The organization should direct, monitor and review the activities related to outsourced system development

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements

Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy and rules on access control

Read and write access to source code, development tools and software libraries should be appropriately managed

Information security requirements should be identified, specified and approved when developing or acquiring applications

Allocation and management of authentication information should be controlled by a management process, including advising personnel of appropriate handling of authentication information

Cables carrying power, data or supporting information services should be protected from interception, interference or damage

The use of resources should be monitored and adjusted in line with current and expected capacity requirements

Changes to information processing facilities and information systems should be subject to change management procedures

Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements

The clocks of information processing systems used by the organization should be synchronized to approved time sources

The organization should establish and implement procedures for the identification, collection, acquisition and preservation of information from information security incidents

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed

The organization should establish and maintain contact with relevant authorities

Data masking should be used in accordance with the organization’s topic-specific policy on access control and business requirement, taking legal requirements into consideration

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation

Operating procedures for information processing facilities should be documented and made available to personnel who need them

Equipment should be maintained correctly

The full lifecycle of identities should be managed

The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner

Information transfer rules, procedures, or agreements, both within the organization and between the organization and other parties, should be in place for all types of transfer facilities

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization

Logs that record activities, exceptions, faults and other relevant events should be produced, protected, stored and analysed

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents

Networks should be managed and controlled to protect information in systems and applications

Secure areas should be protected by appropriate entry controls and access points

Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and other associated assets

The organization should identify and meet the requirements regarding preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements

The allocation and use of privileged access rights should be restricted and managed

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legal, statutory, regulatory, contractual and business requirements

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises

Personnel and other interested parties as appropriate should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis in accordance with applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control

Secure coding principles should be applied to software development

Rules for the secure development of software and systems should be established and applied

Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities

Security testing processes should be defined and implemented in the development lifecycle

Groups of information services, users, and information systems should be segregated in the organization’s networks

Storage media should be managed through its lifecycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements

The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled

Information stored on, processed by or accessible via user endpoint devices should be protected

Access to external websites should be managed to reduce exposure to malicious content

Procedures for working in secure areas should be designed and implemented

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Rules for the acceptable use and procedures for the handling of information and other associated assets should be identified, documented and implemented

An access control policy shall be established, documented and reviewed based on business and information security requirements.

Access to program source code shall be restricted.

Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Agreements shall address the secure transfer of business information between the organization and external parties.

The organization should assess information security events and decide if they are to be categorized as information security incidents

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and enforced

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Compliance with the organization’s information security policy, topic-specific policies and standards should be regularly reviewed

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.

Appropriate contacts with relevant authorities shall be maintained.

The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Data leakage prevention measures should be applied to systems, networks and endpoint devices that process, store or transmit sensitive information

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Media shall be disposed of securely when no longer required, using formal procedures.

Operating procedures shall be documented and made available to all users who need them.

Information involved in electronic messaging shall be appropriately protected.

Equipment shall be correctly maintained to ensure its continued availability and integrity.

Equipment should be sited securely and protected

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements

All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

Information security relevant legal, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements should be identified, documented and kept up to date

The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

The organization’s approach to managing information security and its implementation including people process and technology should be reviewed independently at planned intervals, or when significant changes occur

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control

Access to information and application system functions shall be restricted in accordance with the access control policy.

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup

Information stored in information systems and devices should be deleted when no longer required

The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of organizational policies and procedures, as relevant for their job function

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

The organization should plan how to maintain information security at an appropriate level during disruption

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements

Information security should be integrated into the organization's project management activities

Information security shall be addressed in project management, regardless of the type of the project.