5.1.1 Develop an information security policy document

5.1.2 Review your information security policy

6.1.1 Make an active commitment to information security

6.1.2 Coordinate information security implementation

6.1.3 Allocate information security responsibilities

6.1.4 Establish an authorization process for new facilities

6.1.5 Use confidentiality agreements to protect information

6.1.6 Maintain relationships with other organizations

6.1.7 Maintain relationships with special interest groups

6.1.8 Perform independent information system reviews

6.2.1 Identify risks related to the use of external parties

6.2.2 Address security before customers are given access

6.2.3 Address security using third party agreements

7.1.1 Compile an inventory of organizational assets

7.1.2 Select owners for your information and assets

7.1.3 Establish acceptable use rules for information and assets

7.2.1 Develop information classification guidelines

7.2.2 Use information handling and labeling procedures

8.1.1 Define your security roles and responsibilities

8.1.2 Verify the backgrounds of all new personnel

8.1.3 Use contracts to protect your organization’s information

8.2.1 Expect your managers to emphasize security

8.2.2 Deliver information security training programs

8.2.3 Set up a disciplinary process for security breaches

8.3.1 Assign responsibility for termination or reassignment

8.3.2 Make sure that assets are returned at termination

8.3.3 Remove information access rights at termination

9.1.1 Use physical security perimeters to protect areas

9.1.2 Use physical entry controls to protect secure areas

9.1.3 Secure your organization’s offices, rooms, and facilities

9.1.4 Protect your facilities from natural and human threats

9.1.5 Use work guidelines to protect secure areas

9.1.6 Isolate and control public access points

9.2.1 Use equipment siting and protection strategies

9.2.2 Make sure that supporting utilities are reliable

9.2.3 Secure power and telecommunications cables

9.2.4 Maintain your organization’s equipment

9.2.5 Protect your organization’s off‑site equipment

9.2.6 Control equipment disposal and re‑use

9.2.7 Control the use of assets off‑site

10.1.1 Document your operating procedures

10.1.2 Control changes to facilities and systems

10.1.3 Segregate duties and responsibilities

10.1.4 Separate development and operations

10.2.1 Manage third party service agreements

10.2.2 Monitor third party service delivery

10.2.3 Control changes to third party services

10.3.1 Monitor usage and carry out capacity planning

10.3.2 Use acceptance criteria to test your systems

10.4.1 Establish controls to handle malicious code

10.4.2 Control the use of mobile code

10.5.1 Backup your information and software

10.6.1 Establish network security controls

10.6.2 Control network service providers

10.7.1 Manage your organization’s removable media

10.7.2 Manage the disposal of your organization’s media

10.7.3 Control information handling and storage

10.7.4 Protect your system documentation

10.8.1 Establish information exchange policies and procedures

10.8.2 Establish information and software exchange agreements

10.8.3 Safeguard the transportation of physical media

10.8.4 Protect electronic messaging and messages

10.8.5 Protect interconnected business information systems

10.9.1 Protect information involved in ecommerce

10.9.2 Protect on‑line transaction information

10.9.3 Protect information available on public systems

10.10.1 Establish and maintain audit logs

10.10.2 Monitor information processing facilities

10.10.3 Protect logging facilities and log information

10.10.4 Log system administrator and operator activities

10.10.5 Log information processing and communication faults

10.10.6 Synchronize your system clocks

11.1.1 Develop a policy to control access to information

11.2.1 Establish a user access control procedure

11.2.2 Control the management of system privileges

11.2.3 Establish a process to manage passwords

11.2.4 Review user access rights and privileges

11.3.1 Expect users to protect their passwords

11.3.2 Expect users to protect their equipment

11.3.3 Establish a clear‑desk and clear‑screen policy

11.4.1 Formulate a policy on the use of networks

11.4.2 Authenticate remote user connections

11.4.3 Use automatic equipment identification methods

11.4.4 Control access to diagnostic and configuration ports

11.4.5 Use segregation methods to protect your networks

11.4.6 Restrict connection to shared networks

11.4.7 Establish network routing controls

11.5.1 Establish secure log‑on procedures

11.5.2 Identify and authenticate all users

11.5.3 Establish a password management system

11.5.4 Control the use of all system utilities

11.5.5 Use session time‑outs to protect information

11.5.6 Restrict connection times in high‑risk areas

11.6.1 Restrict access by users and support personnel

11.6.2 Isolate sensitive application systems

11.7.1 Protect mobile computing and communications

11.7.2 Protect and control teleworking activities

12.1.1 Identify security controls and requirements

12.2.1 Validate data input into your applications

12.2.2 Use validation checks to control processing

12.2.3 Protect message integrity and authenticity

12.2.4 Validate your applications’ output data

12.3.1 Implement a policy on the use of cryptographic controls

12.3.2 Establish a secure key management system

12.4.1 Control the installation of operational software

12.4.2 Control the use of system data for testing

12.4.3 Control access to program source code

12.5.1 Establish formal change control procedures

12.5.2 Review applications after operating system changes

12.5.3 Restrict changes to software packages

12.5.4 Prevent information leakage opportunities

12.5.5 Control outsourced software development

12.6.1 Control your technical system vulnerabilities

13.1.1 Report information security events as quickly as possible

13.1.2 Report security weaknesses in systems and services

13.2.1 Establish incident response responsibilities & procedures

13.2.2 Learn from your information security incidents

13.2.3 Collect evidence to support your actions

14.1.1 Establish a business continuity process for information

14.1.2 Identify the events that could interrupt your business

14.1.3 Develop and implement your business continuity plans

14.1.4 Establish a business continuity planning framework

14.1.5 Test and update your business continuity plans

15.1.1 Identify all relevant legal requirements

15.1.2 Respect intellectual property rights (IPR)

15.1.3 Protect your organization’s records

15.1.4 Protect the privacy of personal information

15.1.5 Prevent misuse of data processing facilities

15.1.6 Control the use of cryptographic controls

15.2.1 Review compliance with security policies and standards

15.2.2 Review technical security compliance

15.3.1 Control the audit of information systems

15.3.2 Protect information system audit tools