Trust Center

Trust, by design

At offgen.ai (operated by Aithera GmbH, Munich) we build AI tools for European companies for whom security cannot be an afterthought. The data that customers and their users entrust to us shapes every engineering, supplier and policy decision: not as a constraint, but as the actual brief. EU hosting, ISO 27001 in preparation, GDPR by design.

Compliance

Where we stand.

ISO 27001

In preparation

Our information security management system is being audited against ISO/IEC 27001, the international benchmark for the end-to-end protection of customer data.

GDPR

Active

All data is hosted in the EU and processed in accordance with the General Data Protection Regulation. Data subject rights, the record of processing activities and a data processing agreement (DPA) are available on request.

Resources

Documents on request.

Send us a short note and we will share the relevant security artefacts directly. We do not release them through a self-service portal because each document carries a fresh date and a current signature.

Engagement Letter

Recently updated · PDF on request

Request access

Controls

The controls we work to.

Mapped to ISO/IEC 27001 Annex A. Each of the following controls is implemented as part of our ISMS and reviewed regularly.

Infrastructure Security

  • Information security for use of cloud services

    Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

  • Use of cryptography

    Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

  • Secure authentication

    Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

  • Remote working

    Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

  • Security of network services

    Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

  • Clock synchronization

    The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

  • Application security requirements

    Information security requirements shall be identified, specified and approved when developing or acquiring applications.

Organizational Security

  • Determining the scope of the information security management system

    The organization shall determine the boundaries and applicability of the information security management system to establish its scope, considering external and internal issues, the requirements of interested parties, and interfaces and dependencies with other organizations. The scope shall be available as documented information.

  • Security of assets off-premises

    Off-site assets shall be protected.

  • Information security roles and responsibilities

    Information security roles and responsibilities shall be defined and allocated according to the organization’s needs.

  • Segregation of duties

    Conflicting duties and conflicting areas of responsibility shall be segregated.

  • Operation planning and control

    The organization shall plan, implement and control the processes needed to meet information security requirements, establish criteria for those processes, and control planned and unintended changes. Externally provided processes, products and services relevant to the ISMS shall be controlled.

  • Supporting utilities

    Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

  • Cabling security

    Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.

Product Security

  • Secure development life cycle

    Rules for the secure development of software and systems shall be established and applied.

Internal security procedures

  • Legal, statutory, regulatory and contractual requirements

    Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet them shall be identified, documented and kept up to date.

  • Protection of information systems during audit testing

    Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

  • Understanding the organization and its context

    The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system.

  • Understanding the needs of interested parties

    The organization shall determine interested parties relevant to the ISMS, their relevant requirements, and which of those requirements will be addressed through the ISMS.

  • Information security management system

    The organization shall establish, implement, maintain and continually improve an information security management system — including the processes needed and their interactions — in accordance with the requirements of ISO/IEC 27001.

  • Leadership and commitment

    Top management shall demonstrate leadership and commitment by ensuring the policy and objectives are set, integrating ISMS requirements into business processes, providing resources, communicating the importance of effective information security management, promoting continual improvement, and supporting other roles in their areas of responsibility.

  • Organizational roles, responsibilities and authorities

    Top management shall ensure responsibilities and authorities for information security roles are assigned and communicated, including responsibility for ISMS conformance and for reporting on ISMS performance.

  • Information security objectives and planning to achieve them

    The organization shall establish measurable information security objectives at relevant functions and levels, consistent with the policy, taking into account applicable requirements and risk-treatment results, and shall plan what will be done, what resources are required, who is responsible, when it will be completed and how results will be evaluated.

  • Communication

    The organization shall determine the need for internal and external communications relevant to the ISMS, including what, when, with whom and how to communicate.

  • Documented information

    The ISMS shall include documented information required by ISO/IEC 27001 and any further documented information determined as necessary for its effectiveness.

+ 10 more controls in this group

Data and privacy

  • Acceptable use of information and other associated assets

    Rules for the acceptable use, and procedures for handling, information and other associated assets shall be identified, documented and implemented.

  • Classification of information

    Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested-party requirements.

  • Labelling of information

    An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

  • Data leakage prevention

    Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Need a deeper review?

Procurement, IT or compliance teams can reach our security team directly for documentation, questionnaires or a walk-through.

Email security@offgen.ai