ISO/IEC 27001

Summary

ISO/IEC 27001 is the widely known standard that specifies the requirements for an information security management system (ISMS), though the ISO/IEC 27000 family comprises more than a dozen standards. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties. The version used in this section is ISO/IEC 27001:2013 - Annex A.

Definitions

| Definition | Requirements |
| --- | --- |
| 9_1_2. Access to networks and network services | 253. Restrict network access |
| | 257. Access based on user credentials |
| 9_2_1. User registration and de-registration | 034. Manage user accounts |
| 9_2_2. User access provisioning | 034. Manage user accounts |
| 9_2_3. Management of privileged access rights | 035. Manage privilege modifications |
| 9_4_2. Secure log-on procedures | 264. Request authentication |
| 9_4_5. Access control to program source code | 051. Store source code in a repository |
| 12_2_1. Controls against malware | 155. Application free of malicious code |
| 12_4_1. Event logging | 075. Record exceptional events in logs |
| | 376. Register severity level |
| | 377. Store logs based on valid regulation |
| | 378. Use of log management system |
| 12_4_2. Protection of log information | 080. Prevent log modification |
| 12_4_3. Administrator and operator logs | 075. Record exceptional events in logs |
| 12_4_4. Clock synchronization | 363. Synchronize system clocks |
| 12_6_1. Management of technical vulnerabilities | 262. Verify third-party components |
| 13_1_3. Segregation in networks | 259. Segment the organization network |
| 13_2_3. Electronic messaging | 181. Transmit data using secure protocols |
| 14_1_3. Protecting application services transactions | 030. Avoid object reutilization |
| | 088. Request client certificates |
| | 178. Use digital signatures |
| | 181. Transmit data using secure protocols |
| | 324. Control redirects |
| 14_2_2. System change control procedures | 051. Store source code in a repository |
| 14_3_1. Protection of test data | 180. Use mock data |
| 18_1_2. Intellectual property rights | 331. Guarantee legal compliance |
| 18_1_3. Protection of records | 177. Avoid caching and temporary files |
| | 180. Use mock data |
| | 181. Transmit data using secure protocols |
| | 183. Delete sensitive data securely |
| | 184. Obfuscate application data |
| | 185. Encrypt sensitive information |
| | 261. Avoid exposing sensitive information |
| | 300. Mask sensitive data |
| | 329. Keep client-side storage without sensitive data |
| | 331. Guarantee legal compliance |
| | 360. Remove unnecessary sensitive information |
| | 375. Remove sensitive data from client-side applications |
| 18_1_4. Privacy and protection of personally identifiable information | 189. Specify the purpose of data collection |
| | 310. Request user consent |
| | 311. Demonstrate user consent |
| | 312. Allow user consent revocation |
| | 313. Inform inability to identify users |
| | 314. Provide processing confirmation |
| | 315. Provide processed data information |
| | 316. Allow rectification requests |
| | 317. Allow erasure requests |
| | 318. Notify third parties of changes |
| | 331. Guarantee legal compliance |
| | 343. Respect the Do Not Track header |
| | 360. Remove unnecessary sensitive information |
| 18_1_5. Regulation of cryptographic controls | 331. Guarantee legal compliance |