ISO/IEC 27001:2013 Clause
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the ISMS
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
AnnexA-2013
ISO/IEC 27002:2013 Control
5 Information security policies
5.1 Management direction for information security
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal Organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy
6.2.2 Teleworking
7 Human Resources Security
7.1 Prior to employment
7.1.1 Screening
7.1.2 Terms and conditions of employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination or change of employment
7.3.1 Termination or change of employment responsibilities
8 Asset Management
8.1 Responsibility for Assets
8.1.1 Inventory of Assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.2 Information classification
8.2.1 Classification guidelines
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical Media transfer
9 Access Control
9.1 Business requirements for access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
9.2 User access management
9.2.1 User registration and deregistration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
AnnexA-2005
ISO/IEC 27002:2005 Control
5 Security policy
5.1 Information security policy
5.1.1 Information Security Policy document
5.1.2 Review of the information security policy
6 Organization of information security
6.1 Internal Organization
6.1.1 Management commitment to information security
6.1.2 Information security coordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security
6.2 External Parties
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements
7 Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets
7.1.2 Ownership of assets
7.1.3 Acceptable use of assets
7.2 Information classification
7.2.1 Classification guidelines
7.2.2 Information labelling and handling
8 Human Resources Security
8.1 Prior to employment
8.1.1 Roles and responsibilities
8.1.2 Screening
8.1.3 Terms and conditions of employment
8.2 During employment
8.2.1 Management responsibilities
8.2.2 Information security awareness, education and training
8.2.3 Disciplinary process
8.3 Termination or change of employment
8.3.1 Termination responsibilities
8.3.2 Return of assets
8.3.3 Removal of access rights
9 Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical security perimeter
9.1.2 Physical entry controls
9.1.3 Securing offices, rooms and facilities
9.1.4 Protecting against external and environmental threats
9.1.5 Working in secure areas
9.1.6 Public access, delivery and loading areas
AnnexA-2005-NIST
ISO/IEC 27002:2005 Control, followed by the mapped NIST SP 800-53r4 Controls
5 Security policy
5.1 Information security policy
5.1.1 Information Security Policy document XX-1 controls
5.1.2 Review of the information security policy XX-1 controls
6 Organization of information security
6.1 Internal Organization
6.1.1 Management commitment to information security XX-1 controls, PM-2, PM-3, PM-9; SP 800-39, SP 800-37
6.1.2 Information security coordination CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2; SP 800-39, SP 800-37
6.1.3 Allocation of information security responsibilities XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
6.1.4 Authorization process for information processing facilities CA-1, CA-6, PM-10; SP 800-37
6.1.5 Confidentiality agreements PL-4, PS-6, SA-9
6.1.6 Contact with authorities Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39; SP 800-37
6.1.7 Contact with special interest groups PM-15, SI-5
6.1.8 Independent review of information security CA-2, CA-7; SP 800-39, SP 800-37
6.2 External Parties
6.2.1 Identification of risks related to external parties CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
6.2.2 Addressing security when dealing with customers AC-8, AT-2, PL-4
6.2.3 Addressing security in third party agreements AU-16, CA-2, CA-3, PS-7, SA-9
7 Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets CM-8, CM-9, PM-5
7.1.2 Ownership of assets CM-8, CM-9, PM-5
7.1.3 Acceptable use of assets AC-20, PL-4
7.2 Information classification
7.2.1 Classification guidelines RA-2
7.2.2 Information labelling and handling AC-16, MP-2, MP-3, SC-16
8 Human Resources Security
8.1 Prior to employment
8.1.1 Roles and responsibilities XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9
8.1.2 Screening PS-3
8.1.3 Terms and conditions of employment AC-16, MP-2, MP-3, SC-16
8.2 During employment
8.2.1 Management responsibilities PL-4, PM-13, PM-14, PS-6, PS-7, SA-9
8.2.2 Information security awareness, education and training AT-2, AT-3, IR-2
8.2.3 Disciplinary process PS-8
8.3 Termination or change of employment
8.3.1 Termination responsibilities PS-4, PS-5
8.3.2 Return of assets PS-4, PS-5, PE-3
8.3.3 Removal of access rights AC-2, PS-4, PS-5
9 Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical security perimeter PE-3
9.1.2 Physical entry controls PE-3, PE-5, PE-6
12.3.1 Policy on the use of cryptographic controls Multiple controls address cryptography (e.g., IA-7, SC-8, SC-12, SC-13)
12.3.2 Key management SC-12, SC-17
12.4 Security of system files
12.4.1 Control of operational software CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4
12.4.2 Protection of system test data Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4)
12.4.3 Access control to program source code AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
12.5 Security in development and support processes
12.5.1 Change control procedures CM-1, CM-3, CM-9, SA-10
12.5.2 Technical review of applications after operating system changes CM-3, CM-4, CM-9, SI-2
12.5.3 Restrictions on changes to software packages CM-3, CM-4, CM-5, CM-9
12.5.4 Information leakage AC-4, IR-9, PE-19
12.5.5 Outsourced software development CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-13, SA-15, SA-17
12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities RA-3, RA-5, SI-2, SI-5
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information security events AU-6, IR-1, IR-6, SI-4, SI-5
13.1.2 Reporting weaknesses PL-4, SI-2, SI-4, SI-5
13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and procedures IR-1
13.2.2 Learning from information security incidents IR-4
13.2.3 Collection of evidence AU-7, AU-9, IR-4
14 Business Continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process CP-1, CP-2, CP-4
14.1.2 Business continuity and risk assessment CP-2, PM-9, RA Family
14.1.3 Developing and implementing continuity plans including information security CP Family
14.1.4 Business continuity planning framework CP-2, CP-4
14.1.5 Testing, maintaining and re-assessing business continuity plans CP-2, CP-4
15 Compliance
15.1 Compliance with legal requirements
15.1.1 Identification of applicable legislation XX-1 controls, IA-7
15.1.2 Intellectual Property Rights (IPR) CM-10
15.1.3 Protection of organisational records AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
15.1.4 Data protection and privacy of personal information Appendix J; SI-12
15.1.5 Prevention of misuse of information processing facilities AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
15.1.6 Regulation of cryptographic controls IA-7, SC-13
15.2 Compliance with security policies and standards, and technical compliance
15.2.1 Compliance with security policies and standards XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12
15.2.2 Technical compliance checking CA-2, CA-7, RA-5
15.3 Information systems audit considerations
15.3.1 Information systems audit controls AU-1, AU-2
15.3.2 Protection of information system audit tools AU-9
ISO/IEC 27002:2013 Control
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
9.4 Application and information access control
9.4.1 Information access restriction
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services
15.2.2 Managing changes to supplier services
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
Mapped ISO/IEC 27002:2005 control for each ISO/IEC 27002:2013 control (extracted column; entries follow Annex A order starting at 6.2.1 Mobile device policy, one entry per 2013 control, with the 2013 titles lost in extraction; a section number marks the start of that 2013 section; NEW CONTROL marks a 2013 control with no 2005 predecessor):
Section 6 (from 6.2.1): 11.7.1; 11.7.2
Section 7: 8.1.2; 8.1.3; 8.2.1; 8.2.2; 8.2.3; 8.3.1
Section 8: 7.1.1; 7.1.2; 7.1.3; 7.2.1; 7.2.2; 10.7.3; 10.7.1; 10.7.2; 10.8.3
Section 9: 11.1.1; 11.4.1; 11.2.1, 11.5.2; 11.2.3; 11.2.3; 11.2.4; 8.3.3; 11.3.1; 11.6.1; 11.5.3; 11.5.4; 12.4.3
Section 10: 12.3.1; 12.3.2
Section 11: 9.1.1; 9.1.2; 9.1.3; 9.1.4; 9.1.5; 9.1.6; 9.2.1; 9.2.2; 9.2.3; 9.2.5; 9.2.4; 9.2.7; 9.2.5; 9.2.6; 11.3.2; 11.3.3
Section 12: 10.1.1; 10.1.2, 10.1.1; 10.3.1; 10.1.4; 10.4.1; 10.5.1; 10.10.1; 10.10.3; 10.10.3, 10.10.4; 10.10.6; 12.4.1; 12.6.1; NEW CONTROL; 11.1; 15.3.1
Section 13: 10.6.1; 10.6.2; 11.4.5; 10.8.1; 10.8.2; 10.8.4; 6.1.5
Section 14 (marked 13 in the extraction; the entries run on into section 15 without a separate marker): 12.1.1; 10.9.1, 10.9.3; 10.9.2; NEW CONTROL; 12.5.1; 12.5.2; 12.5.3; NEW CONTROL; NEW CONTROL; 12.5.5; NEW CONTROL; 10.3.2; 12.4.2; NEW CONTROL; NEW CONTROL; 6.2.3; 6.2.3; NEW CONTROL; 10.2.2; 10.2.3
Section 16: 13.2.1; 13.1.1; 13.1.2; NEW CONTROL; NEW CONTROL; 13.2.2; 13.2.3
Section 17: 14.1.2; NEW CONTROL; 14.1.5; NEW CONTROL; NEW CONTROL
Section 18: 15.1.1; 15.2.1; 15.1.3; 15.1.4; 15.1.6; 6.1.8; 15.2.1; 15.2.2
Mapped ISO/IEC 27002:2005 control with its NIST SP 800-53r4 controls, for the ISO/IEC 27002:2013 controls (partial extracted columns; entries follow the same Annex A order as the 2013-to-2005 column above, starting from 2005 control 10.1.3 Segregation of duties; a section number marks the start of that 2013 section; NEW CONTROL marks a 2013 control with no 2005 predecessor):
10.1.3: AC-5
6.1.6: Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39; SP 800-37
8.1.2: PS-3
8.1.3: AC-16, MP-2, MP-3, SC-16
7.2.1: RA-2
7.2.2: AC-16, MP-2, MP-3, SC-16
10.7.3: MP Family, SI-12
11.2.1, 11.5.2: AC-1, AC-2, AC-21, IA-5, PE-1, PE-2 and IA-2, IA-4, IA-5, IA-8; AC-3, AC-6, AC-14, CM-5 (two adjacent rows merged in the extraction)
11.2.3: IA-5
11.2.3: IA-5
11.2.4: AC-2, PE-2
8.3.3: AC-2, PS-4, PS-5
12.3.1: Multiple controls address cryptography (e.g., IA-7, SC-8, SC-12, SC-13)
12.3.2: SC-12, SC-17
Section 11
9.1.1: PE-3
9.1.2: PE-3, PE-5, PE-6
9.1.3: PE-3, PE-4, PE-5
9.1.4: CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15
9.1.5: AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8
9.1.6: PE-3, PE-16
10.4.1: AC-19, AT-2, SA-8, SC-2, SC-3, SC-7, SC-42, SI-3, SI-7
10.5.1: CP-9
12.4.1: CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4
10.6.1: AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23
10.6.2: CA-3, SA-9, SC-8
11.4.5: AC-4, SA-8, SC-7
10.8.1: AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16
10.8.2: CA-3, SA-9, SC-8
10.8.4: Multiple controls; electronic messaging not addressed separately in SP 800-53
6.1.5: PL-4, PS-6, SA-9
Section 14 (marked 13 in the extraction; the entries run on into section 15 without a separate marker)
NEW CONTROL
12.5.1: CM-1, CM-3, CM-9, SA-10
12.5.2: CM-3, CM-4, CM-9, SI-2
12.5.3: CM-3, CM-4, CM-5, CM-9
NEW CONTROL
NEW CONTROL
12.5.5: CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-13, SA-15, SA-17
NEW CONTROL
10.3.2: CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15
12.4.2: Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4)
NEW CONTROL
NEW CONTROL
6.2.3: AU-16, CA-2, CA-3, PS-7, SA-9
6.2.3: AU-16, CA-2, CA-3, PS-7, SA-9
NEW CONTROL
10.2.2: SA-9
10.2.3: RA-3, SA-9, SA-10
Section 16
13.2.1: IR-1
13.1.1: AU-6, IR-1, IR-6, SI-4, SI-5
13.1.2: PL-4, SI-2, SI-4, SI-5
NEW CONTROL
NEW CONTROL
13.2.2: IR-4
13.2.3: AU-7, AU-9, IR-4
Section 17