-
01-03. Context of the organization
Note: There are no requirements in these sections.
-
04. Context of the organization
04.1 Understanding the organization and its context
04.2 Understanding the needs and expectations of interested parties
04.3 Determining the scope of the information security management system
04.4 Information security management system
-
05. Leadership
05.1 Leadership and commitment
05.2 Policy
05.3 Organizational roles, responsibilities and authorities
-
06. Planning
06.1 Actions to address risks and opportunities
06.2 Information security objectives and planning to achieve them
-
07. Support
07.1 Resources
07.2 Competence
07.3 Awareness
07.4 Communication
07.5 Documented information
-
08. Operation
08.1 Operational planning and control
08.2 Information security risk assessment
08.3 Information security risk treatment
-
09. Performance evaluation
09.1 Monitoring, measurement, analysis and evaluation
09.2 Internal audit
09.3 Management review
-
10. Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
-
A05. Information security policies
A05.1 Management direction for information security
-
A06. Organization of information security
A06.1 Internal organization
A06.2 Mobile devices and teleworking
-
A07. Human resource security
A07.1 Prior to employment
A07.2 During employment
A07.3 Termination and change of employment
-
A08. Asset management
A08.1 Responsibility for assets
A08.2 Information classification
A08.3 Media handling
-
A09. Access control
A09.1 Business requirements of access control
A09.2 User access management
A09.3 User responsibilities
A09.4 System and application access control
-
A10. Cryptography
A10.1 Cryptographic controls
-
A11. Physical and environmental security
A11.1 Secure areas
A11.2 Equipment
-
A12. Operations security
A12.1 Operational procedures and responsibilities
A12.2 Protection from malware
A12.3 Backup
A12.4 Logging and monitoring
A12.5 Control of operational software
A12.6 Technical vulnerability management
A12.7 Information systems audit considerations
-
A13. Communications security
A13.1 Network security management
A13.2 Information transfer
-
A14. System acquisition, development & maintenance
A14.1 Security requirements of information systems
A14.2 Security in development and support processes
A14.3 Test data
-
A15. Supplier relationships
A15.1 Information security in supplier relationships
A15.2 Supplier service delivery management
-
A16. Information security incident management
A16.1 Management of information security incidents and improvements
-
A17. Information security aspects of business continuity management
A17.1 Information security continuity
A17.2 Redundancies
-
A18. Compliance
A18.1 Compliance with legal and contractual requirements
A18.2 Information security reviews