2.5 - Removal
of assets Control *** A 11.2.6 - Security of equipment & assets off-premises Control *** A 11.2.7 -
Secure disposal or reuse of equipment Control *** A 11.2.8 - Unattended user equipment Control *** A
11.2.9 - Clear desk & clear screen policy Control
*** A 11.2.2 - Supporting utilities Control *** A 11.2.3 - Cabling security Control *** A 11.2.4 -
Equipment maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 - Security of
equipment & assets off-premises Control *** A 11.2.7 - Secure disposal or reuse of equipment Control
*** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk & clear screen policy Control
*** A 11.2.3 - Cabling security Control *** A 11.2.4 - Equipment maintenance Control *** A 11.2.5 -
Removal of assets Control *** A 11.2.6 - Security of equipment & assets off-premises Control *** A
11.2.7 - Secure disposal or reuse of equipment Control *** A 11.2.8 - Unattended user equipment
Control *** A 11.2.9 - Clear desk & clear screen policy Control
*** A 11.2.4 - Equipment maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 -
*** A 11.2.6 - Security of equipment & assets off-premises Control *** A 11.2.7 - Secure disposal or
reuse of equipment Control *** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk
& clear screen policy Control
*** A 11.2.7 - Secure disposal or reuse of equipment Control *** A 11.2.8 - Unattended user equipment
*** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk & clear screen policy
Control
*** A 11.2.9 - Clear desk & clear screen policy Control

*** A 12.1.1 - Documented operating procedures Control *** A 12.1.2 - Change management Control
*** A 12.1.3 - Capacity management Control *** A 12.1.4 - Separation of development, testing &
operational environments Control *** A 12.2.1 - Controls against malware Control *** A 12.3.1 -
Information backup Control *** A 12.4.1 - Event logging Control *** A 12.4.2 - Protection of log
information Control *** A 12.4.3 - Administrator & operator logs Control *** A 12.4.4 - Clock
synchronisation Control *** A 12.5.1 - Installation of software on operational systems Control *** A
12.6.1 - Management of technical vulnerabilities Control *** A 12.6.2 - Restrictions on software
installation Control *** A 12.7.1 - Information systems audit controls Control
*** A 12.1.2 - Change management Control *** A 12.1.3 - Capacity management Control *** A 12.1.4 -
Separation of development, testing & operational environments Control *** A 12.2.1 - Controls against
malware Control *** A 12.3.1 - Information backup Control *** A 12.4.1 - Event logging Control *** A
12.4.2 - Protection of log information Control *** A 12.4.3 - Administrator & operator logs Control *** A
12.4.4 - Clock synchronisation Control *** A 12.5.1 - Installation of software on operational systems
Control *** A 12.6.1 - Management of technical vulnerabilities Control *** A 12.6.2 - Restrictions on
software installation Control *** A 12.7.1 - Information systems audit controls Control
*** A 12.1.4 - Separation of development, testing & operational environments Control *** A 12.2.1 -
Controls against malware Control *** A 12.3.1 - Information backup Control *** A 12.4.1 - Event logging
Control *** A 12.4.2 - Protection of log information Control *** A 12.4.3 - Administrator & operator logs
Control *** A 12.4.4 - Clock synchronisation Control *** A 12.5.1 - Installation of software on operational
systems Control *** A 12.6.1 - Management of technical vulnerabilities Control *** A 12.6.2 -
Restrictions on software installation Control *** A 12.7.1 - Information systems audit controls Control
*** A 12.2.1 - Controls against malware Control *** A 12.3.1 - Information backup Control *** A 12.4.1 -
Event logging Control *** A 12.4.2 - Protection of log information Control *** A 12.4.3 - Administrator &
operator logs Control *** A 12.4.4 - Clock synchronisation Control *** A 12.5.1 - Installation of software
on operational systems Control *** A 12.6.1 - Management of technical vulnerabilities Control *** A
12.6.2 - Restrictions on software installation Control *** A 12.7.1 - Information systems audit controls
Control
*** A 12.3.1 - Information backup Control *** A 12.4.1 - Event logging Control *** A 12.4.2 - Protection
of log information Control *** A 12.4.3 - Administrator & operator logs Control *** A 12.4.4 - Clock
*** A 12.4.1 - Event logging Control *** A 12.4.2 - Protection of log information Control *** A 12.4.3 -
Administrator & operator logs Control *** A 12.4.4 - Clock synchronisation Control *** A 12.5.1 -
Installation of software on operational systems Control *** A 12.6.1 - Management of technical
vulnerabilities Control *** A 12.6.2 - Restrictions on software installation Control *** A 12.7.1 -
Information systems audit controls Control
*** A 12.4.2 - Protection of log information Control *** A 12.4.3 - Administrator & operator logs Control
*** A 12.4.4 - Clock synchronisation Control *** A 12.5.1 - Installation of software on operational
*** A 12.4.3 - Administrator & operator logs Control *** A 12.4.4 - Clock synchronisation Control *** A
12.5.1 - Installation of software on operational systems Control *** A 12.6.1 - Management of technical
vulnerabilities Control *** A 12.6.2 - Restrictions on software installation Control *** A 12.7.1 -
*** A 12.4.4 - Clock synchronisation Control *** A 12.5.1 - Installation of software on operational
*** A 12.5.1 - Installation of software on operational systems Control *** A 12.6.1 - Management of
technical vulnerabilities Control *** A 12.6.2 - Restrictions on software installation Control *** A 12.7.1 -
*** A 12.6.1 - Management of technical vulnerabilities Control *** A 12.6.2 - Restrictions on software
*** A 12.6.2 - Restrictions on software installation Control *** A 12.7.1 - Information systems audit
controls Control
*** A 12.7.1 - Information systems audit controls Control
*** A 13.1.1 - Network controls Control *** A 13.1.2 - Security of network services Control *** A 13.1.3
- Segregation in networks Control *** A 13.2.1 - Information transfer policies & procedures Control *** A
13.2.2 - Agreements on information transfer Control *** A 13.2.3 - Electronic messaging Control *** A
13.2.4 - Confidentiality or nondisclosure agreements Control
*** A 13.1.2 - Security of network services Control *** A 13.1.3 - Segregation in networks Control *** A
13.2.1 - Information transfer policies & procedures Control *** A 13.2.2 - Agreements on information
transfer Control *** A 13.2.3 - Electronic messaging Control *** A 13.2.4 - Confidentiality or
nondisclosure agreements Control
*** A 13.1.3 - Segregation in networks Control *** A 13.2.1 - Information transfer policies & procedures
Control *** A 13.2.2 - Agreements on information transfer Control *** A 13.2.3 - Electronic messaging
Control *** A 13.2.4 - Confidentiality or nondisclosure agreements Control
*** A 13.2.1 - Information transfer policies & procedures Control *** A 13.2.2 - Agreements on
information transfer Control *** A 13.2.3 - Electronic messaging Control *** A 13.2.4 - Confidentiality or
*** A 13.2.2 - Agreements on information transfer Control *** A 13.2.3 - Electronic messaging Control
*** A 13.2.4 - Confidentiality or nondisclosure agreements Control
*** A 13.2.3 - Electronic messaging Control *** A 13.2.4 - Confidentiality or nondisclosure agreements
Control
*** A 14.1.1 - Info Security Requirement Analysis & Specification *** A 14.1.2 - Securing application
services on public networks Control *** A 14.1.3 - Protecting application services transactions Control
*** A 14.2.1 - Secure development policy Control *** A 14.2.2 - System change control procedures
Control *** A 14.2.3 - Technical review of applications after operating platform changes Control *** A
14.2.4 - Restrictions on changes to software packages Control *** A 14.2.5 - Secure system engineering
principles Control *** A 14.2.6 - Secure development environment Control *** A 14.2.7 - Outsourced
development Control *** A 14.2.8 - System security testing Control *** A 14.2.9 - System acceptance
testing Control *** A 14.3.1 - Protection of test data Control
*** A 14.1.2 - Securing application services on public networks Control *** A 14.1.3 - Protecting
application services transactions Control *** A 14.2.1 - Secure development policy Control *** A 14.2.2 -
System change control procedures Control *** A 14.2.3 - Technical review of applications after operating
platform changes Control *** A 14.2.4 - Restrictions on changes to software packages Control *** A
14.2.5 - Secure system engineering principles Control *** A 14.2.6 - Secure development environment
Control *** A 14.2.7 - Outsourced development Control *** A 14.2.8 - System security testing Control
*** A 14.2.9 - System acceptance testing Control *** A 14.3.1 - Protection of test data Control
*** A 14.1.3 - Protecting application services transactions Control *** A 14.2.1 - Secure development
policy Control *** A 14.2.2 - System change control procedures Control *** A 14.2.3 - Technical review of
applications after operating platform changes Control *** A 14.2.4 - Restrictions on changes to software
packages Control *** A 14.2.5 - Secure system engineering principles Control *** A 14.2.6 - Secure
development environment Control *** A 14.2.7 - Outsourced development Control *** A 14.2.8 - System
security testing Control *** A 14.2.9 - System acceptance testing Control *** A 14.3.1 - Protection of test
data Control
*** A 14.2.2 - System change control procedures Control *** A 14.2.3 - Technical review of applications
after operating platform changes Control *** A 14.2.4 - Restrictions on changes to software packages
Control *** A 14.2.5 - Secure system engineering principles Control *** A 14.2.6 - Secure development
environment Control *** A 14.2.7 - Outsourced development Control *** A 14.2.8 - System security
testing Control *** A 14.2.9 - System acceptance testing Control *** A 14.3.1 - Protection of test data
Control
*** A 14.2.3 - Technical review of applications after operating platform changes Control *** A 14.2.4 -
Restrictions on changes to software packages Control *** A 14.2.5 - Secure system engineering
*** A 14.2.4 - Restrictions on changes to software packages Control *** A 14.2.5 - Secure system
engineering principles Control *** A 14.2.6 - Secure development environment Control *** A 14.2.7 -
Outsourced development Control *** A 14.2.8 - System security testing Control *** A 14.2.9 - System
acceptance testing Control *** A 14.3.1 - Protection of test data Control
*** A 14.2.5 - Secure system engineering principles Control *** A 14.2.6 - Secure development
testing Control *** A 14.2.9 - System acceptance testing Control *** A 14.3.1 - Protection of test data
Control
*** A 14.2.6 - Secure development environment Control *** A 14.2.7 - Outsourced development
Control *** A 14.2.8 - System security testing Control *** A 14.2.9 - System acceptance testing Control
*** A 14.3.1 - Protection of test data Control
*** A 14.2.7 - Outsourced development Control *** A 14.2.8 - System security testing Control *** A
14.2.9 - System acceptance testing Control *** A 14.3.1 - Protection of test data Control
*** A 14.2.8 - System security testing Control *** A 14.2.9 - System acceptance testing Control *** A
14.3.1 - Protection of test data Control
*** A 14.2.9 - System acceptance testing Control *** A 14.3.1 - Protection of test data Control
*** A 15.1.1 - Information security policy for supplier relationships Control *** A 15.1.2 - Addressing
security within supplier agreements Control *** A 15.1.3 - Information & communication technology
supply chain Control *** A 15.2.1 - Monitoring & review of supplier services Control *** A 15.2.2 -
Managing changes to supplier services Control
*** A 15.1.2 - Addressing security within supplier agreements Control *** A 15.1.3 - Information &
communication technology supply chain Control *** A 15.2.1 - Monitoring & review of supplier services
Control *** A 15.2.2 - Managing changes to supplier services Control
*** A 15.1.3 - Information & communication technology supply chain Control *** A 15.2.1 - Monitoring
& review of supplier services Control *** A 15.2.2 - Managing changes to supplier services Control
*** A 15.2.1 - Monitoring & review of supplier services Control *** A 15.2.2 - Managing changes to
supplier services Control
*** A 15.2.2 - Managing changes to supplier services Control
*** A 16.1.1 - Responsibilities & procedures Control *** A 16.1.2 - Reporting information security events
Control *** A 16.1.3 - Reporting information security weaknesses Control *** A 16.1.4 - Assessment of &
decision on information security events Control *** A 16.1.5 - Response to information security incidents
Control *** A 16.1.6 - Learning from information security incidents Control *** A 16.1.7 - Collection of
evidence Control
*** A 16.1.2 - Reporting information security events Control *** A 16.1.3 - Reporting information
security weaknesses Control *** A 16.1.4 - Assessment of & decision on information security events
Control *** A 16.1.5 - Response to information security incidents Control *** A 16.1.6 - Learning from
information security incidents Control *** A 16.1.7 - Collection of evidence Control
*** A 16.1.3 - Reporting information security weaknesses Control *** A 16.1.4 - Assessment of &
evidence Control
*** A 16.1.4 - Assessment of & decision on information security events Control *** A 16.1.5 - Response
to information security incidents Control *** A 16.1.6 - Learning from information security incidents
Control *** A 16.1.7 - Collection of evidence Control
*** A 16.1.5 - Response to information security incidents Control *** A 16.1.6 - Learning from
*** A 16.1.6 - Learning from information security incidents Control *** A 16.1.7 - Collection of evidence
Control
*** A 16.1.7 - Collection of evidence Control
*** A 17.1.1 - Planning information security continuity Control *** A 17.1.2 - Implementing information
security continuity Control *** A 17.1.3 - Verify, review & evaluate information security continuity
Control *** A 17.2.1 - Availability of information processing facilities Control
*** A 17.1.2 - Implementing information security continuity Control *** A 17.1.3 - Verify, review &
evaluate information security continuity Control *** A 17.2.1 - Availability of information processing
facilities Control
*** A 17.1.3 - Verify, review & evaluate information security continuity Control *** A 17.2.1 - Availability
of information processing facilities Control
*** A 17.2.1 - Availability of information processing facilities Control

*** A 18.1.1 - Identification of applicable legislation & contractual requirements Control *** A 18.1.2 -
Intellectual property rights Control *** A 18.1.3 - Protection of records Control *** A 18.1.4 - Privacy &
protection of personally identifiable information Control *** A 18.1.5 - Regulation of cryptographic
controls Control *** A 18.2.1 - Independent review of information security Control *** A 18.2.2 -
Compliance with security policies & standards Control *** A 18.2.3 - Technical compliance review Control
*** A 18.1.2 - Intellectual property rights Control *** A 18.1.3 - Protection of records Control *** A
18.1.4 - Privacy & protection of personally identifiable information Control *** A 18.1.5 - Regulation of
cryptographic controls Control *** A 18.2.1 - Independent review of information security Control *** A
18.2.2 - Compliance with security policies & standards Control *** A 18.2.3 - Technical compliance
review Control
*** A 18.1.3 - Protection of records Control *** A 18.1.4 - Privacy & protection of personally identifiable
information Control *** A 18.1.5 - Regulation of cryptographic controls Control *** A 18.2.1 -
Independent review of information security Control *** A 18.2.2 - Compliance with security policies &
standards Control *** A 18.2.3 - Technical compliance review Control
*** A 18.1.4 - Privacy & protection of personally identifiable information Control *** A 18.1.5 -
Regulation of cryptographic controls Control *** A 18.2.1 - Independent review of information security
Control *** A 18.2.2 - Compliance with security policies & standards Control *** A 18.2.3 - Technical
compliance review Control
*** A 18.1.5 - Regulation of cryptographic controls Control *** A 18.2.1 - Independent review of
information security Control *** A 18.2.2 - Compliance with security policies & standards Control *** A
18.2.3 - Technical compliance review Control
*** A 18.2.1 - Independent review of information security Control *** A 18.2.2 - Compliance with
security policies & standards Control *** A 18.2.3 - Technical compliance review Control
*** A 18.2.2 - Compliance with security policies & standards Control *** A 18.2.3 - Technical compliance
review Control
*** A 18.2.3 - Technical compliance review Control
*** A 5.1.1 - Policies for information security Control *** A 5.1.2 - Review of the policies for information
security Control
*** A 5.1.2 - Review of the policies for information security Control
*** A 6.1.1 - Information security roles & responsibilities Control *** A 6.1.2 - Segregation of duties
Control *** A 6.1.3 - Contact with authorities Control *** A 6.1.4 - Contact with special interest groups
Control *** A 6.1.5 - Information security in project management Control *** A 6.2.1 - Mobile device
policy Control *** A 6.2.2 - Teleworking Control
*** A 6.1.2 - Segregation of duties Control *** A 6.1.3 - Contact with authorities Control *** A 6.1.4 -
Contact with special interest groups Control *** A 6.1.5 - Information security in project management
Control *** A 6.2.1 - Mobile device policy Control *** A 6.2.2 - Teleworking Control
*** A 6.1.3 - Contact with authorities Control *** A 6.1.4 - Contact with special interest groups Control
*** A 6.1.5 - Information security in project management Control *** A 6.2.1 - Mobile device policy
Control *** A 6.2.2 - Teleworking Control
*** A 6.1.4 - Contact with special interest groups Control *** A 6.1.5 - Information security in project
management Control *** A 6.2.1 - Mobile device policy Control *** A 6.2.2 - Teleworking Control
*** A 6.1.5 - Information security in project management Control *** A 6.2.1 - Mobile device policy
Control *** A 6.2.2 - Teleworking Control
*** A 6.2.1 - Mobile device policy Control *** A 6.2.2 - Teleworking Control
*** A 6.2.2 - Teleworking Control
*** A 7.1.1 - Screening Control *** A 7.1.2 - Terms & conditions of employment Control *** A 7.2.1 -
Management responsibilities Control *** A 7.2.2 - Information security awareness, education and
training Control *** A 7.2.3 - Disciplinary process Control *** A 7.3.1 - Termination or change of
employment responsibilities Control
*** A 7.1.2 - Terms & conditions of employment Control *** A 7.2.1 - Management responsibilities
Control *** A 7.2.2 - Information security awareness, education and training Control *** A 7.2.3 -
Disciplinary process Control *** A 7.3.1 - Termination or change of employment responsibilities Control
*** A 7.2.1 - Management responsibilities Control *** A 7.2.2 - Information security awareness,
education and training Control *** A 7.2.3 - Disciplinary process Control *** A 7.3.1 - Termination or
change of employment responsibilities Control
*** A 7.2.2 - Information security awareness, education and training Control *** A 7.2.3 - Disciplinary
process Control *** A 7.3.1 - Termination or change of employment responsibilities Control
*** A 7.2.3 - Disciplinary process Control *** A 7.3.1 - Termination or change of employment
responsibilities Control
*** A 7.3.1 - Termination or change of employment responsibilities Control
*** A 8.1.1 - Inventory of assets Control *** A 8.1.2 - Ownership of assets Control *** A 8.1.3 -
Acceptable use of assets Control *** A 8.1.4 - Return of assets Control *** A 8.2.1 - Classification of
information Control *** A 8.2.2 - Labelling of information Control *** A 8.2.3 - Handling of assets Control
*** A 8.3.1 - Management of removable media Control *** A 8.3.2 - Disposal of media Control *** A
8.3.3 - Physical media transfer Control
*** A 8.1.2 - Ownership of assets Control *** A 8.1.3 - Acceptable use of assets Control *** A 8.1.4 -
Return of assets Control *** A 8.2.1 - Classification of information Control *** A 8.2.2 - Labelling of
information Control *** A 8.2.3 - Handling of assets Control *** A 8.3.1 - Management of removable
media Control *** A 8.3.2 - Disposal of media Control *** A 8.3.3 - Physical media transfer Control
*** A 8.1.3 - Acceptable use of assets Control *** A 8.1.4 - Return of assets Control *** A 8.2.1 -
Classification of information Control *** A 8.2.2 - Labelling of information Control *** A 8.2.3 - Handling
of assets Control *** A 8.3.1 - Management of removable media Control *** A 8.3.2 - Disposal of media
Control *** A 8.3.3 - Physical media transfer Control
*** A 8.1.4 - Return of assets Control *** A 8.2.1 - Classification of information Control *** A 8.2.2 -
Labelling of information Control *** A 8.2.3 - Handling of assets Control *** A 8.3.1 - Management of
removable media Control *** A 8.3.2 - Disposal of media Control *** A 8.3.3 - Physical media transfer
Control
*** A 8.2.1 - Classification of information Control *** A 8.2.2 - Labelling of information Control *** A
8.2.3 - Handling of assets Control *** A 8.3.1 - Management of removable media Control *** A 8.3.2 -
Disposal of media Control *** A 8.3.3 - Physical media transfer Control
*** A 8.2.2 - Labelling of information Control *** A 8.2.3 - Handling of assets Control *** A 8.3.1 -
Management of removable media Control *** A 8.3.2 - Disposal of media Control *** A 8.3.3 - Physical
media transfer Control
*** A 8.2.3 - Handling of assets Control *** A 8.3.1 - Management of removable media Control *** A
8.3.2 - Disposal of media Control *** A 8.3.3 - Physical media transfer Control
*** A 8.3.2 - Disposal of media Control *** A 8.3.3 - Physical media transfer Control
*** A 8.3.3 - Physical media transfer Control
*** A 9.1.1 - Access control policy Control *** A 9.1.2 - Access to networks & network services Control
*** A 9.2.1 - User registration & de-registration Control *** A 9.2.2 - User access provisioning Control
*** A 9.2.3 - Management of privileged access rights Control *** A 9.2.4 - Management of secret
authentication information of users Control *** A 9.2.5 - Review of user access rights Control *** A 9.2.6
- Removal or adjustment of access rights Control *** A 9.3.1 - Use of secret authentication information
Control *** A 9.4.1 - Information access restriction Control *** A 9.4.2 - Secure log-on procedures
Control *** A 9.4.3 - Password management system Control *** A 9.4.4 - Use of privileged utility
programs Control *** A 9.4.5 - Access control to program source code Control
*** A 9.1.2 - Access to networks & network services Control *** A 9.2.1 - User registration & de-
registration Control *** A 9.2.2 - User access provisioning Control *** A 9.2.3 - Management of
privileged access rights Control *** A 9.2.4 - Management of secret authentication information of users
Control *** A 9.2.5 - Review of user access rights Control *** A 9.2.6 - Removal or adjustment of access
rights Control *** A 9.3.1 - Use of secret authentication information Control *** A 9.4.1 - Information
access restriction Control *** A 9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password
management system Control *** A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access
control to program source code Control
*** A 9.2.2 - User access provisioning Control *** A 9.2.3 - Management of privileged access rights
Control *** A 9.2.4 - Management of secret authentication information of users Control *** A 9.2.5 -
Review of user access rights Control *** A 9.2.6 - Removal or adjustment of access rights Control *** A
9.3.1 - Use of secret authentication information Control *** A 9.4.1 - Information access restriction
Control *** A 9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password management system
Control *** A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to program
source code Control
*** A 9.2.4 - Management of secret authentication information of users Control *** A 9.2.5 - Review of
user access rights Control *** A 9.2.6 - Removal or adjustment of access rights Control *** A 9.3.1 - Use
of secret authentication information Control *** A 9.4.1 - Information access restriction Control *** A
9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password management system Control *** A 9.4.4
- Use of privileged utility programs Control *** A 9.4.5 - Access control to program source code Control
*** A 9.2.5 - Review of user access rights Control *** A 9.2.6 - Removal or adjustment of access rights
Control *** A 9.3.1 - Use of secret authentication information Control *** A 9.4.1 - Information access
restriction Control *** A 9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password management
system Control *** A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to
program source code Control
*** A 9.2.6 - Removal or adjustment of access rights Control *** A 9.3.1 - Use of secret authentication
information Control *** A 9.4.1 - Information access restriction Control *** A 9.4.2 - Secure log-on
procedures Control *** A 9.4.3 - Password management system Control *** A 9.4.4 - Use of privileged
utility programs Control *** A 9.4.5 - Access control to program source code Control
*** A 9.3.1 - Use of secret authentication information Control *** A 9.4.1 - Information access
restriction Control *** A 9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password management
system Control *** A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to
program source code Control
*** A 9.4.1 - Information access restriction Control *** A 9.4.2 - Secure log-on procedures Control *** A
9.4.3 - Password management system Control *** A 9.4.4 - Use of privileged utility programs Control ***
A 9.4.5 - Access control to program source code Control
*** A 9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password management system Control ***
A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to program source code
Control
*** A 9.4.3 - Password management system Control *** A 9.4.4 - Use of privileged utility programs
Control *** A 9.4.5 - Access control to program source code Control
*** A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to program source
code Control
*** A 9.4.5 - Access control to program source code Control

Grouping at Header Level (Concating At Change of Level)
Control
evidence Control
security Control
Grouping at Header Level (Remove Duplicate)
Control
evidence Control
security Control
Grouping at Objective Level (Concating each Row)
Control
*** A 10.1.2 - Key management Control
loading areas Control
*** A 11.1.2 - Physical entry controls Control *** A 11.1.3 - Securing offices, rooms & facilities Control
secure areas Control *** A 11.1.6 - Delivery & loading areas Control
*** A 11.1.3 - Securing offices, rooms & facilities Control *** A 11.1.4 - Protecting against external &
secure areas Control *** A 11.1.6 - Delivery & loading areas Control
*** A 11.1.5 - Working in secure areas Control *** A 11.1.6 - Delivery & loading areas Control
*** A 11.1.6 - Delivery & loading areas Control
*** A 11.2.2 - Supporting utilities Control *** A 11.2.3 - Cabling security Control *** A 11.2.4 -
Equipment maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 - Security of
equipment & assets off-premises Control *** A 11.2.7 - Secure disposal or reuse of equipment Control
*** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk & clear screen policy Control
*** A 11.2.3 - Cabling security Control *** A 11.2.4 - Equipment maintenance Control *** A 11.2.5 -
Removal of assets Control *** A 11.2.6 - Security of equipment & assets off-premises Control *** A
11.2.7 - Secure disposal or reuse of equipment Control *** A 11.2.8 - Unattended user equipment
*** A 11.2.4 - Equipment maintenance Control *** A 11.2.5 - Removal of assets Control *** A 11.2.6 -
*** A 11.2.6 - Security of equipment & assets off-premises Control *** A 11.2.7 - Secure disposal or
reuse of equipment Control *** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk
& clear screen policy Control
*** A 11.2.7 - Secure disposal or reuse of equipment Control *** A 11.2.8 - Unattended user equipment
*** A 11.2.8 - Unattended user equipment Control *** A 11.2.9 - Clear desk & clear screen policy
Control
*** A 11.2.9 - Clear desk & clear screen policy Control

operational environments Control
*** A 12.1.2 - Change management Control *** A 12.1.3 - Capacity management Control *** A 12.1.4 -
Separation of development, testing & operational environments Control
*** A 12.1.4 - Separation of development, testing & operational environments Control
*** A 12.2.1 - Controls against malware Control
*** A 12.3.1 - Information backup Control
Administrator & operator logs Control *** A 12.4.4 - Clock synchronisation Control
*** A 12.4.2 - Protection of log information Control *** A 12.4.3 - Administrator & operator logs Control
*** A 12.4.4 - Clock synchronisation Control
*** A 12.4.3 - Administrator & operator logs Control *** A 12.4.4 - Clock synchronisation Control
*** A 12.4.4 - Clock synchronisation Control
*** A 12.5.1 - Installation of software on operational systems Control
installation Control
*** A 12.6.2 - Restrictions on software installation Control
- Segregation in networks Control
*** A 13.1.2 - Security of network services Control *** A 13.1.3 - Segregation in networks Control
*** A 13.1.3 - Segregation in networks Control
*** A 13.2.2 - Agreements on information transfer Control *** A 13.2.3 - Electronic messaging Control
*** A 13.2.3 - Electronic messaging Control *** A 13.2.4 - Confidentiality or nondisclosure agreements
Control
*** A 14.1.2 - Securing application services on public networks Control *** A 14.1.3 - Protecting
application services transactions Control
*** A 14.1.3 - Protecting application services transactions Control
testing Control
*** A 14.2.2 - System change control procedures Control *** A 14.2.3 - Technical review of applications
after operating platform changes Control *** A 14.2.4 - Restrictions on changes to software packages
Control *** A 14.2.5 - Secure system engineering principles Control *** A 14.2.6 - Secure development
testing Control *** A 14.2.9 - System acceptance testing Control
*** A 14.2.3 - Technical review of applications after operating platform changes Control *** A 14.2.4 -
Restrictions on changes to software packages Control *** A 14.2.5 - Secure system engineering
testing Control
*** A 14.2.4 - Restrictions on changes to software packages Control *** A 14.2.5 - Secure system
engineering principles Control *** A 14.2.6 - Secure development environment Control *** A 14.2.7 -
Outsourced development Control *** A 14.2.8 - System security testing Control *** A 14.2.9 - System
acceptance testing Control
*** A 14.2.5 - Secure system engineering principles Control *** A 14.2.6 - Secure development
testing Control *** A 14.2.9 - System acceptance testing Control
*** A 14.2.6 - Secure development environment Control *** A 14.2.7 - Outsourced development
Control *** A 14.2.8 - System security testing Control *** A 14.2.9 - System acceptance testing Control
*** A 14.2.7 - Outsourced development Control *** A 14.2.8 - System security testing Control *** A
14.2.9 - System acceptance testing Control
*** A 14.2.8 - System security testing Control *** A 14.2.9 - System acceptance testing Control
*** A 14.2.9 - System acceptance testing Control
supply chain Control
*** A 15.1.2 - Addressing security within supplier agreements Control *** A 15.1.3 - Information &
communication technology supply chain Control
*** A 15.1.3 - Information & communication technology supply chain Control
*** A 15.2.2 - Managing changes to supplier services Control
evidence Control
*** A 16.1.2 - Reporting information security events Control *** A 16.1.3 - Reporting information
security weaknesses Control *** A 16.1.4 - Assessment of & decision on information security events
Control *** A 16.1.5 - Response to information security incidents Control *** A 16.1.6 - Learning from
*** A 16.1.3 - Reporting information security weaknesses Control *** A 16.1.4 - Assessment of &
evidence Control
*** A 16.1.4 - Assessment of & decision on information security events Control *** A 16.1.5 - Response
to information security incidents Control *** A 16.1.6 - Learning from information security incidents
Control *** A 16.1.7 - Collection of evidence Control
*** A 16.1.5 - Response to information security incidents Control *** A 16.1.6 - Learning from
*** A 16.1.6 - Learning from information security incidents Control *** A 16.1.7 - Collection of evidence
Control
*** A 16.1.7 - Collection of evidence Control
Control
*** A 17.1.2 - Implementing information security continuity Control *** A 17.1.3 - Verify, review &
evaluate information security continuity Control
*** A 17.1.3 - Verify, review & evaluate information security continuity Control

controls Control
*** A 18.1.2 - Intellectual property rights Control *** A 18.1.3 - Protection of records Control *** A
18.1.4 - Privacy & protection of personally identifiable information Control *** A 18.1.5 - Regulation of
cryptographic controls Control
*** A 18.1.3 - Protection of records Control *** A 18.1.4 - Privacy & protection of personally identifiable
information Control *** A 18.1.5 - Regulation of cryptographic controls Control
*** A 18.1.4 - Privacy & protection of personally identifiable information Control *** A 18.1.5 -
Regulation of cryptographic controls Control
*** A 18.1.5 - Regulation of cryptographic controls Control
*** A 18.2.2 - Compliance with security policies & standards Control *** A 18.2.3 - Technical compliance
review Control
*** A 18.2.3 - Technical compliance review Control
security Control
*** A 5.1.2 - Review of the policies for information security Control
Control *** A 6.1.5 - Information security in project management Control
*** A 6.1.2 - Segregation of duties Control *** A 6.1.3 - Contact with authorities Control *** A 6.1.4 -
Contact with special interest groups Control *** A 6.1.5 - Information security in project management
Control
*** A 6.1.3 - Contact with authorities Control *** A 6.1.4 - Contact with special interest groups Control
*** A 6.1.5 - Information security in project management Control
*** A 6.1.4 - Contact with special interest groups Control *** A 6.1.5 - Information security in project
management Control
*** A 6.1.5 - Information security in project management Control

*** A 6.2.2 - Teleworking Control
*** A 7.1.1 - Screening Control *** A 7.1.2 - Terms & conditions of employment Control
*** A 7.1.2 - Terms & conditions of employment Control
education and training Control *** A 7.2.3 - Disciplinary process Control
*** A 7.2.2 - Information security awareness, education and training Control *** A 7.2.3 - Disciplinary
process Control
*** A 7.2.3 - Disciplinary process Control
Acceptable use of assets Control *** A 8.1.4 - Return of assets Control
*** A 8.1.2 - Ownership of assets Control *** A 8.1.3 - Acceptable use of assets Control *** A 8.1.4 -
Return of assets Control
*** A 8.1.3 - Acceptable use of assets Control *** A 8.1.4 - Return of assets Control
*** A 8.1.4 - Return of assets Control
8.2.3 - Handling of assets Control
*** A 8.2.2 - Labelling of information Control *** A 8.2.3 - Handling of assets Control
*** A 8.2.3 - Handling of assets Control
*** A 8.3.2 - Disposal of media Control *** A 8.3.3 - Physical media transfer Control
*** A 8.3.3 - Physical media transfer Control
*** A 9.1.2 - Access to networks & network services Control
- Removal or adjustment of access rights Control
*** A 9.2.2 - User access provisioning Control *** A 9.2.3 - Management of privileged access rights
Control *** A 9.2.4 - Management of secret authentication information of users Control *** A 9.2.5 -
Review of user access rights Control *** A 9.2.6 - Removal or adjustment of access rights Control
*** A 9.2.4 - Management of secret authentication information of users Control *** A 9.2.5 - Review of
user access rights Control *** A 9.2.6 - Removal or adjustment of access rights Control
*** A 9.2.5 - Review of user access rights Control *** A 9.2.6 - Removal or adjustment of access rights
Control
*** A 9.2.6 - Removal or adjustment of access rights Control
*** A 9.3.1 - Use of secret authentication information Control
*** A 9.4.2 - Secure log-on procedures Control *** A 9.4.3 - Password management system Control ***
A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to program source code
Control
*** A 9.4.3 - Password management system Control *** A 9.4.4 - Use of privileged utility programs
Control *** A 9.4.5 - Access control to program source code Control
*** A 9.4.4 - Use of privileged utility programs Control *** A 9.4.5 - Access control to program source
code Control
*** A 9.4.5 - Access control to program source code Control

Grouping at Objective Level (Concating At Change of Level)
Control
testing Control

evidence Control
Control

controls Control
security Control
Grouping at Objective Level (Remove Duplicate)
Control
testing Control
evidence Control
Control
controls Control
security Control

(27K1) Pure Requirement Lists of 27002 Controls

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

(27K1) Pure Requirement Lists of 27002 Controls

Загружено:

Авторское право:

Доступные форматы

Control ID Control Title

Policy on the use of cryptographic

A 10.1.2 Key management Control

A 11.1.1 Physical security perimeter Control

A 11.1.2 Physical entry controls Control

Securing offices, rooms & facilities

Protecting against external &

A 11.1.5 Working in secure areas Control

Equipment siting & protection

A 11.2.2 Supporting utilities Control

A 11.2.3 Cabling security Control

A 11.2.4 Equipment maintenance Control

A 11.2.5 Removal of assets Control

Security of equipment & assets off-

Secure disposal or reuse of

A 11.2.8 Unattended user equipment Control

Clear desk & clear screen policy

A 12.1.2 Change management Control

A 12.1.3 Capacity management Control

Separation of development, testing &

A 12.2.1 Controls against malware Control

A 12.3.1 Information backup Control

A 12.4.1 Event logging Control

A 12.4.2 Protection of log information Control

A 12.4.4 Clock synchronisation Control

A 13.1.1 Network controls Control

A 13.1.2 Security of network services Control

A 13.1.3 Segregation in networks Control

Information transfer policies &

Agreements on information transfer

A 13.2.3 Electronic messaging Control

Info Security Requirement Analysis &

Protecting application services

A 14.2.1 Secure development policy Control

System change control procedures

Technical review of applications after

Restrictions on changes to software

Secure system engineering principles

Secure development environment

A 14.2.7 Outsourced development Control

A 14.2.8 System security testing Control

Addressing security within supplier

Information & communication

A 16.1.1 Responsibilities & procedures Control

Reporting information security

Reporting information security

Assessment of & decision on

Response to information security

Planning information security

Implementing information security

Verify, review & evaluate information

Availability of information processing

A 18.1.2 Intellectual property rights Control

A 18.1.3 Protection of records Control

A 18.1.4 Privacy & protection of personally

Regulation of cryptographic controls

Independent review of information

Information security roles &

A 6.1.2 Segregation of duties Control

A 6.1.3 Contact with authorities Control

Contact with special interest groups

Terms & conditions of employment

A 7.2.1 Management responsibilities Control