A.5.1 Management Direction
A set of information security policies

A.6.1 Internal Organisation
Roles and responsibilities, segregation of duties, contact with relevant authorities, contact with special interest groups, information security implemented in project management

A6.2 Mobile Devices and Teleworking
A policy and measures for mobile devices. A policy and measures for teleworking

A7.1 Prior to Employment
Pre-screening of employees, information security terms and conditions of employment

A7.2 During Employment
Management’s responsibility, awareness education and training, disciplinary processes

A7.3 Termination and Change of Employment
Responsibilities post-employment

A8.1 Responsibility for Assets
Asset Inventory, ownership, acceptable use, return of assets

A8.2 Information Classification
Classification of information, labelling information and handling assets

A8.3 Media Handling
Managing removal media, disposal of media, transfer of media

A9.1 Access Control
Access Control Policy, Access to networks and network services

A9.2 User Access Management
Registration and de-registration, provisioning, privileges, authentication, access rights, removal of rights

A9.3 User Responsibility
Authentication responsibilities

A9.4 System and Application Access Control
Access, log-on procedures, password management, utility programs, access to source code

A10.1 Cryptography
Cryptography Policy, Key Management

A11.1 Secure Areas
Physical security perimeters, entry controls, securing offices and facilities, external and environmental threats, secure areas, delivery and loading docks

A11.2 Equipment
Equipment siting, support utilities, cabling, equipment maintenance, removal of assets, securing equipment offsite, unattended user equipment, clear desk and clear screen

A12.1 Operational Procedures and Responsibilities
Documented operational procedures, change management, capacity management, separation of development and testing

A12.2 Malware
Protection against malware

A12.3 Backup
Backups in place and tested regularly

A12.4 Logging and Monitoring
Event logging, storing log in formation, administrator and operator logs, clock synchronisation

A12.5 Operational Software
Protection of installed software

A12.6 Technical Vulnerability Management
Management of vulnerabilities, restrictions on software installation

A12.7 Information Security Audits
Audits and verification of operational systems

A13.1 Network Security Management
Network controls, network services security, segregation in networks

A13.2 Information Transfer
Transfer policies and procedures, external parties, email, confidentiality and non-disclosure agreements

A14.1 Information Systems
Requirements, application services and public networks, application service transactions

A14.2 Development and Support
Development Policy, System change procedures, Operating Platform changes, modification to software
packages, secure system engineering, development
environment, outsourced development, security testing, acceptance testing

A14.3 Test data
Protecting test data

A15.1 Supplier Relationships
Supplier access, supplier agreements, supply chain

A15.2 Supplier Services
Monitor and audit suppliers, changes to supplier services

A16.1 Incidents and Improvements
Incident responsibilities, reporting of incidents, reporting weaknesses, assessment of events, incident response, learnings, collecting evidence

A17.1 Continuity
Continuity requirements, implementation of continuity processes, verifying and evaluating processes

A17.2 Redundancies
Ensuring information processing

A18.1 Compliance with Legal and Contractual Requirements
Documenting requirements, intellectual rights, protecting records, privacy, cryptographic regulations

A18.2 Security Reviews
Independent reviews, compliance with policies, technical compliance review