ISO/IEC 27001

Summary

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties. The version used in this section is ISO/IEC 27001:2022 - Annex A.

Definitions

Definition	Requirements
ISO27001-5_16. Identity management	143. Unique access credentials 085. Allow session history queries 096. Set user's required privileges
ISO27001-5_17. Authentication information	127. Store hashed passwords 319. Make authentication options equally secure 380. Define a password management tool
ISO27001-5_22. Monitoring, review and change management of supplier services	262. Verify third-party components
ISO27001-5_28. Collection of evidence	377. Store logs based on valid regulation
ISO27001-5_33. Protection of records	377. Store logs based on valid regulation 080. Prevent log modification
ISO27001-5_34. Privacy and protection of Personal Identifiable Information (PII)	331. Guarantee legal compliance
ISO27001-5_35. Independent review of information security	378. Use of log management system
ISO27001-5_37. Documented operating procedures	232. Require equipment identity
ISO27001-7_2. Physical entry controls	114. Deny access with inactive credentials 143. Unique access credentials 096. Set user's required privileges
ISO27001-7_3. Securing offices, rooms and facilities	235. Define credential interface 257. Access based on user credentials
ISO27001-7_9. Security of assets off-premises	205. Configure PIN 213. Allow geographic location 326. Detect rooted devices
ISO27001-7_10. Storage media	214. Allow data destruction 350. Enable memory protection mechanisms
ISO27001-7_14. Secure disposal or re-use of equipment	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
ISO27001-8_1. User endpoint devices	205. Configure PIN 209. Manage passwords in cache 210. Delete information from mobile devices 261. Avoid exposing sensitive information 350. Enable memory protection mechanisms 373. Use certificate pinning
ISO27001-8_2. Privileged access rights	035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
ISO27001-8_3. Information access restriction	033. Restrict administrative access 096. Set user's required privileges
ISO27001-8_4. Access to source code	176. Restrict system objects 229. Request access credentials 265. Restrict access to critical processes
ISO27001-8_5. Secure authentication	228. Authenticate using standard protocols 319. Make authentication options equally secure
ISO27001-8_7. Protection against malware	118. Inspect attachments 273. Define a fixed security suite 353. Schedule firmware updates 374. Use of isolation methods in running applications
ISO27001-8_8. Management of technical vulnerabilities	259. Segment the organization network 353. Schedule firmware updates 365. Avoid exposing technical information 077. Avoid disclosing technical information
ISO27001-8_9. Configuration management	062. Define standard configurations
ISO27001-8_10. Information deletion	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
ISO27001-8_11. Data masking	300. Mask sensitive data
ISO27001-8_15. Logging	377. Store logs based on valid regulation 080. Prevent log modification
ISO27001-8_16. Monitoring activities	376. Register severity level 075. Record exceptional events in logs
ISO27001-8_17. Clock synchronization	363. Synchronize system clocks
ISO27001-8_19. Installation of software on operational systems	352. Enable trusted execution 353. Schedule firmware updates
ISO27001-8_20. Network controls	173. Discard unsafe inputs 251. Change access point IP 252. Configure key encryption 254. Change SSID name 356. Verify sub-domain names
ISO27001-8_21. Security of network services	249. Locate access points 250. Manage access points 253. Restrict network access 255. Allow access only to the necessary ports 257. Access based on user credentials
ISO27001-8_22. Web filtering	258. Filter website content
ISO27001-8_23. Segregation in networks	259. Segment the organization network
ISO27001-8_24. Use of cryptography	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 151. Separate keys for encryption and signatures 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 346. Use initialization vectors once 361. Replace cryptographic keys 370. Use OAEP padding with RSA 371. Use GCM Padding with AES 372. Proper Use of Initialization Vector (IV)
ISO27001-8_25. Secure development lifecycle	159. Obfuscate code 171. Remove commented-out code 180. Use mock data 322. Avoid excessive logging 036. Do not deploy temporary files 051. Store source code in a repository
ISO27001-8_26. Application security requirements	155. Application free of malicious code 161. Define secure default options 173. Discard unsafe inputs 176. Restrict system objects 184. Obfuscate application data 209. Manage passwords in cache 266. Disable insecure functionalities 326. Detect rooted devices 364. Provide extended validation (EV) certificates 373. Use certificate pinning 374. Use of isolation methods in running applications 375. Remove sensitive data from client-side applications 029. Cookies with security attributes 050. Control calls to interpreted code 077. Avoid disclosing technical information
ISO27001-8_27. Secure system architecture and engineering principles	266. Disable insecure functionalities 273. Define a fixed security suite 062. Define standard configurations
ISO27001-8_28. Secure coding	156. Source code without sensitive information 158. Use a secure programming language 161. Define secure default options 164. Use optimized structures 168. Initialize variables explicitly 171. Remove commented-out code 172. Encrypt connection strings 302. Declare dependencies explicitly 323. Exclude unverifiable files 342. Validate request parameters 344. Avoid dynamic code execution 348. Use consistent encoding 366. Associate type to variables
ISO27001-8_31. Separation of development, test and production environments	180. Use mock data

Last updated

2023/09/18