ISO 27001 is an international standard that helps organizations manage information security.


| Control | Description |
|---|---|
| A.5.1.1 Policies for Information Security | A set of policies for information security shall be defined. |
| A.6.1.1 Information Security Roles and Responsibilities | All information security responsibilities shall be defined and allocated. This mainly relies on Role-Based Access Control (RBAC), which helps organizations define and allocate the responsibilities set out in the information security policy. |
| A.6.1.2 Segregation of Duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. |
| A.6.1.3 Contact with Authorities | Appropriate contacts with relevant authorities shall be maintained. |
| A.6.1.4 Contact with Special Interest Groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. |
| A.8.1.1 Inventory of Assets | Assets associated with information and information processing facilities shall be identified, and an inventory of these assets shall be drawn up and maintained. |
| A.8.1.2 Ownership of Assets | Assets maintained in the inventory shall be owned. |
| A.8.1.3 Acceptable Use of Assets | Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented, and implemented. |
| A.8.2.1 Classification of Information | Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. |
| A.8.2.2 Labeling of Information | An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
| A.8.3.2 Disposal of Media | Media shall be disposed of securely when no longer required, using formal procedures. |
| A.9.1.1 Access Control Policy | An access control policy shall be established, documented, and reviewed based on business and information security requirements. |
| A.9.1.2 Access to Networks and Network Services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
| A.9.2.1 User Registration and De-Registration | A formal user registration and de-registration process shall be implemented to enable the assignment of access rights. Identity provisioning mechanisms such as IAM are used for this. |
| A.9.2.2 User Access Provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. |
| A.9.2.3 Management of Privileged Access Rights | The allocation and use of privileged access rights shall be restricted and controlled. A Privileged Account Management (PAM) solution is built to help organizations discover, protect, and manage privileged accounts and access. Access to privileged accounts is tightly monitored and audited, and additional controls can be added to ensure stronger protection of the most sensitive privileged accounts. |
| A.9.2.4 Management of Secret Authentication Information of Users | The allocation of secret authentication information shall be controlled through a formal management process. |
| A.9.3.1 User Responsibilities | Users shall be made accountable for safeguarding their authentication information, to prevent unauthorized access to systems and applications. |
| A.9.4.1 Information Access Restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. |
| A.9.4.2 Secure Log-On Procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
| A.9.4.3 Password Management System | Password management systems shall be interactive and shall ensure quality passwords. |
| A.9.4.4 Use of Privileged Utility Programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
| A.9.4.5 Access Control to Program Source Code | Access to program source code shall be restricted. |
| A.10.1.1 Policy on the Use of Cryptographic Controls | A policy on the use of cryptographic controls for the protection of information shall be developed and implemented. |
| A.10.1.2 Key Management | A policy on the use, protection, and lifetime of cryptographic keys shall be developed and implemented, covering their whole lifecycle. |


To view the available Compliance Programs, open Compliance in your Aqua CSPM Console and select Defaults or Custom to filter the programs displayed. You can also expand the program control details using the Expand Settings toggle.