ISO 27001

1. Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur

2. Information security roles and responsibilities shall be defined and allocated according to the organization needs.

3. Conflicting duties and conflicting areas of responsibility shall be segregated.

4. Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

5. The organization shall establish and maintain contact with relevant authorities.

6. The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

7. Information relating to information security threats shall be collected and analysed to produce threat intelligence.

8. Information security shall be integrated into project management.

9. An inventory of information and other associated assets, including owners, shall be developed and maintained.

10. Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

11. Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

12. Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

13. An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

14. Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

15. Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

16. The full life cycle of identities shall be managed.

17. Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

18. Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

19. Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

20. Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

21. Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

22. The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

23. Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

24. The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

25. The organization shall assess information security events and decide if they are to be categorized as information security incidents.

26. Information security incidents shall be responded to in accordance with the documented procedures.

27. Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

28. The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

29. The organization shall plan how to maintain information security at an appropriate level during disruption.

30. ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

31. Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

32. The organization shall implement appropriate procedures to protect intellectual property rights.

33. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

34. The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

35. The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.

36. Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

37. Operating procedures for information processing facilities shall be documented and made available to personnel who need them.