ISO/IEC 27001:2013 Annex A control catalogue, sections A.5 to A.11 (all entries dated 2021-10-13).

| # | Annex | Domain | Category | Control | Requirement | Control objective |
|---|---|---|---|---|---|---|
| 1 | A.5 | Information security policies | Management direction for information security | Policies for information security | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |
| 2 | A.5 | Information security policies | Management direction for information security | Review of the policies for information security | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |
| 3 | A.6 | Organization of information security | Internal organization | Information security roles and responsibilities | All information security responsibilities shall be defined and allocated. | To establish a management framework to initiate and control the implementation and operation of information security within the organization. |
| 4 | A.6 | Organization of information security | Internal organization | Segregation of duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | To establish a management framework to initiate and control the implementation and operation of information security within the organization. |
| 5 | A.6 | Organization of information security | Internal organization | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained. | To establish a management framework to initiate and control the implementation and operation of information security within the organization. |
| 6 | A.6 | Organization of information security | Internal organization | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | To establish a management framework to initiate and control the implementation and operation of information security within the organization. |
| 7 | A.6 | Organization of information security | Internal organization | Information security in project management | Information security shall be addressed in project management, regardless of the type of the project. | To establish a management framework to initiate and control the implementation and operation of information security within the organization. |
| 8 | A.6 | Organization of information security | Mobile devices and teleworking | Mobile device policy | A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | To ensure the security of teleworking and use of mobile devices. |
| 9 | A.6 | Organization of information security | Mobile devices and teleworking | Teleworking | A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. | To ensure the security of teleworking and use of mobile devices. |
| 10 | A.7 | Human resource security | Prior to employment | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |
| 11 | A.7 | Human resource security | Prior to employment | Terms and conditions of employment | The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. | To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |
| 12 | A.7 | Human resource security | During employment | Management responsibilities | Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | To ensure that employees and contractors are aware of and fulfil their information security responsibilities. |
| 13 | A.7 | Human resource security | During employment | Information security awareness, education and training | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | To ensure that employees and contractors are aware of and fulfil their information security responsibilities. |
| 14 | A.7 | Human resource security | During employment | Disciplinary process | There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | To ensure that employees and contractors are aware of and fulfil their information security responsibilities. |
| 15 | A.7 | Human resource security | Termination and change of employment | Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | To protect the organization's interests as part of the process of changing or terminating employment. |
| 16 | A.8 | Asset management | Responsibility for assets | Inventory of assets | Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. | To identify organizational assets and define appropriate protection responsibilities. |
| 17 | A.8 | Asset management | Responsibility for assets | Ownership of assets | Assets maintained in the inventory shall be owned. | To identify organizational assets and define appropriate protection responsibilities. |
| 18 | A.8 | Asset management | Responsibility for assets | Acceptable use of assets | Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | To identify organizational assets and define appropriate protection responsibilities. |
| 19 | A.8 | Asset management | Responsibility for assets | Return of assets | All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | To identify organizational assets and define appropriate protection responsibilities. |
| 20 | A.8 | Asset management | Information classification | Classification of information | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. | To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. |
| 21 | A.8 | Asset management | Information classification | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. |
| 22 | A.8 | Asset management | Information classification | Handling of assets | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. |
| 23 | A.8 | Asset management | Media handling | Management of removable media | Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. |
| 24 | A.8 | Asset management | Media handling | Disposal of media | Media shall be disposed of securely when no longer required, using formal procedures. | To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. |
| 25 | A.8 | Asset management | Media handling | Physical media transfer | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. |
| 26 | A.9 | Access control | Business requirements of access control | Access control policy | An access control policy shall be established, documented and reviewed based on business and information security requirements. | To limit access to information and information processing facilities. |
| 27 | A.9 | Access control | Business requirements of access control | Access to networks and network services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | To limit access to information and information processing facilities. |
| 28 | A.9 | Access control | User access management | User registration and de-registration | A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | To ensure authorized user access and to prevent unauthorized access to systems and services. |
| 29 | A.9 | Access control | User access management | User access provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | To ensure authorized user access and to prevent unauthorized access to systems and services. |
| 30 | A.9 | Access control | User access management | Management of privileged access rights | The allocation and use of privileged access rights shall be restricted and controlled. | To ensure authorized user access and to prevent unauthorized access to systems and services. |
| 31 | A.9 | Access control | User access management | Management of secret authentication information of users | The allocation of secret authentication information shall be controlled through a formal management process. | To ensure authorized user access and to prevent unauthorized access to systems and services. |
| 32 | A.9 | Access control | User access management | Review of user access rights | Asset owners shall review users' access rights at regular intervals. | To ensure authorized user access and to prevent unauthorized access to systems and services. |
| 33 | A.9 | Access control | User access management | Removal or adjustment of access rights | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | To ensure authorized user access and to prevent unauthorized access to systems and services. |
| 34 | A.9 | Access control | User responsibilities | Use of secret authentication information | Users shall be required to follow the organization's practices in the use of secret authentication information. | To make users accountable for safeguarding their authentication information. |
| 35 | A.9 | Access control | System and application access control | Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. | To prevent unauthorized access to systems and applications. |
| 36 | A.9 | Access control | System and application access control | Secure log-on procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | To prevent unauthorized access to systems and applications. |
| 37 | A.9 | Access control | System and application access control | Password management system | Password management systems shall be interactive and shall ensure quality passwords. | To prevent unauthorized access to systems and applications. |
| 38 | A.9 | Access control | System and application access control | Use of privileged utility programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | To prevent unauthorized access to systems and applications. |
| 39 | A.9 | Access control | System and application access control | Access control to program source code | Access to program source code shall be restricted. | To prevent unauthorized access to systems and applications. |
| 40 | A.10 | Cryptography | Cryptographic controls | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. |
| 41 | A.10 | Cryptography | Cryptographic controls | Key management | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. |
| 42 | A.11 | Physical and environmental security | Secure areas | Physical security perimeter | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. |
| 43 | A.11 | Physical and environmental security | Secure areas | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. |
| 44 | A.11 | Physical and environmental security | Secure areas | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and applied. | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. |
| 45 | A.11 | Physical and environmental security | Secure areas | Protecting against external and environmental threats | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. |
| 46 | A.11 | Physical and environmental security | Secure areas | Working in secure areas | Procedures for working in secure areas shall be designed and applied. | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. |
| 47 | A.11 | Physical and environmental security | Secure areas | Delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. |
| 48 | A.11 | Physical and environmental security | Equipment | Equipment siting and protection | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. |
| 49 | A.11 | Physical and environmental security | Equipment | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. |
| 50 | A.11 | Physical and environmental security | Equipment | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. | To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. |