ISO/IEC 270

Control cro

Original version generously contributed to th

and updated for the 2013 release of
with trivial formatting mods and this p

The spreadsheet classifies the information security controls recommended by ISO/IEC 27002:

In this classification, controls are intended to:

- Deter: the control reduces the threat, deterring hackers from attacking a given system for
- Avoid: the control involves avoiding risky situations, perhaps ensuring that a known vulnera
- Prevent: the control usually reduces the vulnerability (most common security controls act i
- Detect: the control helps identify an event or incident as soon as possible, generally trigge
- React: the control helps minimise the impact of incidents by promptly and effectively react
- Recover: the control helps minimise the impact of incidents by aiding the restoration of no
... while the objectives of the controls are primarily to maintain the confidentiality, integrit

Other classifications are possible. Furthermore, you may disagree with the particular way we
point for discussion. Feel free to modify this spreadsheet as you wish for your own purposes

One way to use the spreadsheet is to identify and mark any controls that are excluded from y
appropriate to your circumstances. Then look down the columns to check that you still have

You may also use this spreadsheet when deciding how to treat identified risks, choosing a ba

Copyright

This work is copyright 2014, ISO27k Forum, some rights reserved. It is licensed under the Creative Common
use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial prod
they are published or shared, derivative works are shared under the same terms as this.

Control Cross Check

ISO/IEC 27002

Control

section

5
5.1

Management direction for information security

Policies for information security
Review of the policies for information security

Internal Organization

6.1.1
6.1.2
6.1.3
6.1.4
6.1.5

Information security roles and responsibilities

Segregation of duties
Contact with authorities
Contact with special interest groups
Information security in project management

6.2

Mobile devices and teleworking

6.2.1
6.2.2

Mobile device policy

Teleworking

Prior to employment

7.1.1
7.1.2

Screening
Terms and conditions of employment

7.2

During employment

7.2.1
7.2.2
7.2.3

Management responsibilities
Information security awareness, education and training
Disciplinary process

7.3

Termination and change of employment

7.3.1

Termination or change of employment responsibilities

8.1

Responsibility for Assets

Inventory of Assets
Ownership of assets
Acceptable use of assets
Return of assets

8.2

Information classification

8.2.1
8.2.2
8.2.3

Classification of information
Labelling of information
Handling of assets

8.3

Media handling

8.3.1
8.3.2
8.3.3

Management of removeable media

Disposal of media
Physical media transfer

P
P

P
P

P
P
P
P
P

P
P

Recover

Confidentiality

Integrity

Availability

P
P

P
P

P
P

P
P

P
P

P
P
P
P
P

P
P
P
P

P
P
P

P
P

P
P

P
P

P
P

P
P

P
P
P

P
P
P

P
P
P

P
P
P
P

P
P
P
P

P
P
P
P

P
P

P
P
P

P
P
P
P
P
P

P
P
P

P
P

P
P

P
P

P
P
P

P
P
P

P
P
P

P
P
P

P
P
P
P

P
P

P
P

P
P
P

P
P

P
P

P
P
P
P

P
P
P

P
P
P

P
P

P
P

P
P

P
P

P
P

P
P
P
P
P

P
P
P
P
P
P

P
P
P
P
P
P

Access Control

9.1

Business requirements of access control

9.1.1
9.1.2

Access control policy

Access to networks and network services

9.2

User access management

9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6

User registration and de-registration

User access provisioning
Management of privileged access rights
Management of secret authentication information of users
Review of user access rights
Removal or adjustment of access rights

9.3

User responsibilities

9.3.1

Use of secret authentication information

9.4

System and application access control

276063039.xlsx

P
P

React

Asset Management

8.1.1
8.1.2
8.1.3
8.1.4

P
P

Primary objective

Detect

Human Resources Security

7.1

Prevent

Organization of information security

6.1

Avoid

Information security policies

5.1.1
5.1.2

Type
Deter

P
P
P

36

Control Cross Check

9.4.1
9.4.2
9.4.3
9.4.4
9.4.5

10

Information access restriction

Secure log-on procedures
Password management system
Use of privileged utility programs
Access control to program source code

Cryptographic controls

10.1.1
10.1.2

Policy on the use of cryptographic controls

Key management

Secure Areas

11.1.1
11.1.2
11.1.3
11.1.4
11.1.5
11.1.6

Physical security perimeter

Physical entry controls
Securing offices, rooms and facilities
Protecting against external and environmental attacks
Working in secure areas
Delivery and loading areas

11.2

Equipment

11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9

Equipment siting and protection

Supporting utilities
Cabling Security
Equipment maintenance
Removal of assets
Security of equipment and assets off-premises
Secure disposal or re-use of equipment
Unattended user equipment
Clear desk and clear screen policy

Operational procedures and responsibilities

12.1.1
12.1.2
12.1.3
12.1.4

Documented operating procedures

Change management
Capacity management
Separation of development, testing and operational environments

12.2

Protection from malware

12.2.1

Controls against malware

12.3

Backup

12.3.1

Information backup

12.4

Logging and monitoring

12.4.1
12.4.2
12.4.3
12.4.4

Event logging
Protection of log information
Administrator and operator logs
Clock synchronisation

12.5

Control of operational software

12.5.1

Installation of software on operational systems

12.6

Technical Vulnerability Management

12.6.1
12.6.2

Control of technical vulnerabilities

Restrictions on software installation

12.7

Information systems audit controls

12.7.1

Information systems audit controls

P
P
P
P
P

P
P

P
P

P
P
P

P
P
P

P
P

P
P

P
P

P
P
P

P
P
P
P

P
P

P
P
P
P
P
P
P

P
P
P

P
P
P
P
P
P
P
P
P
P
P

P
P

P
P

P
P

P
P

P
P
P
P
P

P
P

P
P
P

P
P
P
P
P
P
P
P
P
P
P
P

P
P
P
P

P
P
P

P
P

P
P

P
P
P

P
P

P
P

P
P
P
P

P
P
P

P
P
P
P

P
P
P

P
P

P
P
P

P
P

Communications security

13.1

Network security management

13.1.1
13.1.2
13.1.3

Network controls
Security of network services
Segregation in networks

13.2

Information transfer

276063039.xlsx

P
P
P
P

Operations security

12.1

13

P
P
P
P
P

Physical and Environmental Security

11.1

12

Cryptography

10.1

11

P
P
P

P
P

46

P
P
P

P
P
P

P
P
P

P
P

Control Cross Check

13.2.1
13.2.2
13.2.3
13.2.4

14

Information transfer policies and procedures

Agreements on information transfer
Electronic messaging
Confidentiality or non-disclosure agreements

Security requirements of information systems

14.1.1
14.1.2
14.1.3

Information security requirements analysis and specification

Securing application services on public networks
Protecting application services transactions

14.2

Security in development and support processes

14.2.1
14.2.2
14.2.3
14.2.4
14.2.5
14.2.6
14.2.7
14.2.8
14.2.9

Secure development policy

System change control procedures
Technical review of applications after operating platform changes
Restrictions on changes to software packages
Secure system engineering principles
Secure development environment
Outsourced software development
System security testing
System acceptance testing

14.3

Test data

14.3.1

Protection of system test data

15.1

Information security in supplier relationships

Information security in supplier relationships
Addressing security within supplier agreements
Information and communication technology supply chain

15.2

Supplier service delivery management

15.2.1
15.2.2

Monitoring and review of supplier services

Managing changes to supplier services

Management of information security incidents and improvements

16.1.1
16.1.2
16.1.3
16.1.4
16.1.5
16.1.6
16.1.7

Responsibilities and procedures

Reporting information security events
Reporting information security weaknesses
Assessment of and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence

17.1

Information security continuity

Planning information security continuity
Implementing information security continuity
Verify, review and evaluate information security continuity

17.2

Redundancies

17.2.1

Availability of information processing facilities

P
P

P
P
P

P
P
P
P
P
P
P
P

P
P

P
P
P
P
P
P

P
P
P
P
P
P

P
P
P
P

P
P
P

P
P
P

P
P
P

P
P
P

P
P
P

P
P
P

P
P

P
P

P
P

P
P
P

P
P
P
P

P
P

P
P
P
P
P
P
P

P
P
P
P
P
P
P

P
P
P
P
P
P
P

P
P

P
P
P

P
P
P

Compliance

18.1

Compliance with legal and contractual requirements

18.1.1
18.1.2
18.1.3
18.1.4
18.1.5

Identification of applicable legislation and contractual requirements

Intellectual property rights
Protection of records
Privacy and protection of personally identifiable information
Regulation of cryptographic controls

18.2

Information security reviews

18.2.1
18.2.2

Independent review of information security

Compliance with security policies and standards

276063039.xlsx

P
P
P

P
P

Information security aspects of business continuity management

17.1.1
17.1.2
17.1.3

18

P
P
P

Information security incident management

16.1

17

Supplier relationships

15.1.1
15.1.2
15.1.3

16

P
P
P
P

P
P
P

P
P
P
P

System acquisition, development and maintenance

14.1

15

P
P

P
P
P
P
P
P
P

P
P

56

P
P
P
P
P

P
P

P
P

P
P

Control Cross Check

18.2.3

276063039.xlsx

Technical compliance review

66