Annex A Controls

Define, approve, publish, communicate and review a set of policies for information security at planned intervals.

Define and allocate information security roles and responsibilities across the organisation.

Segregate conflicting duties and areas of responsibility to reduce the risk of fraud, error and misuse.

Management requires all personnel to apply information security in accordance with policies and procedures.

Establish and maintain contact with relevant authorities.

Maintain contact with special interest groups, security forums and professional associations.

Collect and analyse information related to information security threats to produce threat intelligence.

Integrate information security in project management regardless of the type of project.

Develop and maintain an inventory of information and other associated assets, including owners.

Identify, document and implement rules for the acceptable use of information and assets.

Personnel and other interested parties return all organisational assets on termination of employment or contract.

Classify information according to its information security needs based on confidentiality, integrity, availability and stakeholder requirements.

Develop and implement procedures for labelling information in line with the classification scheme.

Establish rules, procedures and agreements for transferring information securely within and outside the organisation.

Establish and implement rules to control physical and logical access to information and associated assets based on business and security requirements.

Manage the full life cycle of identities.

Allocate and manage authentication information securely, including advising personnel on its proper handling.

Provision, review, modify and remove access rights in accordance with the access control policy.

Define and implement processes and procedures to manage information security risks associated with the use of supplier products and services.

Establish and agree relevant information security requirements with each supplier based on the type of supplier relationship.

Manage information security risks associated with the ICT products and services supply chain.

Regularly monitor, review, evaluate and manage changes to supplier information security practices and service delivery.

Establish processes for the acquisition, use, management and exit from cloud services in accordance with the organisation's security requirements.

Plan and prepare for managing information security incidents by defining, establishing and communicating processes, roles and responsibilities.

Assess information security events and decide whether they are to be categorised as incidents.

Respond to information security incidents in accordance with the documented procedures.

Use knowledge gained from incidents to strengthen and improve information security controls.

Establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Plan how to maintain information security at an appropriate level during disruption.

Plan, implement, maintain and test ICT readiness based on business continuity objectives and ICT continuity requirements.

Identify, document and keep up to date legal, statutory, regulatory and contractual requirements relevant to information security.

Implement procedures to protect intellectual property rights.

Protect records from loss, destruction, falsification, unauthorised access and unauthorised release.

Identify and meet requirements for the preservation of privacy and protection of PII.

Independently review the organisation's approach to managing information security at planned intervals or when significant changes occur.

Regularly review compliance with the organisation's information security policies, topic-specific policies, rules and standards.

Document operating procedures for information processing facilities and make them available to those who need them.

Carry out background verification checks on all candidates prior to joining, proportionate to business requirements, classification of information and perceived risks.

Employment contracts state the personnel's and organisation's responsibilities for information security.

Provide personnel and relevant interested parties with appropriate awareness, education and training and regular updates.

Formalise and communicate a disciplinary process to take action against personnel and other interested parties who have committed an information security policy violation.

Define, enforce and communicate information security responsibilities and duties that remain valid after termination or change of employment.

Identify, document, regularly review and have signed by personnel and other relevant interested parties confidentiality or non-disclosure agreements.

Implement security measures when personnel work remotely to protect information accessed, processed or stored outside the organisation's premises.

Provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Define and use security perimeters to protect areas that contain information and associated assets.

Protect secure areas by appropriate entry controls and access points.

Design and apply physical security for offices, rooms and facilities.

Continuously monitor premises for unauthorised physical access.

Design and implement protection against physical and environmental threats such as natural disasters and intentional attacks.

Design and implement procedures for working in secure areas.

Define and enforce clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities.

Site and protect equipment securely.

Protect off-site assets.

Manage storage media through their life cycle of acquisition, use, transportation and disposal in accordance with the classification scheme and handling requirements.

Protect information processing facilities from power failures and other disruptions caused by failures in supporting utilities.

Protect cables carrying power, data or supporting information services from interception, interference or damage.

Correctly maintain equipment to ensure availability, integrity and confidentiality of information.

Verify items of equipment containing storage media to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.

Protect information stored on, processed by or accessible via user endpoint devices.

Restrict and manage the allocation and use of privileged access rights.

Restrict access to information and other associated assets in accordance with the established access control policy.

Appropriately manage read and write access to source code, development tools and software libraries.

Implement secure authentication technologies and procedures based on the access restrictions and the topic-specific policy on access control.

Monitor and adjust the use of resources in line with current and expected capacity requirements.

Implement protection against malware supported by appropriate user awareness.

Obtain information about technical vulnerabilities, evaluate the exposure and take appropriate measures.

Establish, document, implement, monitor and review configurations, including security configurations, of hardware, software, services and networks.

Delete information stored in information systems, devices or in any other storage media when no longer required.

Use data masking in accordance with the access control policy and business requirements, taking applicable legislation into consideration.

Apply data leakage prevention measures to systems, networks and other devices that process, store or transmit sensitive information.

Maintain and regularly test backup copies of information, software and systems in accordance with the agreed backup policy.

Implement information processing facilities with sufficient redundancy to meet availability requirements.

Produce, store, protect and analyse logs that record activities, exceptions, faults and other relevant events.

Monitor networks, systems and applications for anomalous behaviour and take appropriate actions to evaluate potential information security incidents.

Synchronise clocks of information processing systems to approved time sources.

Restrict and tightly control the use of utility programs that can override system and application controls.

Implement procedures and measures to securely manage software installation on operational systems.

Secure, manage and control networks and network devices to protect information in systems and applications.

Identify, implement and monitor security mechanisms, service levels and service requirements of network services.

Segregate groups of information services, users and information systems in the organisation's networks.

Manage access to external websites to reduce exposure to malicious content.

Define and implement rules for the effective use of cryptography, including cryptographic key management.

Establish and apply rules for the secure development of software and systems.

Identify, specify and approve information security requirements when developing or acquiring applications.

Establish, document, maintain and apply secure system engineering principles to information system development activities.

Apply secure coding principles to software development.

Define and implement security testing processes in the development lifecycle.

Direct, monitor and review activities related to outsourced system development.

Separate and secure development, testing and production environments.

Subject changes to information processing facilities and systems to change management procedures.

Select, protect and manage test information appropriately.

Plan and agree audit tests and other assurance activities involving operational systems to minimise disruption.