Saturday, September 25 2021


ISO 27001 requirements version 2013

Quiz requirements ISO 27001 version 2013

You want to familiarize yourself with the structure of the standard, identify and understand the requirements of ISO 27001 version 2013, then it's up to you to play!


The quiz "ISO 27001 Requirements of version 2013" will help you understand the main requirements of the standard.

The questions (requirements) for this quiz are 69, don't panic. The requirements of the standard are 252 but these 69 requirements are among the most important, so don't hesitate to learn in a fun way!

Don't think that you can complete this quiz in less than an hour, or even two hours, unless of course you are a little genius!

The 252 requirements (shall, shall) of clauses 4 to 10 and annex A of ISO 27001 are broken down as follows:

ISO 27001 requirements version 2013 copyleft
PDCA cycle
Requirement No
Context Plan
1 ÷ 9
5 Leadership Plan, Do, Check, Act
10 ÷ 27
6 Planning Plan
28 ÷ 63
7 Support Do
64 ÷ 88
8 Operation Do
89 ÷ 97
9 Performance Check 98 ÷ 126 29
10 Improvement Act 127 ÷ 138 12
  Annex A Plan, Do, Check, Act 139 ÷ 252 114

requirements iso 27001

Requirements in ISO 27001 clauses, sub-clauses and annex A



Deming PDCA cycle


Note. Any requirement normally begins with "The organization shall ...". For simplicity we present the requirements directly starting with the verb.

ISO 27001 - Requirements and comments
PDCA cycle, links, comments
The organization and its context
Determine external and internal issues Understand everything that can influence the purpose (mission) of the company (corporate culture, innovation, strategic orientation, competition, market, obligations, working time, working conditions) and its ability to obtain the expected results of the ISMS. See sub-clauses 6.1 and 7.5.1
Interested parties
4.2 a
Determine interested parties Concerned with the ISMS, such as laws, contracts and others. See sub-clause 7.5.1
3 4.2 b Determine needs and expectations Interested parties relating to information security requirements and obligations
Determine the scope of the ISMS (Administrative) limits and applicability
5  4.3 a Take into account external and internal issues "To determine hazards is to reduce risks". Cf. sub-clause 4.1
6  4.3 b Take into account the requirements of interested parties When changing processes, requirements, infrastructure. See sub-clause 4.2
7 4.3 c Take into account the profesional interfaces "No-risk situations do not exist". Interactivity of internal activities and those of other organizations
8 4.3 Make the scope available as documented information Cf. sub-clause 7.5.1
Information security management system
9  4.4 Establish, implement and maintain and improve the ISMS "If you cannot describe what you are doing as a process, you do not know what you're doing". Edwards Deming. In accordance with the requirements of ISO 27001. Information security manual, cf. sub-clause 7.5.1 
Leadership and commitment
10 5.1 a Ensure that the information security policy and objectives are established

"When you sweep the stairs, you start at the top. Romanian proverb." Ensure compatibility with strategic direction. Top management is showing leadership. Affirm top management's commitment to the ISMS

11 5.1 b Ensure that ISMS requirements are integrated into business processes Show leadership
12 5.1 c Ensure that the necessary resources for the ISMS are available Resources to establish, apply, maintain and improve the ISMS. Cf. sub-clause 4.4
13 5.1 d Communicate on the importance of an effective ISMS And comply with the requirements of ISO 27001
14 5.1 e Ensure that the ISMS achieves the intended results Commitment, responsiveness and active support from top management
15 5.1 f

Guide and support people

In order to contribute to the performance of the ISMS
16 5.1 g Promote continual improvement "Employees first, customers second. Vineet Nayar." Show leadership. Cf. clause 10
17 5.1 h Help those affected to show leadership When necessary for their area of responsibility
18 5.2 a Establish an information security policy Taking into account the mission of the organization. Keep the policy up to date. Cf. sub-clause 7.5.1
19 5.2 b Provide a framework for establishing information security objectives Cf. sub-clause 6.2
20 5.2 c Commit to meet applicable requirements Regarding information security
21 5.2 d Commit to continual improvement of the ISMS Cf. clause 10
22 5.2 e Make the information security policy available as documented information Cf. sub-clause 7.5.1
23 5.2 f Communicate the information security policy At all levels of the organization
24 5.2 g Keep the information security policy available to interested parties If applicable
Roles, responsibilities and authorities
25 5.3 Ensure that responsibilities and authorities for the ISMS are assigned And communicated at all levels of the organization. "Responsibility cannot be shared. Robert Heinlein". Cf. sub-clause 7.5.1
26 5.3 a Ensure that the ISMS meets the requirements of the ISO 27001 standard And who has the responsibility and authority at all levels of the organization. Remember that in the end top management is fully responsible (cf. sub-clause 5.1)
27 5.3 b Submit reports on ISMS performance to top management on a regular basis By assigning responsibility and authority by name, cf. sub-clause 7.5.1
Actions to address risks
28 6.1.1 a Determine risks and opportunities In order to ensure that the ISMS can achieve the expected results. Cf. sub-clause 4.1 for issues and sub-clause 4.2 for requirements. An inventory of the situation is always useful before planning. "Any decision involves a risk. Peter Barge"
29 6.1.1 b Determine risks and opportunities In order to anticipate or reduce side effects
30  6.1.1 c Determine risks and opportunities In order to be part of the continual improvement process, cf. clause 10
31 6.1.1 d Plan actions to address these risks and opportunities Cf. sub-clause 6.1.3
32 6.1.1 e 1 Plan how to integrate and implement the necessary actions For all processes of the ISMS
33 6.1.1 e 2 Plan how to assess the effectiveness of actions taken Cf. sub-clause 6.1.3
Risk assessment
34 6.1.2 a 1 Apply an information security risk assessment process By establishing and maintaining acceptance criteria
35 6.1.2 a 2 Apply an information security risk assessment process By establishing and updating the criteria for carrying out assessments
36 6.1.2 b Apply an information security risk assessment process By ensuring that the repetition of risk assessments leads to consistent, valid and comparable results
37 6.1.2 c 1 Apply an information security risk assessment process By identifying the risks associated with the loss of confidentiality, integrity and availability of information
38 6.1.2 c 2 Apply an information security risk assessment process By identifying the risk owners
39 6.1.2 d 1 Apply an information security risk assessment process

By analyzing the risks and the potential consequences of risks in 6.1.2 c 1 materializing

40 6.1.2 d 2  Apply an information security risk assessment process By analyzing the risks and assessing the likelihood of occurrence of the risks identified in 6.1.2 c 1
41 6.1.2 d 3 Apply an information security risk assessment process By analyzing risks and determining risk levels
42 6.1.2 e 1 Apply an information security risk assessment process By evaluating the risks and comparing the results of the risk analysis with the criteria in 6.1.2 a
43 6.1.2 e 2 Apply an information security risk assessment process By evaluating the risks and prioritizing the analyzed risks
44 6.1.2 Retain documented information on the information security risk assessment process Cf. sub-clause 7.5.1
Risk treatment
45 6.1.3 a Apply an information security risk treatment process In order to choose the risk treatment options taking into account the results in 6.1.2
46 6.1.3 b Apply an information security risk treatment process In order to determine the necessary measures to be taken for the chosen option
47 6.1.3 c Apply an information security risk treatment process In order to compare the measurements determined in 6.1.3 b and those of annex A of ISO 27001
48 6.1.3 d Apply an information security risk treatment process In order to produce a statement of applicability including the necessary measures (cf. 6.1.3 b and c), the justification for their inclusion, their implementation (or not), the justification for the exclusion of controls from Annex A of ISO 27001
49  6.1.3 e Apply an information security risk treatment process In order to develop a risk treatment plan, cf. sub-clause 6.2
50  6.1.3 f Apply an information security risk treatment process In order to obtain from the risk owners the validation of the risk treatment plan and the acceptance of residual risks
51 6.1.3 Retain documented information on the information security risk treatment process  Cf. sub-clause 7.5.1
52 6.2 Establish information security objectives For all functions and levels in the organization
53 6.2 a Determine information security objectives Consistent with the organization's information security policy
54 6.2 b Determine information security objectives Measurables, if possible
55 6.2 c Determine information security objectives Taking into account the requirements applicable to information security, the results of the risk assessment and treatment
56 6.2 d Determine information security objectives And communicate them, cf. sub-clause 7.4
57 6.2 e Determine information security objectives And update them, if appropriate
58 6.2 Retain documented information on objecives Related to information security, including the objective achievement plan, cf. sub-clause 7.5.1
59 6.2 f Determine when planning information security objectives What will be dona
60 6.2 g Determine when planning information security objectives The necessary resources
61 6.2 h Determine when planning information security objectives The responsible
62 6.2 i Determine when planning information security objectives The deadlines
63 6.2 j Determine when planning information security objectives How the results will be evaluated
Identify and provide the resources needed In order to establish, apply, maintain and improve the ISMS. Resources provided, cf. sub-clause 7.5.1
65  7.2 a Determine the necessary competence of the people involved Those involved can affect information security performance
66 7.2 b Ensure that these people are competent On the basis of initial and professional training and experience
67 7.2 c Take actions to acquire and keep the necessary competence updated And evaluate the effectiveness of these actions. Actions include training, but also supervision, reassignment and recruitment of competent people
68 7.2 d Retain documented information on competence Cf. sub-clause 7.5.1 like the competence development plan
7.3 a
Make people aware of the information security policy and objectives Cf. sub-clauses 5.2 and 6.2. Awareness enhancement plan, cf. sub-clause 7.5.1
70 7.3 b Make people aware of the importance of their contribution to the effectiveness of the ISMS And the beneficial effects of improved performance of the ISMS
71 7.3 c Make people aware of the repercussions and consequences of not conforming with ISMS requirements Do not forget the potential consequences on all professional activities
72 7.4 a Determine internal and external communication needs Including on which subjects, communication improvement plan, cf. sub-clause 7.5.1
73 7.4 b Determine internal and external communication needs Including when
74 7.4 c Determine internal and external communication needs Including with whom
75 7.4 d Determine internal and external communication needs Including who shall communicate
76 7.4 e Determine internal and external communication needs Including the communication processes
Documented information
77 7.5.1 a Include in the ISMS the documented information required by ISO 27001

Information security manual (sub-clause 4.4)

Documented information to maintain (procedures):procédure


Documented information to retain (records):enregistrement

  • external and internal issues (sub-clause 4.1)
  • list of interested parties (sub-clause 4.2)
  • job descriptions (sub-clause 5.3)
  • risk acceptance criteria (sub-clause 6.1.2)
  • criteria for carrying out risk assessments (sub-clause 6.1.2)
  • statement of applicability (sub-clause 6.1.3)
  • risk treatment plan (sub-clause 6.1.3)
  • plan to achieve the objectives (sub-clause 6.2)
  • provided resources (sub-clause 7.1)
  • competency development plan (sub-clause 7.2)
  • awareness enhancement plan (sub-clause 7.3)
  • communication improvement plan (sub-clause 7.4)
  • list of documented information (sub-clause 7.5.3)
  • documented information of external origin (sub-clause 7.5.3)
  • codification of documents (sub-clause 7.5.3)
  • process monitoring (sub-clause 8.1)
  • change management pan (sub-clause 8.1)
  • results of risk assessment (sub-clause 8.2)
  • results of risk treatment (sub-clause 8.3)
  • results of monitoring and measurement (sub-clause 9.1)
  • audit program (sub-clause 9.2)
  • audit report (sub-clause 9.2)
  • conclusions of the management review (sub-clause 9.3)
  • nature of nonconformities (sub-clause 10.1)
  • results of corrective actions (sub-clause 10.1)
  • ISMS improvement plan (sub-clause 10.2)
  • functions and responsibilities (A.6.1.1)
  • notification of authorities (A.6.1.3)
  • mobile device security (A.6.2.1)
  • security of teleworking (A.6.2.2)
  • terms and conditions of employment (A.7.1.1)
  • commitment to security rules (A.7.2.1)
  • certificate of attendance (A.7.2.2)
  • training evaluation (A.7.2.2)
  • disciplinary rules (A.7.2.3)
  • rules for breach of contract (A.7.3.1)
  • asset inventory (A.8.1.1)
  • rules for the use of assets (A.8.1.3)
  • classification plan (A.8.2.1)
  • waste inventory (A.8.3.2A.11.2.7)
  • protection of media during transportation (A.8.3.3)
  • registration and unsubscription (A.9.2.1)
  • access distribution  (A.9.2.2)
  • user engagement (A.9.2.4 ; A.13.2.4)
  • access rights review (A.9.2.5)
  • password (A.9.4.3)
  • privileged authorizations (A.9.4.4)
  • cryptographic keys (A.10.1.2)
  • secure areas (A.11.1.1)
  • visitors access (A.11.1.2)
  • protection of equipment (A.11.2.1)
  • cabling security (A.11.2.3)
  • equipment maintenance (A.11.2.4)
  • removal of assets (A.11.2.5)
  • change request (A.12.1.2)
  • protection against malware (A.12.2.1)
  • information backup (A.12.3.1)
  • event logs (A.12.4.1)
  • technical vulnerabilities (A.12.6.1)
  • network protection (A.13.1.1)
  • system change request (A.14.2.2)
  • engineering principles (A.14.2.5)
  • 'information security with suppliers (A.15.1.1)
  • supplier contract (A.15.1.2)
  • supplier performance (A.15.2.1)
  • supplier service changes (A.15.2.2)
  • incident log (A.16.1.1)
  • list of evidence (A.16.1.7)
  • business continuity plan (A.17.1.2)
  • list of requirements (A.18.1.1)
  • corrective action report (A.18.2.2)
78 7.5.1 b Include documented information deemed necessary for the effectiveness of the ISMS

This documented information is specific in relation to the size of the organization, to the field of activity, to the complexity of the processes and their interactions to the competence of the personnel

Creating and updating
79 7.5.2 a Identify and describe the documented information appropriately When creating and updating. As title, author, date, codification
80 7.5.2 b Ensure that the format and media of the documented information is appropriate Examples of formats: language, software version and graphics. Examples of media: paper, electronic
81 7.5.2 c Review and validate documented information appropriately In order to determine their relevance and suitability
Control of documented information
82 7.5.3 a Control documented information so that it is available and suitable for use When and where needed. According to the requirements of the ISMS and the ISO 27001 standard
83 7.5.3 b Control documented information so that it is properly protected As loss of confidentiality, improper use or loss of integrity
84 7.5.3 c Apply distribution, access, retrieval and usage activities In order to control the documented information
85 7.5.3 d Apply storage and preservation activities Including legibility preservation
86 7.5.3 e Apply change control activities Like version control
87 7.5.3 f Apply retention and disposition activities By determining for each documented information the retention period and the way of disposal
88 7.5.3 Identify and control documented information of external origin List of documented information deemed necessary for the planning and operation of the ISMS, including that of external origin. Cf. sub-clause 7.5.1
Planning and control
8.1 Plan, apply, control and maintain the processes necessary to meet the requirements of the ISMS By establishing criteria for these processes and carrying out specific actions in the sub-clause 6.1
90 8.1 Apply plans to achieve information security objectives By controlling these processes in accordance with sub-clause 6.2
91 8.1 Retain documented information on the necessary processes In order to ensure that the processes are carried out as planned. Cf. sub-clause 7.5.1
92 8.1 Control planned changes and analyze unforeseen changes By taking actions to limit any negative impact. Cf. sub-clause 7.5.1
93 8.1 Ensure that outsourced processes are identified And controlled
Risk assessment
94 8.2 Assess information security risks regularly Taking into account the criteria established in 6.1.2 a
95 8.2 Retain documented information on the results of the risk assessment Cf. sub-clause 7.5.1
Risk treatment
96 8.3 Apply the risk treatment plan In accordance with sub-clause 6.2
97 8.3 Retain documented information on the results of the risk treatment Cf. sub-clause 7.5.1
98 9.1 Evaluate the information security performance And the effectiveness of the ISMS
99 9.1 a Determine what to inspect (monitor and measure) Including information security processes and measures
100 9.1 b Determine inspection methods Including analysis and evaluation to ensure the validity of the results. Any valid result is comparable and reproducible
101 9.1 c Determine when to inspect The points where monitoring and measurement are carried out
102 9.1 d Determine who performs the inspection The person responsible for the inspection
103 9.1 e Determine when to analyze inspection results And the moment of evaluation of these results
104 9.1 f Determine who analyzes the results And the person responsible for evaluating the results
105 9.1 Retain documented information on inspection results Cf. sub-clause 7.5.1
Internal audit
106 9.2 a 1 Perform internal audits at scheduled intervals to provide information to determine whether the ISMS meets organizational requirements Including policy and objectives, cf. sub-clauses 5.2 and 6.2
107 9.2 a 2 Perform internal audits at scheduled intervals to provide information to determine whether the ISMS meets ISO 27001 requirements Requirements in clauses 4 to 10 of the standard
108 9.2 b  Perform internal audits at scheduled intervals to provide information to determine whether the ISMS is being applied effectively Cf. management review, sub-clause 9.3
109 9.2 c Plan, establish, apply and maintain the audit program Including frequency, methods, responsibilities, planning and reporting requirements. Follow the recommendations of ISO 19011
110 9.2 c Take into account in the audit program the importance of the processes And results of previous audits
111 9.2 d Define the audit criteria And the scope of each audit. Follow the recommendations of ISO 19011
112 9.2 e Select auditors In order to carry out objective and impartial audits. Follow the recommendations of ISO 19011
113 9.2 f Report the results of the audits To the direction concerned
114 9.2 g Retain documented information on the application of the audit program And audit results, cf. sub-clause 7.5.1
Management review
115 9.3 Review the ISMS at scheduled intervals To ensure that the ISMS is still appropriate, adequate and effective. "No system is perfect"
116 9.3 a Take into consideration the progress of actions decided during the previous management review Use the latest management review report
117 9.3 b Take into consideration the modifications of the relevant issues for the ISMS Like the needs and expectations of interested parties, cf. sub-clause 4.2
118 9.3 c 1 Take into consideration feedback on information security performance Including nonconformities and corrective actions, cf. sub-clause 10.1
119 9.3 c 2 Take into account the results of the inspection assessment Cf. sub-clause 9.1
120 9.3 c 3 Take into account audit results Cf. sub-clause 9.2
121 9.3 c 4 Take into account information on the achievement of objectives And achievement of objectives, cf. sub-clause 6.2 
122 9.3 d Take into account feedback from interested parties Cf. sub-clause 4.2
123 9.3 e Take into account the results of the risk assessment And the progress of the risk treatment plan, cf. sub-clause 6.1
124 9.3 f Take into consideration opportunities for continual improvement Cf. sub-clause 10.2
125 9.3 Include decisions on improvement opportunities in the conclusions of the management review And any changes to the ISMS
126 9.3 Retain documented information on the conclusions of the management review Cf. sub-clause 7.5.1
Nonconformity and corrective action
127 10.1 a 1 React quickly when a nonconformity appears In order to be able to control and correct
128 10.1 a 2 React quickly when a nonconformity appears In order to face the consequences
129 10.1 b 1 Evaluate the need for corrective action by reviewing the nonconformity Corrective action eliminates the root causes so that it does not happen again
130 10.1 b 2

Evaluate the need for corrective action by determining the root cause of the nonconformity

Or the root causes of nonconformity
131 10.1 b 3

Evaluate the need for corrective action by determining if similar nonconformities have occurred

Or could happen
132 10.1 c Determine and apply all the necessary actions Including corrective actions
133 10.1 d Review the effectiveness of any action taken Including any corrective action
134 10.1 e Change the ISMS If that is necessary
135 10.1 Carry out corrective actions appropriate to the actual or potential consequences In relation to the nonconformities that appeared
136 10.1 f Retain documented information on the nature of nonconformities And any action taken, cf. sub-clause 7.5.1
137 10.1 Retain documented information on the results of corrective actions Cf. sub-clause 7.5.1
Continual improvement
138 10.3 a Continually improve the suitability, adequacy and effectiveness of the ISMS By improving overall performance, ISMS improvement plan, cf. sub-clause 7.5.1
Annex A (normative)
A.5 Information security policies
139 A.5.1.1 Define information security policies Approved by top management, distributed and communicated to interested parties. Cf. sub-clause 7.5.1
140 A.5.1.2 Review information security policies At scheduled intervals to ensure their relevance, adequacy and effectiveness
A.6 Organization of information security
141 A.6.1.1 Define and assign all responsibilities In relation to information security. Cf. sub-clause 7.5.1
142 A.6.1.2 Segregate incompatible duties and areas of responsibility In order to limit the possibilities of modification or misuse of the assets of the organization
143 A.6.1.3 Maintain appropriate relationships With the competent authorities, cf. sub-clause 7.5.1
144 A.6.1.4 Maintain appropriate relationships With interest groups, specialized forums and associations
145 A.6.1.5 Consider information security in project management For all types of projects
146 A.6.2.1 Adopt a policy and additional security measures In order to manage the risks of using mobile devices. Cf. sub-clause 7.5.1
147 A.6.2.2 Establish a policy and additional security measures In order to protect information at teleworking sites. Cf. sub-clause 7.5.1
A.7 People security
148 A.7.1.1 Perform checks on all candidates for hire In accordance with laws, regulations, ethics and be proportionate to business requirements, information and identified risks. Cf. sub-clause 7.5.1
149 A.7.1.2 Specify the responsibilities of agreements between employees and subcontractor In relation to information security
150 A.7.2.1 Request from top management that all employees and subcontractors apply the information security rules In accordance with the policies and procedures in force. Cf. sub-clause 7.5.1
151 A.7.2.2 Benefit from awareness-raising and adapted training for all employees and subcontractors And receive regular updates on policies and procedures. Cf. sub-clause 7.5.1
152 A.7.2.3 Apply a formal disciplinary process known to all In order to take action against those who have violated the rules related to information security. Cf. sub-clause 7.5.1
153 A.7.3.1 Define and apply responsibilities and missions related to information security Which remain valid at the end of the breach, the term or the modification of the employment contract. Cf. sub-clause 7.5.1
A.8 Asset management
154 A.8.1.1 Identify information and other assets associated with information and information processing means Establish and maintain an inventory of these assets. Cf. sub-clause 7.5.1
155 A.8.1.2 Assign assets in inventory to an owner Every asset must have its owner
156 A.8.1.3 Identify, document and apply the rules for the correct use of information, assets associated with information Including the means of processing information. Cf. sub-clause 7.5.1
157 A.8.1.4 Return all of the organization's assets at the end of the term of employment, contract or agreement This concerns all employees and third-party users
158 A.8.2.1 Classify information in terms of legal requirements, value, criticality and sensitivity Regarding unauthorized disclosure or modification. Cf. sub-clause 7.5.1
159 A.8.2.2 Develop and apply information labeling procedures According to the "house" classification plan. Cf. sub-clause 7.5.1
160 A.8.2.3 Develop and apply information processing procedures According to the "house" classification plan. Cf. sub-clause 7.5.1
161 A.8.3.1 Apply removable media management procedures According to the "house" classification plan. Cf. sub-clause 7.5.1
162 A.8.3.2 Securely dispose of media that are no longer needed By using formal procedures. Cf. sub-clause 7.5.1
163 A.8.3.3 Protect media containing information Against unauthorized access, user errors and tampering during transport. Cf. sub-clause 7.5.1
A.9 Access control
164 A.9.1.1 Establish, document and review an access control policy In accordance with business requirements and information security, cf. sub-clause 7.5.1
165 A.9.1.2

Should only have access users who have received specific authorization

Regarding networks and network services. Cf. sub-clause 7.5.1 
166 A.9.2.1 Apply a formal user registration and de-registration process In order to allow the allocation of access rights. Cf. sub-clause 7.5.1
167 A.9.2.2 Apply a formal process for distributing access to users In order to assign and withdraw access rights to all types of users. Cf. sub-clause 7.5.1
168 A.9.2.3 Restrict and control the allocation of privileged access rights Including their use
169 A.9.2.4 Assign secret authentication information As part of a formal management process. Cf. sub-clause 7.5.1
170 A.9.2.5 Check user access rights at regular intervals From asset owners. Cf. sub-clause 7.5.1
171 A.9.2.6 Remove the rights of access to information and the means of processing information from employees and third-party users at the end of their period of employment Or adapted in case of modification of either the contract or the agreement
172 A.9.3.1 Follow, on the part of users, the practices of the organization Regarding the use of secret authentication information
173 A.9.4.1 Restrict access to information and system application functions In accordance with the access control policy
174 A.9.4.2 Control access to systems and applications through a secure log-on procedure When the access control policy requires it. Cf. sub-clause 7.5.1
175 A.9.4.3 Use systems that manage interactive passwords And guarantee the quality of passwords. Cf. sub-clause 7.5.1
176 A.9.4.4 Limit and control the use of utility programs to bypass system controls Or application controls. Cf. sub-clause 7.5.1
177 A.9.4.5 Restrict access to program source code Limit and control this access. Reserved for internal development
A.10 Cryptography
178 A.10.1.1 Develop and apply a policy on the use of cryptographic controls In order to protect information. Cf. sub-clause 7.5.1
179 A.10.1.2 Develop and apply a policy on the use, protection and lifetime of cryptographic keys Throughout their life cycle. Cf. sub-clause 7.5.1
A.11 Physical and environmental security
180 A.11.1.1 Define and use physical security perimeters In order to protect secure areas concerning sensitive or critical information and information processing means. Cf. sub-clause 7.5.1
181 A.11.1.2 Protect secure areas with adequate entry controls In order to ensure that only authorized personnel are admitted. Cf. sub-clause 7.5.1
182 A.11.1.3 Design and apply physical security measures To offices, rooms and equipment
183 A.11.1.4 Design and apply physical security measures Against natural disasters, malicious attacks or accidents. Cf. sub-clause 7.5.1
184 A.11.1.5 Design and apply procedures for working In secure areas. Cf. sub-clause 7.5.1
185 A.11.1.6 Control and, if possible, isolate access points such as delivery and loading areas and other sensitive points from information processing means In order to prevent unauthorized access. Cf. sub-clause 7.5.1
186 A.11.2.1 Locate and protect equipment In order to reduce the risks associated with environmental threats and hazards and unauthorized access. Cf. sub-clause 7.5.1
187 A.11.2.2 Protect equipment from power cuts and other disturbances Related to general service failures
188 A.11.2.3 Protect electrical or telecommunications cables carrying data or supporting information services Against any interception or damage. Cf. sub-clause 7.5.1
189 A.11.2.4 Maintain equipment correctly In order to guarantee their permanent availability and their integrity. Cf. sub-clause 7.5.1
190 A.11.2.5 Prevent any removal of assets from premises Without prior authorization. Cf. sub-clause 7.5.1
191 A.11.2.6 Apply security measures for equipment used outside the organization's premises Taking into account specific off-site risks
192 A.11.2.7 Check all components of materials containing storage media before disposal or re-use To ensure that all sensitive data has been deleted and that any licensed software has been securely uninstalled or overwritten. Cf. sub-clause 7.5.1
193 A.11.2.8 Ensure, on the part of users, that unattended equipment is provided with appropriate protection Applies to any material left unattended
194 A.11.2.9 Adopt a clear desk policy And locked screens. Cf. sub-clause 7.5.1
A.12 Operations security
195 A.12.1.1 Document operational procedures And make them available to all affected users, cf. sub-clause 7.5.1
196 A.12.1.2 Control changes to the organization, business processes, information processing systems and resources Changes affecting information security. Cf. sub-clause 7.5.1
197 A.12.1.3 Monitor and tune use of resources and make projections on future capacity In order to guarantee the required performance of the ISMS
198 A.12.1.4 Separate development, test and operational environments In order to reduce the risk of access or authorized changes
199 A.12.2.1 Apply detection, prevention and recovery controls with appropriate user awareness In order to protect against malware. Cf. sub-clause 7.5.1
200 A.12.3.1 Take and regularly test backup copies of information, software and system images In accordance with the established backup policy. Cf. sub-clause 7.5.1
201 A.12.4.1 Create, maintain and regularly verify event logs recording user activities, exceptions, failures and information security events In relation to information security. Cf. sub-clause 7.5.1
202 A.12.4.2 Protect logging facilities and log information Against the risk of falsification or unauthorized access
203 A.12.4.3 Log in, protect and regularly review the activities of the system administrator And the system operator
204 A.12.4.4 Synchronize the clocks of all information processing systems or a security domain On a single time reference source
205 A.12.5.1 Apply software installation procedures In order to control the installation on operational systems. Cf. sub-clause 7.5.1
206 A.12.6.1 Obtain timely information on technical vulnerabilities in operational information systems, evaluate exposure to these vulnerabilities and take appropriate action In order to treat the associated risk. Cf. sub-clause 7.5.1
207 A.12.6.2 Establish and enforce rules governing the installation of software Regarding users. Cf. sub-clause 7.5.1
208 A.12.7.1 Carefully plan and validate operational systems verification audit requirements and activities In order to minimize the impact on business processes
A.13 Communications security
209 A.13.1.1 Manage and control networks In order to protect the information of systems and applications. Cf. sub-clause 7.5.1
210 A.13.1.2 Identify and integrate network services, security mechanisms, service levels and management requirements into network service agreements Services provided internally or outsourced
211 A.13.1.3 Segragate on networks the groups of information services and users And information systems
212 A.13.2.1 Put in place formal transfer policies, procedures and controls In order to protect information transfers passing through any type of equipment. Cf. sub-clause 7.5.1
213 A.13.2.2 Treat secure transfer of information in agreements Between the organization and third parties
214 A.13.2.3 Protect information passing through electronic messaging Appropriately
215 A.13.2.4 Identify, regularly review and document the requirements for confidentiality or non-disclosure agreements In accordance with the needs of the organization. Cf. sub-clause 7.5.3
A.14 System acquisition, development and maintenance
216 A.14.1.1 Integrate information security requirements with the requirements of new information systems Or during improvements to existing information systems
217 A.14.1.2 Protect information involved in application services transmitted over public networks Against fraudulent activities, contractual differences, unauthorized disclosure and modification
218 A.14.1.3 Protect information involved in transactions related to application services In order to prevent incomplete transmission, misrouting, modification and unauthorized disclosure and duplication of the message or its re-transmission
219 A.14.2.1 Establish and enforce software and systems development rules To organizational developments
220 A.14.2.2 Control system changes as part of the development lifecycle Through formal procedures. Cf. sub-clause 7.5.1. Reserved for internal development
221 A.14.2.3 Review and test business critical applications when changes are made to operational platforms In order to verify the absence of adverse effects on activity and security
222 A.14.2.4 Discourage modifications to software packages, limit to necessary changes And strictly control any change
223 A.14.2.5 Establish, document, maintain and apply principles for engineering secure systems Concerning all the work of setting up information systems, cf. sub-clause 7.5.1
224 A.14.2.6 Establish secure development environments for system development and integration tasks and ensure appropriate protection In relation to the entire system development lifecycle. Reserved for internal development
225 A.14.2.7 Supervise the activity of outsourced system development And monitor it
226 A.14.2.8 Perform security functionality tests During system development. Reserved for internal development
227 A.14.2.9 Determine acceptance testing programs and associated criteria for new information systems Including updates and new versions
228 A.14.3.1 Select test data carefully Also protect and control them
A.15 Supplier relationships
229 A.15.1.1 Have the supplier accept and document information security requirements In order to limit the risks resulting from the access of suppliers to the assets of the organization, cf. sub-clause 7.5.1
230 A.15.1.2 Establish and agree with each supplier the relevant information security requirements  Regarding suppliers who can access, process, store, communicate or provide components of the IT infrastructure. Cf. sub-clause 7.5.1
231 A.15.1.3 Include in the agreements concluded with the supplier requirements on the treatment of information security risks In relation to the supply chain of IT products and services
232 A.15.2.1 Monitor, review and audit service delivery at regular intervals Provided by supplierss. Cf. sub-clause 7.5.1
233 A.15.2.2 Manage changes in supplier services taking into account the critical nature of the information, systems and processes involved and the risks Services including the maintenance and improvement of information security policies, procedures and measures. Cf. sub-clause 7.5.1
A.16 Information security incident management
234 A.16.1.1 Establish, in the event of an information security incident, management responsibilities and procedures In order to guarantee a rapid, efficient and relevant response. Cf. sub-clause 7.5.1
235 A.16.1.2 Report information security events as quickly as possible This through appropriate hierarchical channels
236 A.16.1.3 Note and report any security weaknesses observed or suspected by employees and contractors  Using the organization's information systems and services
237 A.16.1.4 Assess information security events And decide whether to classify them as an information security incident
238 A.16.1.5 Respond to information security incidents in accordance with the documented procedures Cf. sub-clause 7.5.1
239 A.16.1.6 Use the knowledge gained from the analysis and resolution of incidents To reduce the likelihood or impact of subsequent incidents
240 A.16.1.7 Define and apply procedures for identifying, collecting, acquiring and preservating information Can be used as proof. List of evidence, cf. sub-clause 7.5.1
A.17 Business continuity management
241 A.17.1.1 Determine its information security and information security management continuity requirements In unfavorable situations (crisis or disaster)
242 A.17.1.2 Establish, document, implement and maintain processes, procedures and controls In order to provide the required level of information security continuity during an adverse situation, cf. sub-clause 7.5.1
243 A.17.1.3 Check the information security continuity controls put in place at regular intervals In order to ensure that they are valid and effective in adverse situations
244 A.17.2.1 Set up information processing facilities with sufficient redundancies In order to meet the availability requirements
A.18 Compliance
245 A.18.1.1 Explicitly define, document and update all legal, statutory, regulatory and contractual requirements for each information system and for the organization As well as the approach adopted by the organization to meet these requirements. List of requirements, cf. sub-clause 7.5.1
246 A.18.1.2 Put in place appropriate procedures to ensure compliance with legal, regulatory and contractual requirements relating to intellectual property And for the use of proprietary software licenses. Cf. sub-clause 7.5.1
247 A.18.1.3 Protect records from loss, destruction, falsification, unauthorized access and distribution In accordance with legal, regulatory, contractual and business requirements
248 A.18.1.4 Guarantee the protection of privacy and personal data In accordance with applicable legislation or regulations, and contractual clauses if applicable
249 A.18.1.5 Take cryptographic controls In accordance with applicable agreements, laws and regulations. Cf. annex A.10
250 A.18.2.1 Perform regular and independent reviews of the internal approach to manage and apply information security At defined intervals or following major changes. Cf. sub-clause 9.2
251 A.18.2.2 Regularly review, on the part of those responsible, the compliance of information processing and the procedures within their area of responsibility In accordance with applicable security policies, standards and other security requirements. Cf. sub-clause 7.5.1
252 A.18.2.3 Regularly review information systems for compliance With the organization's information security policies and standards