ISO 27001 Controls - A guide to implementing and auditing
By Bridget Kenyon
- Publisher
- IT Governance Publishing Ltd
- Year
- 2024
- Language
- English
- Pages
- 249
- Edition
- Second Edition
- Category
- Library
Synopsis
Following the success of the first edition, this book has been re-released to reflect the ISO/IEC 27001:2022 and ISO/IEC 27002:2022 updates.
Ideal for information security managers, auditors, consultants and organisations preparing for ISO 27001:2022 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001:2022. For anyone involved in internal or external audits, the book also sets out the requirements that auditors must address when certifying organisations to ISO 27001:2022.
The auditing guidance covers what evidence an auditor should look for to be satisfied that each requirement has been met. This guidance is useful for internal auditors and consultants, and also for information security managers and lead implementers as a means of confirming that their implementation, and the evidence supporting it, will be sufficient to pass an audit.
This guide is intended to be used by those involved in:
- Designing, implementing and/or maintaining an ISMS;
- Preparing for ISMS audits and assessments; or
- Undertaking both internal and third-party ISMS audits and assessments.
Table of Contents
Cover
Title
Copyright
About the Author
Disclaimer
Contents
Foreword
Chapter 1: Scope of this guide
Chapter 2: Field of application
2.1 Usage
2.2 Compliance
Chapter 3: Meeting ISO/IEC 27001 requirements
Chapter 4: Using control attributes
Chapter 5: Organizational controls (ISO/IEC 27001, A.5)
5.1 Policies for information security (ISO/IEC 27001, A.5.1)
5.2 Information security roles and responsibilities (ISO/IEC 27001, A.5.2)
5.3 Segregation of duties (ISO/IEC 27001, A.5.3)
5.4 Management responsibilities (ISO/IEC 27001, A.5.4)
5.5 Contact with authorities (ISO/IEC 27001, A.5.5)
5.6 Contact with special interest groups (ISO/IEC 27001, A.5.6)
5.7 Threat intelligence (ISO/IEC 27001, A.5.7)
5.8 Information security in project management (ISO/IEC 27001, A.5.8)
5.9 Inventory of information and other associated assets (ISO/IEC 27001, A.5.9)
5.10 Acceptable use of information and other associated assets (ISO/IEC 27001, A.5.10)
5.11 Return of assets (ISO/IEC 27001, A.5.11)
5.12 Classification of information (ISO/IEC 27001, A.5.12)
5.13 Labelling of information (ISO/IEC 27001, A.5.13)
5.14 Information transfer (ISO/IEC 27001, A.5.14)
5.15 Access control (ISO/IEC 27001, A.5.15)
5.16 Identity management (ISO/IEC 27001, A.5.16)
5.17 Authentication information (ISO/IEC 27001, A.5.17)
5.18 Access rights (ISO/IEC 27001, A.5.18)
5.19 Information security in supplier relationships (ISO/IEC 27001, A.5.19)
5.20 Addressing information security within supplier agreements (ISO/IEC 27001, A.5.20)
5.21 Managing information security in the information and communication technology (ICT) supply chain (ISO/IEC 27001, A.5.21)
5.22 Monitoring, review and change management of supplier services (ISO/IEC 27001, A.5.22)
5.23 Information security for use of cloud services (ISO/IEC 27001, A.5.23)
5.24 Information security incident management planning and preparation (ISO/IEC 27001, A.5.24)
5.25 Assessment and decision on information security events (ISO/IEC 27001, A.5.25)
5.26 Response to information security incidents (ISO/IEC 27001, A.5.26)
5.27 Learning from information security incidents (ISO/IEC 27001, A.5.27)
5.28 Collection of evidence (ISO/IEC 27001, A.5.28)
5.29 Information security during disruption (ISO/IEC 27001, A.5.29)
5.30 ICT readiness for business continuity (ISO/IEC 27001, A.5.30)
5.31 Legal, statutory, regulatory and contractual requirements (ISO/IEC 27001, A.5.31)
5.32 Intellectual property rights (ISO/IEC 27001, A.5.32)
5.33 Protection of records (ISO/IEC 27001, A.5.33)
5.34 Privacy and protection of personal identifiable information (PII) (ISO/IEC 27001, A.5.34)
5.35 Independent review of information security (ISO/IEC 27001, A.5.35)
5.36 Compliance with policies, rules and standards for information security (ISO/IEC 27001, A.5.36)
5.37 Documented operating procedures (ISO/IEC 27001, A.5.37)
Chapter 6: People controls (ISO/IEC 27001, A.6)
6.1 Screening (ISO/IEC 27001, A.6.1)
6.2 Terms and conditions of employment (ISO/IEC 27001, A.6.2)
6.3 Information security awareness, education and training (ISO/IEC 27001, A.6.3)
6.4 Disciplinary process (ISO/IEC 27001, A.6.4)
6.5 Responsibilities after termination or change of employment (ISO/IEC 27001, A.6.5)
6.6 Confidentiality or non-disclosure agreements (ISO/IEC 27001, A.6.6)
6.7 Remote working (ISO/IEC 27001, A.6.7)
6.8 Information security event reporting (ISO/IEC 27001, A.6.8)
Chapter 7: Physical controls (ISO/IEC 27001, A.7)
7.1 Physical security perimeters (ISO/IEC 27001, A.7.1)
7.2 Physical entry (ISO/IEC 27001, A.7.2)
7.3 Securing offices, rooms and facilities (ISO/IEC 27001, A.7.3)
7.4 Physical security monitoring (ISO/IEC 27001, A.7.4)
7.5 Protecting against physical and environmental threats (ISO/IEC 27001, A.7.5)
7.6 Working in secure areas (ISO/IEC 27001, A.7.6)
7.7 Clear desk and clear screen (ISO/IEC 27001, A.7.7)
7.8 Equipment siting and protection (ISO/IEC 27001, A.7.8)
7.9 Security of assets off-premises (ISO/IEC 27001, A.7.9)
7.10 Storage media (ISO/IEC 27001, A.7.10)
7.11 Supporting utilities (ISO/IEC 27001, A.7.11)
7.12 Cabling security (ISO/IEC 27001, A.7.12)
7.13 Equipment maintenance (ISO/IEC 27001, A.7.13)
7.14 Secure disposal or re-use of equipment (ISO/IEC 27001, A.7.14)
Chapter 8: Technological controls (ISO/IEC 27001, A.8)
8.1 User end point devices (ISO/IEC 27001, A.8.1)
8.2 Privileged access rights (ISO/IEC 27001, A.8.2)
8.3 Information access restriction (ISO/IEC 27001, A.8.3)
8.4 Access to source code (ISO/IEC 27001, A.8.4)
8.5 Secure authentication (ISO/IEC 27001, A.8.5)
8.6 Capacity management (ISO/IEC 27001, A.8.6)
8.7 Protection against malware (ISO/IEC 27001, A.8.7)
8.8 Management of technical vulnerabilities (ISO/IEC 27001, A.8.8)
8.9 Configuration management (ISO/IEC 27001, A.8.9)
8.10 Information deletion (ISO/IEC 27001, A.8.10)
8.11 Data masking (ISO/IEC 27001, A.8.11)
8.12 Data leakage prevention (ISO/IEC 27001, A.8.12)
8.13 Information backup (ISO/IEC 27001, A.8.13)
8.14 Redundancy of information processing facilities (ISO/IEC 27001, A.8.14)
8.15 Logging (ISO/IEC 27001, A.8.15)
8.16 Monitoring activities (ISO/IEC 27001, A.8.16)
8.17 Clock synchronization (ISO/IEC 27001, A.8.17)
8.18 Use of privileged utility programs (ISO/IEC 27001, A.8.18)
8.19 Installation of software on operational systems (ISO/IEC 27001, A.8.19)
8.20 Networks security (ISO/IEC 27001, A.8.20)
8.21 Security of network services (ISO/IEC 27001, A.8.21)
8.22 Segregation of networks (ISO/IEC 27001, A.8.22)
8.23 Web filtering (ISO/IEC 27001, A.8.23)
8.24 Use of cryptography (ISO/IEC 27001, A.8.24)
8.25 Secure development life cycle (ISO/IEC 27001, A.8.25)
8.26 Application security requirements (ISO/IEC 27001, A.8.26)
8.27 Secure system architecture and engineering principles (ISO/IEC 27001, A.8.27)
8.28 Secure coding (ISO/IEC 27001, A.8.28)
8.29 Security testing in development and acceptance (ISO/IEC 27001, A.8.29)
8.30 Outsourced development (ISO/IEC 27001, A.8.30)
8.31 Separation of development, test and production environments (ISO/IEC 27001, A.8.31)
8.32 Change management (ISO/IEC 27001, A.8.32)
8.33 Test information (ISO/IEC 27001, A.8.33)
8.34 Protection of information systems during audit testing (ISO/IEC 27001, A.8.34)
Further reading