ISO 27001
ISO 27001 is an international standard that helps organizations manage information security.
| Control | Description |
|---|---|
| A.5.1.1 Policies for Information Security | A set of policies for information security shall be defined. |
| A.6.1.1 Information Security Roles and Responsibilities | All information security responsibilities shall be defined and allocated. This mainly relies on Role-Based Access Control (RBAC), which helps organizations define and allocate the responsibilities set forth in the information security policy. |
| A.6.1.2 Segregation of Duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. |
| A.6.1.3 Contact with Authorities | Appropriate contacts with relevant authorities shall be maintained. |
| A.6.1.4 Contact with Special Interest Groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. |
| A.8.1.1 Inventory of Assets | Assets associated with information and information processing facilities shall be identified, and an inventory of these assets shall be drawn up and maintained. |
| A.8.1.2 Ownership of Assets | Assets maintained in the inventory shall be owned. |
| A.8.1.3 Acceptable Use of Assets | Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented, and implemented. |
| A.8.2.1 Classification of Information | Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. |
| A.8.2.2 Labeling of Information | An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
| A.8.3.2 Disposal of Media | Media shall be disposed of securely when no longer required, using formal procedures. |
| A.9.1.1 Access Control Policy | An access control policy shall be established, documented, and reviewed based on business and information security requirements. |
| A.9.1.2 Access to Networks and Network Services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
| A.9.2.1 User Registration and De-Registration | A formal user registration and de-registration process shall be implemented to enable the assignment of access rights. Identity provisioning mechanisms such as IAM are used for this. |
| A.9.2.2 User Access Provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. |
| A.9.2.3 Management of Privileged Access Rights | The allocation and use of privileged access rights shall be restricted and controlled. A Privileged Account Management (PAM) solution helps organizations discover, protect, and manage privileged accounts and access. Access to privileged accounts is tightly monitored and audited, and additional controls can be added to strengthen the protection of the most sensitive privileged accounts. |
| A.9.2.4 Management of Secret Authentication Information of Users | The allocation of secret authentication information shall be controlled through a formal management process. |
| A.9.3.1 User Responsibilities | Users shall be made accountable for safeguarding their authentication information, to prevent unauthorized access to systems and applications. |
| A.9.4.1 Information Access Restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. |
| A.9.4.2 Secure Log-On Procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
| A.9.4.3 Password Management System | Password management systems shall be interactive and shall ensure quality passwords. |
| A.9.4.4 Use of Privileged Utility Programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
| A.9.4.5 Access Control to Program Source Code | Access to program source code shall be restricted. |
| A.10.1.1 Policy on the Use of Cryptographic Controls | A policy on the use of cryptographic controls for the protection of information shall be developed and implemented. |
| A.10.1.2 Key Management | A policy on the use, protection, and lifetime of cryptographic keys shall be developed and implemented, covering their whole lifecycle. |
To view the available compliance programs, open Compliance in your Aqua CSPM Console and select Defaults or Custom to filter the programs displayed. You can also expand the control details of a program using the Expand Settings toggle.