ISO27k Controls Cross Check 2013
Control cro
The spreadsheet classifies the information security controls recommended by ISO/IEC 27002:
Other classifications are possible. Furthermore, you may disagree with the particular way we
point for discussion. Feel free to modify this spreadsheet as you wish for your own purposes
One way to use the spreadsheet is to identify and mark any controls that are excluded from y
appropriate to your circumstances. Then look down the columns to check that you still have
You may also use this spreadsheet when deciding how to treat identified risks, choosing a ba
Copyright
This work is copyright 2014, ISO27k Forum, some rights reserved. It is licensed under the Creative Common
use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial prod
they are published or shared, derivative works are shared under the same terms as this.
ISO/IEC 27002
Control
section
5
5.1
Internal Organization
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.2
6.2.1
6.2.2
Prior to employment
7.1.1
7.1.2
Screening
Terms and conditions of employment
7.2
During employment
7.2.1
7.2.2
7.2.3
Management responsibilities
Information security awareness, education and training
Disciplinary process
7.3
7.3.1
8.1
8.2
Information classification
8.2.1
8.2.2
8.2.3
Classification of information
Labelling of information
Handling of assets
8.3
Media handling
8.3.1
8.3.2
8.3.3
Recover
Confidentiality
Integrity
Availability
Access Control
9.1
9.1.1
9.1.2
9.2
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3
User responsibilities
9.3.1
9.4
React
Asset Management
8.1.1
8.1.2
8.1.3
8.1.4
Primary objective
Detect
7.1
Prevent
6.1
Avoid
5.1.1
5.1.2
Type
Deter
10
Cryptographic controls
10.1.1
10.1.2
Secure Areas
11.1.1
11.1.2
11.1.3
11.1.4
11.1.5
11.1.6
11.2
Equipment
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
12.1.1
12.1.2
12.1.3
12.1.4
12.2
12.2.1
12.3
Backup
12.3.1
Information backup
12.4
12.4.1
12.4.2
12.4.3
12.4.4
Event logging
Protection of log information
Administrator and operator logs
Clock synchronisation
12.5
12.5.1
12.6
12.6.1
12.6.2
12.7
12.7.1
Communications security
13.1
13.1.1
13.1.2
13.1.3
Network controls
Security of network services
Segregation in networks
13.2
Information transfer
Operations security
12.1
13
11.1
12
Cryptography
10.1
11
14
14.1.1
14.1.2
14.1.3
14.2
14.2.1
14.2.2
14.2.3
14.2.4
14.2.5
14.2.6
14.2.7
14.2.8
14.2.9
14.3
Test data
14.3.1
15.1
15.2
15.2.1
15.2.2
16.1.1
16.1.2
16.1.3
16.1.4
16.1.5
16.1.6
16.1.7
17.1
17.2
Redundancies
17.2.1
Compliance
18.1
18.1.1
18.1.2
18.1.3
18.1.4
18.1.5
18.2
18.2.1
18.2.2
17.1.1
17.1.2
17.1.3
18
16.1
17
Supplier relationships
15.1.1
15.1.2
15.1.3
16
14.1
15