# ISO 27001 Annex A

The 93 Annex A controls of ISO/IEC 27001:2022 (themes A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological), mapped to the internal SID-* controls that satisfy each one. The Owner column records whether the platform or the operator is responsible for the mapped controls.

## Requirements
| Requirement | Title | Controls | Owner |
|---|---|---|---|
| A.5.1 | Policies for information security | SID-ORG-01 | operator |
| A.5.2 | Information security roles and responsibilities | SID-ORG-02 | operator |
| A.5.3 | Segregation of duties | SID-ORG-02, SID-ACCESS-01 | platform |
| A.5.4 | Management responsibilities | SID-ORG-01 | operator |
| A.5.5 | Contact with authorities | SID-ORG-05 | operator |
| A.5.6 | Contact with special interest groups | SID-ORG-05 | operator |
| A.5.7 | Threat intelligence | SID-ORG-03, SID-TRUST-02 | platform |
| A.5.8 | Information security in project management | SID-OPS-08 | platform |
| A.5.9 | Inventory of information and other associated assets | SID-OPS-06 | operator |
| A.5.10 | Acceptable use of information and other associated assets | SID-ORG-07 | operator |
| A.5.11 | Return of assets | SID-ARCH-02 | operator |
| A.5.12 | Classification of information | SID-DATA-01, SID-DATA-02, SID-ORG-08 | platform |
| A.5.13 | Labelling of information | SID-ARCH-02, SID-ORG-08 | operator |
| A.5.14 | Information transfer | SID-TRANS-01, SID-TRANS-02, SID-TRANS-03 | platform |
| A.5.15 | Access control | SID-AUTH-01, SID-AUTH-02, SID-ACCESS-01, SID-ACCESS-02 | platform |
| A.5.16 | Identity management | SID-AUTH-01, SID-AUTH-03 | platform |
| A.5.17 | Authentication information | SID-AUTH-01, SID-CRYPTO-02, SID-CRYPTO-03 | platform |
| A.5.18 | Access rights | SID-ACCESS-01, SID-ACCESS-04 | platform |
| A.5.19 | Information security in supplier relationships | SID-ORG-04 | operator |
| A.5.20 | Addressing information security within supplier agreements | SID-ORG-04 | operator |
| A.5.21 | Managing information security in the ICT supply chain | SID-ORG-04, SID-OPS-04 | platform |
| A.5.22 | Monitoring, review and change management of supplier services | SID-ORG-04 | operator |
| A.5.23 | Information security for use of cloud services | SID-ORG-04 | operator |
| A.5.24 | Information security incident management planning and preparation | SID-OPS-01 | operator |
| A.5.25 | Assessment and decision on information security events | SID-OPS-01, SID-AUDIT-01 | platform |
| A.5.26 | Response to information security incidents | SID-OPS-01 | operator |
| A.5.27 | Learning from information security incidents | SID-OPS-01 | operator |
| A.5.28 | Collection of evidence | SID-AUDIT-01 | platform |
| A.5.29 | Information security during disruption | SID-OPS-02 | operator |
| A.5.30 | ICT readiness for business continuity | SID-OPS-02 | operator |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | SID-ORG-05 | operator |
| A.5.32 | Intellectual property rights | SID-ORG-05 | operator |
| A.5.33 | Protection of records | SID-CRYPTO-03, SID-OPS-03 | platform |
| A.5.34 | Privacy and protection of PII | SID-PRIV-01, SID-DATA-01, SID-DATA-02 | platform |
| A.5.35 | Independent review of information security | SID-ORG-05 | operator |
| A.5.36 | Compliance with policies, rules and standards for information security | SID-ORG-05 | operator |
| A.5.37 | Documented operating procedures | SID-ORG-06 | operator |
| A.6.1 | Screening | SID-PPL-01 | operator |
| A.6.2 | Terms and conditions of employment | SID-PPL-01 | operator |
| A.6.3 | Information security awareness, education and training | SID-PPL-02 | operator |
| A.6.4 | Disciplinary process | SID-ARCH-02 | operator |
| A.6.5 | Responsibilities after termination or change of employment | SID-ARCH-02 | operator |
| A.6.6 | Confidentiality or non-disclosure agreements | SID-PPL-03 | operator |
| A.6.7 | Remote working | SID-ARCH-02 | operator |
| A.6.8 | Information security event reporting | SID-PPL-04 | operator |
| A.7.1 | Physical security perimeters | SID-PHY-01 | operator |
| A.7.2 | Physical entry | SID-PHY-01 | operator |
| A.7.3 | Securing offices, rooms and facilities | SID-PHY-01 | operator |
| A.7.4 | Physical security monitoring | SID-PHY-01 | operator |
| A.7.5 | Protecting against physical and environmental threats | SID-PHY-01 | operator |
| A.7.6 | Working in secure areas | SID-PHY-01 | operator |
| A.7.7 | Clear desk and clear screen | SID-PHY-02 | operator |
| A.7.8 | Equipment siting and protection | SID-PHY-02 | operator |
| A.7.9 | Security of assets off-premises | SID-PHY-02 | operator |
| A.7.10 | Storage media | SID-PHY-02, SID-CRYPTO-03 | platform |
| A.7.11 | Supporting utilities | SID-PHY-01 | operator |
| A.7.12 | Cabling security | SID-PHY-01 | operator |
| A.7.13 | Equipment maintenance | SID-PHY-02 | operator |
| A.7.14 | Secure disposal or re-use of equipment | SID-PHY-02 | operator |
| A.8.1 | User end point devices | SID-HARD-05, SID-CRYPTO-02 | platform |
| A.8.2 | Privileged access rights | SID-HARD-03 | platform |
| A.8.3 | Information access restriction | SID-ACCESS-01, SID-ACCESS-04 | platform |
| A.8.4 | Access to source code | SID-OPS-08, SID-OPS-12 | platform |
| A.8.5 | Secure authentication | SID-AUTH-01, SID-AUTH-02, SID-AUTH-03, SID-AUTH-04 | platform |
| A.8.6 | Capacity management | SID-OPS-02 | operator |
| A.8.7 | Protection against malware | SID-OPS-04, SID-HARD-05, SID-HARD-09 | platform |
| A.8.8 | Management of technical vulnerabilities | SID-OPS-04 | platform |
| A.8.9 | Configuration management | SID-OPS-05 | platform |
| A.8.10 | Information deletion | SID-PRIV-03, SID-DATA-10, SID-AUTH-06 | platform |
| A.8.11 | Data masking | SID-DATA-01, SID-DATA-02, SID-PRIV-01 | platform |
| A.8.12 | Data leakage prevention | SID-HARD-01, SID-HARD-05, SID-PRIV-01, SID-HARD-08, SID-DATA-09, SID-OPS-11 | platform |
| A.8.13 | Information backup | SID-OPS-03 | operator |
| A.8.14 | Redundancy of information processing facilities | SID-OPS-02 | operator |
| A.8.15 | Logging | SID-AUDIT-01, SID-OPS-06 | platform |
| A.8.16 | Monitoring activities | SID-AUDIT-01, SID-OPS-06 | platform |
| A.8.17 | Clock synchronization | SID-AUDIT-01 | operator |
| A.8.18 | Use of privileged utility programs | SID-HARD-03 | platform |
| A.8.19 | Installation of software on operational systems | SID-OPS-05 | operator |
| A.8.20 | Networks security | SID-TRANS-01, SID-TRANS-04 | platform |
| A.8.21 | Security of network services | SID-TRANS-01, SID-TRANS-04 | platform |
| A.8.22 | Segregation of networks | SID-HARD-03 | platform |
| A.8.23 | Web filtering | SID-TRANS-04 | platform |
| A.8.24 | Use of cryptography | SID-CRYPTO-01, SID-CRYPTO-02, SID-CRYPTO-03, SID-CRYPTO-04, SID-CRYPTO-05, SID-KEY-01, SID-KEY-02, SID-OPS-10, SID-TRANS-05 | platform |
| A.8.25 | Secure development life cycle | SID-OPS-08, SID-OPS-09 | platform |
| A.8.26 | Application security requirements | SID-HARD-02, SID-HARD-04, SID-HARD-05 | platform |
| A.8.27 | Secure system architecture and engineering principles | SID-HARD-03, SID-ACCESS-01, SID-KEY-01 | platform |
| A.8.28 | Secure coding | SID-HARD-01, SID-HARD-02, SID-TRANS-04, SID-HARD-09 | platform |
| A.8.29 | Security testing in development and acceptance | SID-OPS-08 | platform |
| A.8.30 | Outsourced development | SID-ORG-04 | operator |
| A.8.31 | Separation of development, test and production environments | SID-OPS-08 | platform |
| A.8.32 | Change management | SID-OPS-05 | platform |
| A.8.33 | Test information | SID-OPS-08 | platform |
| A.8.34 | Protection of information systems during audit testing | SID-OPS-08 | platform |