Saturday, July 13 2024

ISO 27001 requirements information security management systems version 2022


Quiz requirements ISO 27001 version 2022

You want to familiarize yourself with the structure of the standard, identify and understand the requirements of ISO 27001 version 2022, then it's up to you to play!


The quiz "ISO 27001 Requirements version 2022" will help you understand the main requirements of the standard.

The questions (requirements) for this quiz are 79, don't panic. The requirements of the standard are 235 but these 79 requirements are among the most important, so don't hesitate to learn in a fun way!

Don't think that you can complete this quiz in less than an hour, or even two hours, unless of course you are a little genius!


News on the information security standard ISO 27001 version 2022


The 235 requirements (shall, shall) of clauses 4 to 10 and annex A of ISO 27001 are broken down as follows:

ISO 27001 requirements version 2022 copyleft
PDCA cycle
Requirement No
Context Plan
1 ÷ 10
5 Leadership Plan, Do, Check, Act
11 ÷ 28
6 Planning Plan
29 ÷ 67
7 Support Do
68 ÷ 91
8 Operation Do
92 ÷ 100
9 Performance Check 101 ÷ 130 30
10 Improvement Act 131 ÷ 142 12
  Annex A Plan, Do, Check, Act 143 ÷ 235 93

requirements iso 27001

Requirements in ISO 27001 clauses, sub-clauses and annex A



Deming PDCA cycle


Note. Any requirement normally begins with "The organization shall ...". For simplicity we present the requirements directly starting with the verb.

ISO 27001 - Requirements and comments version 2022 copyleft
PDCA cycle, links, comments
The organization and its context
Determine external and internal issues Understand everything that can influence the purpose (mission) of the company (corporate culture, innovation, strategic orientation, competition, market, obligations, working time, working conditions) and its ability to obtain the expected results of the ISMS. See sub-clauses 6.1 and 7.5.1
4.2 a
Determine stakeholders Concerned with the ISMS, such as laws, contracts and others. See sub-clause 7.5.1
3 4.2 b Determine needs and expectations Of the stakeholders relating to information security requirements and obligations
4 4.2 c Determine requirements concerned by the ISMS Requirements addressed by the ISMS
Determine the scope of the ISMS (Administrative) limits and applicability
6  4.3 a Take into account external and internal issues "To determine hazards is to reduce risks". Cf. sub-clause 4.1
7  4.3 b Take into account the requirements of the stakeholders When changing processes, requirements, infrastructure. See sub-clause 4.2
8 4.3 c Take into account the profesional interfaces "No-risk situations do not exist". Interactivity of internal activities and those of other organizations
9 4.3 Make the scope available as documented information Cf. sub-clause 7.5.1
Information security management system
10  4.4 Establish, implement and maintain and improve the ISMS "If you cannot describe what you are doing as a process, you do not know what you're doing". Edwards Deming. In accordance with the requirements of ISO 27001. Information security manual, cf. sub-clause 7.5.1 
Leadership and commitment
11 5.1 a Ensure that the information security policy and objectives are established

"When you sweep the stairs, you start at the top. Romanian proverb." Ensure compatibility with strategic direction. Top management is showing leadership. Affirm top management's commitment to the ISMS

12 5.1 b Ensure that ISMS requirements are integrated into business processes Show leadership
13 5.1 c Ensure that the necessary resources for the ISMS are available Resources to establish, apply, maintain and improve the ISMS. Cf. sub-clause 4.4
14 5.1 d Communicate on the importance of an effective ISMS And comply with the requirements of ISO 27001
15 5.1 e Ensure that the ISMS achieves the intended results Commitment, responsiveness and active support from top management
16 5.1 f

Guide and support people

In order to contribute to the performance of the ISMS
17 5.1 g Promote continual improvement "Employees first, customers second. Vineet Nayar." Show leadership. Cf. clause 10
18 5.1 h Help those affected to show leadership When necessary for their area of responsibility
19 5.2 a Establish an information security policy Taking into account the mission of the organization. Keep the policy up to date. Cf. sub-clause 7.5.1
20 5.2 b Provide a framework for establishing information security objectives Cf. sub-clause 6.2
21 5.2 c Commit to meet applicable requirements Regarding information security
22 5.2 d Commit to continual improvement of the ISMS Cf. clause 10
23 5.2 e Make the information security policy available as documented information Cf. sub-clause 7.5.1
24 5.2 f Communicate the information security policy At all levels of the organization
25 5.2 g Keep the information security policy available to stakeholders If applicable
Roles, responsibilities and authorities
26 5.3 Ensure that responsibilities and authorities for the ISMS are assigned And communicated at all levels of the organization. "Responsibility cannot be shared. Robert Heinlein". Cf. sub-clause 7.5.1
27 5.3 a Ensure that the ISMS meets the requirements of the ISO 27001 standard And who has the responsibility and authority at all levels of the organization. Remember that in the end top management is fully responsible (cf. sub-clause 5.1)
28 5.3 b Submit reports on ISMS performance to top management on a regular basis By assigning responsibility and authority by name, cf. sub-clause 7.5.1
Actions to address risks
29 6.1.1 a Determine risks and opportunities In order to ensure that the ISMS can achieve the expected results. Cf. sub-clause 4.1 for issues and sub-clause 4.2 for requirements. An inventory of the situation is always useful before planning. "Any decision involves a risk. Peter Barge"
30 6.1.1 b Determine risks and opportunities In order to anticipate or reduce side effects
31  6.1.1 c Determine risks and opportunities In order to be part of the continual improvement process, cf. clause 10
32 6.1.1 d Plan actions to address these risks and opportunities Cf. sub-clause 6.1.3
33 6.1.1 e 1 Plan how to integrate and implement the necessary actions For all processes of the ISMS
34 6.1.1 e 2 Plan how to assess the effectiveness of actions taken Cf. sub-clause 6.1.3
Risk assessment
35 6.1.2 a 1 Apply an information security risk assessment process By establishing and maintaining acceptance criteria
36 6.1.2 a 2 Apply an information security risk assessment process By establishing and updating the criteria for carrying out assessments
37 6.1.2 b Apply an information security risk assessment process By ensuring that the repetition of risk assessments leads to consistent, valid and comparable results
38 6.1.2 c 1 Apply an information security risk assessment process By identifying the risks associated with the loss of confidentiality, integrity and availability of information
39 6.1.2 c 2 Apply an information security risk assessment process By identifying the risk owners
40 6.1.2 d 1 Apply an information security risk assessment process

By analyzing the risks and the potential consequences of risks in 6.1.2 c 1 materializing

41 6.1.2 d 2  Apply an information security risk assessment process By analyzing the risks and assessing the likelihood of occurrence of the risks identified in 6.1.2 c 1
42 6.1.2 d 3 Apply an information security risk assessment process By analyzing risks and determining risk levels
43 6.1.2 e 1 Apply an information security risk assessment process By evaluating the risks and comparing the results of the risk analysis with the criteria in 6.1.2 a
44 6.1.2 e 2 Apply an information security risk assessment process By evaluating the risks and prioritizing the analyzed risks
45 6.1.2 Retain documented information on the information security risk assessment process Cf. sub-clause 7.5.1
Risk treatment
46 6.1.3 a Apply an information security risk treatment process In order to choose the risk treatment options taking into account the results in 6.1.2
47 6.1.3 b Apply an information security risk treatment process In order to determine the necessary measures to be taken for the chosen option
48 6.1.3 c Apply an information security risk treatment process In order to compare the measurements determined in 6.1.3 b and those of annex A of ISO 27001
49 6.1.3 d Apply an information security risk treatment process In order to produce a statement of applicability including the necessary measures (cf. 6.1.3 b and c), the justification for their inclusion, their implementation (or not), the justification for the exclusion of controls from Annex A of ISO 27001
50  6.1.3 e Apply an information security risk treatment process In order to develop a risk treatment plan, cf. sub-clause 6.2
51  6.1.3 f Apply an information security risk treatment process In order to obtain from the risk owners the validation of the risk treatment plan and the acceptance of residual risks
52 6.1.3 Retain documented information on the information security risk treatment process  Cf. sub-clause 7.5.1
53 6.2 Establish information security objectives For all functions and levels in the organization
54 6.2 a Determine information security objectives Consistent with the organization's information security policy
55 6.2 b Determine information security objectives Measurables, if possible
56 6.2 c Determine information security objectives Taking into account the requirements applicable to information security, the results of the risk assessment and treatment
57 6.2 d Determine information security objectives And monitor them, cf. sub-clause 9.1
58 6.2 e Determine information security objectives And communicate them, cf. sub-clause 7.4
59 6.2 f Determine information security objectives And update them, if appropriate
60 6.2 g Determine information security objectives And retain them as documents, cf. sub-clause 7.5
61 6.2 Retain documented information on objectives Related to information security, including the objective achievement plan, cf. sub-clause 7.5.1
62 6.2 h Determine when planning information security objectives What will be done
63 6.2 i Determine when planning information security objectives The necessary resources
64 6.2 j Determine when planning information security objectives The responsible
65 6.2 k Determine when planning information security objectives The deadlines
66 6.2 l Determine when planning information security objectives How the results will be evaluated
Planning of changes
67 6.3 Plan the changes of the ISMS Before applying them
Identify and provide the resources needed In order to establish, apply, maintain and improve the ISMS
69  7.2 a Determine the necessary competence of the people involved Those involved can affect information security performance
70 7.2 b Ensure that these people are competent On the basis of initial and professional training and experience
71 7.2 c Take actions to acquire and keep the necessary competence updated And evaluate the effectiveness of these actions. Actions include training, but also supervision, reassignment and recruitment of competent people
72 7.2 d Retain documented information on competence Cf. sub-clause 7.5.1 like the competence development plan
7.3 a
Make people aware of the information security policy and objectives Cf. sub-clauses 5.2 and 6.2. Awareness enhancement plan, cf. sub-clause 7.5.1
74 7.3 b Make people aware of the importance of their contribution to the effectiveness of the ISMS And the beneficial effects of improved performance of the ISMS
75 7.3 c Make people aware of the repercussions and consequences of not conforming with ISMS requirements Do not forget the potential consequences on all professional activities
76 7.4 a Determine internal and external communication needs Including on which subjects, communication improvement plan, cf. sub-clause 7.5.1
77 7.4 b Determine internal and external communication needs Including when
78 7.4 c Determine internal and external communication needs Including with whom
79 7.4 d Determine internal and external communication needs Including who shall communicate
Documented information
80 7.5.1 a Include in the ISMS the documented information required by ISO 27001

Documented information to maintain (procedures):procédure


  • information security (§ 5.2, A.5.1)
  • acceptable use of information (A.5.10)
  • information classification (A.5.12)
  • information transfer (A.5.14)
  • access control (A.5.15A.8.12)
  • access rights (A.5.18)
  • supplier relationships (A.5.19)
  • use of cloud services (A.5.23)
  • intellectual property (A.5.32)
  • protection of records (A.5.33)
  • protection of personal identifiable information (A.5.34)
  • compliance with rugulations and standards ( A.5.36)
  • employment contract (A.6.2)
  • awareness and training (A.6.3)
  • remote working (A.6.7)
  • clear desk and clear screen (A.7.7)
  • storage media (A.7.10)
  • technical vulnerabilities (A.8.8)
  • information backup (A.8.13)
  • logging (A.8.15)
  • use of cryptography (A.8.24)

Documented information to retain (records):enregistrement

  • external and internal issues (sub-clause 4.1)
  • list of stakeholders (sub-clause 4.21)
  • scope (sub-clause 4.3)
  • job description (sub-clause 5.3, A.5.2)
  • risk acceptance criteria (sub-clause 6.1.2)
  • risk assessment criteria (sub-clause 6.1.2)
  • statement of applicability (sub-clause 6.1.3)
  • risk treatment plan (sub-clause 6.1.3)
  • plan to achieve objectives (sub-clause 6.2)
  • change management plan (sub-clauses 6.3, 8.1)
  • available resources (sub-clause 7.1)
  • competence development plan (sub-clause 7.2)
  • awareness enhancement plan (sub-clause 7.3)
  • communication improvement plan (sub-clause 7.4)
  • list of documented information (sub-clause 7.5.3, A.5.37)
  • documents of external origin (sub-clause 7.5.3)
  • codification of documents (sub-clause 7.5.3)
  • process monitoring (sub-clause 8.1)
  • risk assessment results (sub-clause 8.2)
  • results of risk treatment (sub-clause 8.3)
  • results of monitoring and measurements (sub-clause 9.1)
  • audit program (sub-clause 9.2)
  • audit report (sub-clause 9.2)
  • management review decisions (sub-clause 9.3)
  • ISMS improvement plan (sub-clause 10.1)
  • nature of the nonconformities (sub-clause 10.2)
  • corrective actions (sub-clause 10.2)
  • commitment to safety rules (A.5.4)
  • notification of authorities (A.5.5)
  • inventory of assets (A.5.9)
  • rules for the use of assets (A.5.10A.5.11)
  • classification plan (A.5.12)
  • transfer data (A.5.14)
  • registration and unsubscription (A.5.16)
  • user engagement (A.5.17, A.6.6)
  • password (A.5.17)
  • access distribution (A.5.18)
  • review of access rights (A.5.18)
  • information security with suppliers (A.5.19)
  • supplier contract (A.5.20)
  • supplier performance (A.5.22)
  • changes in supplier services (A.5.22)
  • incident management plan (A.5.24)
  • incident register (A.5.24A.5.26)
  • information security events (A.5.25)
  • list of evidence (A.5.28)
  • business continuity plan (A.5.29A.5.30)
  • list of requirements (A.5.31)
  • register of licenses (A.5.32)
  • record protection (A.5.33)
  • results of safety reviews (A.5.35)
  • corrective action report (A.5.36)
  • terms and conditions of employment (A.6.1)
  • training program (A.6.3)
  • certificate of attendance (A.6.3)
  • disciplinary rules (A.6.4)
  • breach of contract rules (A.6.5)
  • confidentiality agreement (A.6.6)
  • security for remote working (A.6.7)
  • security perimeters (A.7.1)
  • visitor access (A.7.2)
  • protection of equipment (A.7.5A.7.8A.7.7)
  • removal of assets (A.7.9A.7.10)
  • scrap inventory (A.7.10A.7.14)
  • protection of storage media during transport (A.7.10)
  • emergency contacts (A.7.11)
  • cabling security (A.7.12)
  • equipment maintenance (A.7.13)
  • mobile device security (A.8.1)
  • wireless connection (A.8.1
  • privileged access (A.8.2A.8.18)
  • capacity management plan (A.8.6)
  • protection against malware (A.8.7)
  • technical vulnerabilities (A.8.8)
  • configuration register (A.8.9)
  • deletion of information (A.8.10)
  • backup of information (A.8.13)
  • event logs (A.8.15)
  • monitoring (A.8.16)
  • synchronization (A.8.17)
  • privileged authorizations (A.8.18)
  • network protection (A.8.20)
  • web filtering (A.8.23)
  • cryptographic keys (A.8.24)
  • applications (A.8.26)
  • engineering principles (A.8.27)
  • secure coding (A.8.28)
  • test plan (A.8.29)
  • environments (A.8.31)
  • change request (A.8.32A.8.3)
81 7.5.1 b Include documented information deemed necessary for the effectiveness of the ISMS

This documented information is specific in relation to the size of the organization, to the field of activity, to the complexity of the processes and their interactions to the competence of the personnel

Creating and updating
82 7.5.2 a Identify and describe the documented information appropriately When creating and updating. As title, author, date, codification
83 7.5.2 b Ensure that the format and media of the documented information is appropriate Examples of formats: language, software version and graphics. Examples of media: paper, electronic
85 7.5.2 c Review and validate documented information appropriately In order to determine their relevance and suitability
Control of documented information
82 7.5.3 a Control documented information so that it is available and suitable for use When and where needed. According to the requirements of the ISMS and the ISO 27001 standard
86 7.5.3 b Control documented information so that it is properly protected As loss of confidentiality, improper use or loss of integrity
87 7.5.3 c Apply distribution, access, retrieval and usage activities In order to control the documented information
88 7.5.3 d Apply storage and preservation activities Including legibility preservation
89 7.5.3 e Apply change control activities Like version control
90 7.5.3 f Apply retention and disposition activities By determining for each documented information the retention period and the way of disposal
91 7.5.3 Identify and control documented information of external origin List of documented information deemed necessary for the planning and operation of the ISMS, including that of external origin. Cf. sub-clause 7.5.1
Planning and control
8.1 Plan, apply, control and maintain the processes necessary to meet the requirements of the ISMS By establishing criteria for these processes and carrying out specific actions in the sub-clause 6.1
93 8.1 Plan, apply, control and maintain the processes necessary to meet the requirements of the ISMS By applying the control in accordance with the criteria
94 8.1 Retain documented information on the necessary processes In order to ensure that the processes are carried out as planned. Cf. sub-clause 7.5.1
95 8.1 Control planned changes and analyze unforeseen changes By taking actions to limit any negative impact. Cf. sub-clause 7.5.1
96 8.1 Ensure that outsourced processes are controlled and relevant Including outsourced products and services
Risk assessment
97 8.2 Assess information security risks regularly Taking into account the criteria established in 6.1.2 a and sub-clause 6.3
98 8.2 Retain documented information on the results of the risk assessment Results of risk assessment, cf. sub-clause 7.5.1
Risk treatment
99 8.3 Apply the risk treatment plan In accordance with sub-clause 6.2
100 8.3 Retain documented information on the results of the risk treatment Risk treatment plan, cf. sub-clause 7.5.1
101 9.1 a Determine what to inspect (monitor and measure) Including information security processes and measures
102 9.1 b Determine inspection methods Including analysis and evaluation to ensure the validity of the results. Any valid result is comparable and reproducible
103 9.1 c Determine when to inspect Including the points where monitoring and measurement are carried out
104 9.1 d Determine who performs the inspection The person responsible for the inspection
105 9.1 e Determine when to analyze inspection results Including the moment of evaluation of the results
106 9.1 f Determine who analyzes the results Including the person responsible for evaluating the results
107 9.1 Retain documented information on inspection results Cf. sub-clause 7.5.1
108 9.1 Evaluate the information security performance Including the effectiveness of the ISMS
Internal audit
109 9.2.1 a 1 Perform internal audits at scheduled intervals to provide information to determine whether the ISMS meets organizational requirements Including policy and objectives, cf. sub-clauses 5.2 and 6.2
110 9.2.1 a 2 Perform internal audits at scheduled intervals to provide information to determine whether the ISMS meets ISO 27001 requirements Requirements in clauses 4 to 10 of the standard
111 9.2.1 b Perform internal audits at scheduled intervals to provide information to determine whether the ISMS meets ISO 27001 requirements Cf. management review, sub-clause 9.3
Internal audit program
112 9.2.2 Plan, establish, apply and maintain the audit program Including frequency, methods, responsibilities, planning and reporting requirements. Follow the recommendations of ISO 19011
113 9.2.2 Take into account in the audit program the importance of the processes And results of previous audits
114 9.2.2 a Define the audit criteria And the scope of each audit. Follow the recommendations of ISO 19011
115 9.2.2 b Select auditors In order to carry out objective and impartial audits. Follow the recommendations of ISO 19011
116 9.2.2 c Report the results of the audits To the direction concerned
117 9.2.2 Retain documented information on the application of the audit program And audit results, cf. sub-clause 7.5.1
Management review
118 9.3.1 Review the ISMS at scheduled intervals To ensure that the ISMS is still appropriate, adequate and effective. "No system is perfect"
Management review inputs
119 9.3.2 a Take into consideration the progress of actions decided during the previous management review Use the latest management review report
120 9.3.2 b Take into consideration the modifications of the relevant issues for the ISMS Cf. sub-clause 4.1
121 9.3.2 c Consider changing stakeholders' requirements Cf. sub-clause 4.2 
122 9.3.2 d 1 Consider feedback trends

Including nonconformities and corrective actions, cf. sub-clause 10.2

123 9.3.2 d 2 Consider trends in inspection results In other words, the results of monitoring and measurement, cf. sub-clause 9.1 
124 9.3.2 d 3 Consider trends in audit results

Cf. sub-clause 9.2

125 9.3.2 d 4 Take into consideration the trends of objective achievement Cf. sub-clause 6.2
126 9.3.2 e Consider feedback from stakeholders

Cf. sub-clause 4.2 

127 9.3.2 f Consider the results of the risk assessment Including the progress of the risk treatment plan, cf. paragraph 6.1.3 
128 9.3.2 g Consider opportunities for continual improvement And any changes to the ISMS, cf. sub-clause 10.2
Management review results
129 9.3.3 Include continuous improvement decisions in the results of the management review And any changes to the ISMS, cf. sub-clause 10.2
130 9.3.3 Retain documented information on the conclusions of the management review Cf. sub-clause 7.5.1
Continual improvement
131 10.1

Continually improve the suitability, adequacy and effectiveness of the ISMS


By improving overall performance
Nonconformity and corrective action
132 10.2 a 1 React to the nonconformity In order to control and correct it
133 10.2 a 2

React to the nonconformity

In order to deal with the consequences of nonconformity
134 10.2 b 1

Review the nonconformity

Evaluate whether action is needed to eliminate the cause
135 10.2 b 2 Find the cause of the nonconformity If possible the root cause
136 10.2 b 3 Find out if similar nonconformities have occurred Or could occur
137 10.2 c Implement any action needed Including corrective actions
138 10.2 d Review the effectiveness of any undertaken action Including any corrective action
139 10.2 e Make changes to the ISMS If necessary
140 10.2 Take corrective actions appropriate to actual or potential consequences In relation to the nonconformities that appeared
141 10.2 f Retain documented information on the nature of nonconformities Cf. sub-clause 7.5.1
142 10.2 g Retain documented information on the results of corrective actions Cf. sub-clause 7.5.1
Annex A (normative)
A.5 Organizational controls
143 A.5.1 Policies for information security Define information security policies, which are approved by top management, published, communicated, reviewed and changed, cf. sub-clause 5.2
144 A.5.2 Information security roles and responsibilities Define and assign functions and responsibilities related to information security, cf. sub-clause 5.3
145 A.5.3 Segregation of duties Segregate conflicting duties and areas of responsibilities
146 A.5.4 Management responsibilities Apply information security measures according to company policies and procedures, as requested by top management, cf. sub-clause 5.1
147 A.5.5 Contact with authorities Establish and maintain contact with relevant authorities
148 A.5.6 Contact with special interest groups Establish and maintain contacts with interest groups related to information security
149 A.5.7 Threat intelligence Collect and analyze information security threats
150 A.5.8 Information security in project management Integrate information security into project management
151 A.5.9   Inventory of information and other associated assets Develop and maintain an inventory of information and assets related to information security
152 A.5.10 Acceptable use of information and other associated assets Identify, document and apply rules for acceptable use and procedures for handling information and assets
153 A.5.11 Return of assets Return all assets upon leaving the company or changing employment contract
154 A.5.12 Classification of information Classify information according to confidentiality, integrity and availability requirements
155 A.5.13 Labeling of information Develop and implement procedures for information labeling
156 A.5.14 Information transfer Establish rules, procedures or agreements on the transfer of information internally and with stakeholders
157 A.5.15  Access control Define and apply rules for physical and logical access to information according to business requirements and information security
158 A.5.16 Identity management Manage the full life cycle of identities
159 A.5.17 Authentication information Control the allocation and management of authentication information according to a specific process including recommendations for appropriate use
160 A.5.18 Access rights Provide, review, modify and remove access rights to information and assets in accordance with the topic-specific policy
161 A.5.19 Information security in supplier relationships Define and apply processes and procedures to manage information security risks associated with the use of supplier's products and services
162 A.5.20 Addressing information security within supplier agreements Set up and agree with each supplier the appropriate information security requirements
163 A.5.21 Managing information security in the information and communication technology (ICT) supply chain Define and apply processes and procedures to manage information security risks related to the ICT products and services supply chain
164 A.5.22 Monitoring review and change management of supplier services Regularly monitor, review, evaluate and manage changes in supplier information security practices
165 A.5.23 Information security for use of cloud services Establish processes for acquiring, using, managing and terminating cloud services according to corporate information security requirements
166 A.5.24 Information security incident management planning and preparation Plan and prepare for information security incident management with relevant processes, roles and responsibilities
167 A.5.25

Assessment and decision on information security events

Assess information security events and decide if they should be categorized as incidents
168 A.5.26 Response to information security incidents Respond to information security incidents in accordance with the documented procedures
169 A.5.27 Learning from information security incidents Use knowledge gained from information security incidents to strengthen and improve information security controls
170 A.5.28 Collection of evidence Establish and apply procedures for the identification, collection, acquisition and preservation of evidence related to information security events
171 A.5.29 Information security during disruption Plan how to maintain information security at an appropriate level during disruption
172 A.5.30 ICT readiness for business continuity Plan, apply, maintain and test ICT readiness according to business continuity objectives and requirements
173 A.5.31 Legal, statutory, regulatory and contractual requirements Identify, document and keep up-to-date  revant legal, statutory, regulatory and contractual information security requirements
174 A.5.32 Intellectual property rights Implement appropriate procedures to protect intellectual property rights
175 A.5.33 Protection of records Protect against loss, destruction, falsification, unauthorized access and unauthorized release of operational records
176 A.5.34 Privacy and protection of personal identifiable information Identify and comply with requirements regarding the preservation of privacy and protection of personal identifiable information  according to applicable laws, regulations and contractual requirements
177 A.5.35 Independent review of information security Review information security management, including people, processes and technology at planned intervals
178 A.5.36 Compliance with policies, rules and standards for information security Regularly verify compliance with information security policies, company standards and rules
179 A.5.37 Documented operating procedures Document and make available to personnel concerned the operating procedures for information processing facilities
A.6 People controls
180 A.6.1 Screening Carry out reference checks on job candidates before their integration into the company according to the business requirements, the classification of information and the risks identified, cf. sub-clause 7.2
181 A.6.2 Terms and conditions of employment Include personnel and company information security responsibilities in employment contracts
182  A.6.3 Information security awareness, education and training Educate, teach and train staff and stakeholders in information security, including policy and procedure updates
183 A.6.4 Disciplinary process Formalize and communicate the disciplinary process for those who have committed an information security policy violation
184 A.6.5 Responsibilities after termination or change of employment Define, enforce and communicate information security responsibilities and obligations that remain in effect after employment ends or changes
185 A.6.6 Confidentiality or non-disclosure agreements Identify, document, review and sign confidentiality (non-disclosure) agreements to protect sensitive information
186 A.6.7 Remote working Put in place security measures relevant to remote working to protect information outside of company premises
187 A.6.8 Information security event reporting Provide a mechanism to promptly report actual or suspected information security events
A.7 Physical controls
188 A.7.1 Physical security perimeters Define and use security perimeters to protect areas with sensitive information and assets
189 A.7.2 Physical entry Protect access areas with appropriate access security measures and access points
190 A.7.3 Securing offices, rooms and facilities Design and implement physical security measures for offices, rooms and facilities
191 A.7.4 Physical security monitoring Continuously monitor the premises to prevent unauthorized physical access
192 A.7.5 Protecting against physical and environmental threats Design and apply protection against physical and environmental threats (such as natural disasters), intentional or unintentional
193 A.7.6 Working in secure areas Design and apply safety measures for working in secure areas
194 A.7.7 Clear esk and clear screen Define and enforce clear desk and clear screen rules for information processing facilities
195 A.7.8 Equipment siting and protection Choose and protect a secure location for the equipment
196 A.7.9 Security of assets off-premises Protect off-site assets
197 A.7.10 Storage media Manage storage media throughout their life cycle (acquisition, use, transportation, and disposal) according to classification and business requirements
198 A.7.11 Supporting utilities Protect information processing facilities against power outages and other support service failures
199 A.7.12 Cabling security Protect electrical cables against interception, interference or damage
200 A.7.13 Equipment maintenance Maintain equipment properly to ensure availability, integrity and confidentiality of information
201 A.7.14 Secure disposal or re-use of equipment Check storage hardware to ensure secure deletion of sensitive data or licensed software
A.8 Technological controls
202 A.8.1 User end point devices Protect information stored, processed or accessible via a user end point device
203 A.8.2 Privileged access rights Limit and manage the allocation and use of privileged access rights
204 A.8.3 Information access restiction Restrict access to information and other assets according to access control policy
205 A.8.4 Access to code source Appropriately manage access to source code, development tools and software libraries
206 A.8.5 Secure authentication Apply secure authentication technologies and procedures according to the restrictions of the access control policy, cf. A.8.3
207 A.8.6 Capacity management Monitor and adjust resource usage according to scaling needs, cf. Capacity management plan, sub-clause 7.5.1
208 A.8.7 Protection against malware Apply protection against malware, raise staff awareness, cf. sub-clause 7.3
209 A.8.8 Management of technical vulnerabilities Obtain information on technical vulnerabilities of information systems, evaluate the company's exposure to these vulnerabilities and take appropriate measures
210 A.8.9 Configuration management Define, document, enforce, monitor and review security, hardware, software and network configuration
211 A.8.10 Information deletion Delete information, which is no longer necessary, on information systems, devices and other storage media
212 A.8.11 Data masking Mask data according to access control policy, cf. A.8.3 respecting business requirements and applicable legislation
213 A.8.12 Data leakage prevention Apply data leakage prevention measures of sensitive information to systems, networks and other devices
214 A.8.13 Information backup Retain and regularly test backup copies of information, software and systems according to the topic-specific backup policy
215 A.8.14 Redundancy of information processing facilities Apply information processing facilities with redundancy to meet availability requirements
216 A.8.15 Logging Generate, maintain, protect and analyze logs of activities, exceptions, faults and other relevant events
217 A.8.16 Monitoring activities Monitor networks, systems and applications and take appropriate action, cf. sub-clause 9.1
218 A.8.17 Clock synchronization Synchronize information processing system clocks to approved time sources
219 A.8.18 Use of privileged utilities programs Restrict and tightly control the use of utility programs with the ability to override system and application security measures
220 A.8.19 Installation of software on operating systems Apply procedures and measures to securely manage the installation of operational software
221 A.8.20 Networks security Secure, manage and control networks and network devices to protect system and application information
222 A.8.21 Security of network services Identify, apply and monitor security mechanisms, service levels and network service requirements
223 A.8.22 Segregation of networks Segregate information services, users and information systems groups
224 A.8.23 Web filtering Control access to external websites to reduce exposure to malicious content
225 A.8.24 Use of cryptography Define and apply cryptography rules, including cryptographic keys
226 A.8.25 Secure development life cycle Define and apply rules for the secure development of software and systems
227 A.8.26 Application security requirements Identify, specify and approve information security requirements when developing or acquiring applications
228 A.8.27 Secure system architecture and engineering principles Establish, document, maintain and apply secure systems engineering principles during the development of information systems
229 A.8.28 Secure coding Apply secure coding principles to software development
230 A.8.29 Security testing in development and acceptance Define and apply security testing processes during the development life cycle
231 A.8.30 Outsourced development Direct, monitor and review activities relating to the development of outsourced systems
232 A.8.31 Separation of development, test and production environments Separate and secure development, test and operational environments
233 A.8.32 Change management Submit changes to information processing resources and information systems to change management procedures, cf. sub-clause 6.3
234 A.8.33 Test information Select, protect and manage test information appropriately
235 A.8.34 Protection of information systems during audit testing Plan and agree between the tester and the appropriate level of management audit testing and other assurance activities involving the evaluation of operational systems