ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. The official documentation for ISO/IEC 27001:2013 can be found here.
| Control | Requirement |
| --- | --- |
| Handling of assets | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
| Access control policy | An access control policy shall be established, documented and reviewed based on business and information security requirements. |
| User registration and de-registration | A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
| Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. |
| Secure log-on procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
| Password management system | Password management systems shall be interactive and shall ensure quality passwords. |
| Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
| Key management | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. |
| Event logging | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. |
| Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. |
| Network controls | Networks shall be managed and controlled to protect information in systems and applications. |
| Security of network services | Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
| Segregation in networks | Groups of information services, users and information systems shall be segregated on networks. |
| Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
| Protecting application services transactions | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
| Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. |
If there is a specific requirement not included here that you would like to monitor, please email [email protected].