· Information security policies – controls on how the policies are written and reviewed.
· Organization of information security – controls on how responsibilities are assigned; also includes the controls for mobile devices and teleworking.
· Human resources security – controls before, during, and after employment.
· Asset management – controls related to the inventory of assets and their acceptable use, and to information classification and media handling.
· Access control – controls for the access control policy, user access management, system and application access control, and user responsibilities.
· Cryptography – controls related to encryption and key management.
· Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
· Operational security – many controls related to the management of IT production: change management, capacity management, malware protection, backup, logging, monitoring, software installation, vulnerability management, etc.
· Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
· System acquisition, development and maintenance – controls defining security requirements and security in development and support processes.
· Supplier relationships – controls on what to include in agreements and how to monitor suppliers.
· Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence.
· Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and review, and IT redundancy.
· Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security.