ISO/IEC 27002:2022

This document outlines various information security policies and controls. It discusses policies for information security, roles and responsibilities, segregation of duties, management responsibilities, and contact with authorities and special interest groups. It also covers threat intelligence, information security in project management, inventory of assets, acceptable use of assets, classification and labeling of information, access controls, identity management, and information security with suppliers.

Uploaded by bona utama

Overview diagram of ISO/IEC 27002:2022 (flattened from the one-page mind map). Where the diagram places a related standard beside a control, that standard is listed after the control.

Structure of the document

Informative sections
  Introduction
1. Scope
2. Normative references
3. Terms, definitions and abbreviated terms
  3.1 Terms and definitions
  3.2 Abbreviated terms
4. Structure of this document
  4.1 Clauses
  4.2 Themes and attributes
  4.3 Control layout
5. Organizational controls
6. People controls
7. Physical controls
8. Technological controls
Annex A Using attributes
  A.1 General
  A.2 Organisational views
Annex B Correspondence of ISO/IEC 27002:2022 with ISO/IEC 27002:2013

4.2 Themes and attributes

Control type: Preventive, Detective, Corrective
Information security property: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover
Operational capabilities: Application security, Asset management, Continuity, Data protection, Governance, Human resource security, Identity and access management, Information security event management, Legal and compliance, Physical security, Secure configuration, Security assurance, Supplier relationships security, System and network security, Threat and vulnerability management
Security domains: Governance and Ecosystem, Protection, Defence, Resilience

4.3 Control layout

Control title
Attribute table
Control
Purpose
Guidance
Other information

5. Organizational controls

5.1 Policies for information security
5.2 Information security roles and responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat intelligence
5.8 Information security in project management
5.9 Inventory of information and other associated assets
  Related: ISO/IEC 19770-1:2017, ISO 5501:2014
5.10 Acceptable use of information and other associated assets
5.11 Return of assets
5.12 Classification of information
5.13 Labelling of information
5.14 Information transfer
5.15 Access control
  Related: ISO/IEC 29146
5.16 Identity management
5.17 Authentication information
5.18 Access rights
  Related: ISO/IEC 29146
5.19 Information security in supplier relationships
  Related: ISO/IEC 27036-1:2021
5.20 Addressing information security within supplier agreements
  Related: ISO/IEC 27036-2:2022, ISO/IEC 19086
5.21 Managing information security in the ICT supply chain
  Related: ISO/IEC 27017, ISO/IEC 27036-3:2022
5.22 Monitoring, review and change management of supplier services
  Related: ISO/IEC 27036-3:2022
5.23 Information security for use of cloud services
  Related: ISO/IEC 27036-4:2016
5.24 Information security incident management planning and preparation
  Related: ISO/IEC 27035-1:2022, ISO/IEC 27035-2:2022, ISO/IEC 27035-3:2020
5.25 Assessment and decision on information security events
  Related: ISO/IEC 27035-2:2022, ISO/IEC 27035-3:2020
5.26 Response to information security incidents
  Related: ISO/IEC 27035-2:2022, ISO/IEC 27035-3:2020
5.27 Learning from information security incidents
  Related: ISO/IEC 27035-2:2022, ISO/IEC 27035-3:2020
5.28 Collection of evidence
  Related: ISO/IEC 27037:2012, ISO/IEC 27050-1:2019, ISO/IEC 27050-2:2018, ISO/IEC 27050-3:2020, ISO/IEC 27050-4:2021
5.29 Information security during disruption
  Related: ISO/IEC 22301:2019
5.30 ICT readiness for business continuity
  Related: ISO/TS 22317:2021, ISO/IEC 27031:2022
5.31 Legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.33 Protection of records
  Related: ISO 15489-1:2016
5.34 Privacy and protection of PII
  Related: ISO/IEC 27701:2019
5.35 Independent review of information security
  Related: ISO/IEC 27007:2020, ISO/IEC 27008:2019
5.36 Compliance with policies, rules and standards for information security
5.37 Documented operating procedures

6. People controls

6.1 Screening
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.7 Remote working
6.8 Information security event reporting
  Related: ISO/IEC 27035

7. Physical controls

7.1 Physical security perimeters
7.2 Physical entry
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring
7.5 Protecting against physical and environmental threats
7.6 Working in secure areas
7.7 Clear desk and clear screen
7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.10 Storage media
7.11 Supporting utilities
7.12 Cabling security
7.13 Equipment maintenance
7.14 Secure disposal or re-use of equipment
  Related: ISO/IEC 27040:2015

8. Technological controls

8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.4 Access to source code
8.5 Secure authentication
  Related: ISO/IEC 29115
8.6 Capacity management
8.7 Protection against malware
8.8 Management of technical vulnerabilities
8.9 Configuration management
8.10 Information deletion
  Related: ISO/IEC 27555
8.11 Data masking
  Related: ISO/IEC 20889
8.12 Data leakage prevention
8.13 Information backup
  Related: ISO/IEC 27040
8.14 Redundancy of information processing facilities
8.15 Logging
8.16 Monitoring activities
8.17 Clock synchronization
8.18 Use of privileged utility programs
8.19 Installation of software on operational systems
8.20 Networks security
  Related: ISO/IEC 27033, ISO/IEC TS 23167
8.21 Security of network services
8.22 Segregation of networks
8.23 Web filtering
8.24 Use of cryptography
  Related: ISO/IEC 11770
8.25 Secure development lifecycle
8.26 Application security requirements
  Related: ISO/IEC 27034
8.27 Secure system architecture and engineering principles
8.28 Secure coding
8.29 Security testing in development and acceptance
8.30 Outsourced development
  Related: ISO/IEC 27036
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit testing
