Updated
Feb 21, 2022, 11:44:03 AM
Name
ISO/IEC 27002 [2022]
Description
ISO/IEC 27002:2022 controls

{
    "label": "ISO/IEC 27002 [2013]",
    "language": "EN",
    "refs": [
        "https://www.iso.org/standard/54533.html"
    ],
    "uuid": "98ca84fb-db87-11e8-ac77-0800279aaa2b",
    "values": [
        {
            "category": "Information security policies",
            "code": "5.1.1",
            "label": "Policies for information security",
            "uuid": "267fc596-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Information security policies",
            "code": "5.1.2",
            "label": "Review of the policies for information security",
            "uuid": "267fc6a6-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.1.1",
            "label": "Information security roles and responsibilities",
            "uuid": "267fc73c-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.1.2",
            "label": "Segregation of duties",
            "uuid": "267fd0b1-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.1.3",
            "label": "Contact with authorities",
            "uuid": "267fc7c0-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.1.4",
            "label": "Contact with special interest groups",
            "uuid": "267fc80f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.1.5",
            "label": "Information Security in Project Management",
            "uuid": "267fe6b9-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.2.1",
            "label": "Mobile device policy",
            "uuid": "267fd9d0-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Organization of information security",
            "code": "6.2.2",
            "label": "Teleworking",
            "uuid": "267fda0e-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Human resource security",
            "code": "7.1.1",
            "label": "Screening",
            "uuid": "267fca6b-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Human resource security",
            "code": "7.1.2",
            "label": "Terms and conditions of employment",
            "uuid": "267fcaad-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Human resource security",
            "code": "7.2.1",
            "label": "Management responsibilities",
            "uuid": "267fc6f7-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Human resource security",
            "code": "7.2.2",
            "label": "Information security awareness, education and training",
            "uuid": "267fcaeb-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Human resource security",
            "code": "7.2.3",
            "label": "Disciplinary process",
            "uuid": "267fcb29-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Human resource security",
            "code": "7.3.1",
            "label": "Termination or change of employment responsibilities",
            "uuid": "267fcb79-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.1.1",
            "label": "Inventory of Assets",
            "uuid": "267fc90c-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.1.2",
            "label": "Ownership of assets",
            "uuid": "267fc94c-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.1.3",
            "label": "Acceptable use of assets",
            "uuid": "267fc989-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.1.4",
            "label": "Return of assets",
            "uuid": "267fcbce-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.2.1",
            "label": "Classification guidelines",
            "uuid": "267fc9c9-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.2.2",
            "label": "Labelling of information",
            "uuid": "267fca19-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.2.3",
            "label": "Handling of assets",
            "uuid": "267fe71a-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.3.1",
            "label": "Management of removeable media",
            "uuid": "267fd32a-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.3.2",
            "label": "Disposal of media",
            "uuid": "267fd369-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Asset management",
            "code": "8.3.3",
            "label": "Physical Media transfer",
            "uuid": "267fd421-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.1.1",
            "label": "Access control policy",
            "uuid": "267fd659-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.1.2",
            "label": "Access to networks and network services",
            "uuid": "267fd81b-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.2.1",
            "label": "User registration and deregistration",
            "uuid": "267fd899-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.2.2",
            "label": "User access provisioning",
            "uuid": "267fe782-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.2.3",
            "label": "Management of privileged access rights",
            "uuid": "267fd69f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.2.4",
            "label": "Management of secret authentication information of users",
            "uuid": "267fd6e4-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.2.5",
            "label": "Review of user access rights",
            "uuid": "267fd723-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.2.6",
            "label": "Removal or adjustment of access rights",
            "uuid": "267fcc3c-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.3.1",
            "label": "Use of secret authentication information",
            "uuid": "267fd761-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.4.1",
            "label": "Information access restriction",
            "uuid": "267fd993-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.4.2",
            "label": "Secure log-on procedures",
            "uuid": "267fd954-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.4.3",
            "label": "Password management system",
            "uuid": "267fd8d8-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.4.4",
            "label": "Use of privileged utility programs",
            "uuid": "267fd917-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Access control",
            "code": "9.4.5",
            "label": "Access control to program source code",
            "uuid": "267fdbf1-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Cryptography",
            "code": "10.1.1",
            "label": "Policy on the use of cryptographic controls",
            "uuid": "267fda8c-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Cryptography",
            "code": "10.1.2",
            "label": "Key management",
            "uuid": "267fdacc-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.1.1",
            "label": "Physical security perimeter",
            "uuid": "267fcca4-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.1.2",
            "label": "Physical entry controls",
            "uuid": "267fcce9-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.1.3",
            "label": "Securing offices, rooms and facilities",
            "uuid": "267fcd30-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.1.4",
            "label": "Protecting against external and environmental attacks",
            "uuid": "267fcd6f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.1.5",
            "label": "Working in secure areas",
            "uuid": "267fcdac-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.1.6",
            "label": "Delivery and loading areas",
            "uuid": "267fcdec-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.1",
            "label": "Equipment siting and protection",
            "uuid": "267fce44-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.2",
            "label": "Supporting utilities",
            "uuid": "267fce8a-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.3",
            "label": "Cabling Security",
            "uuid": "267fcecb-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.4",
            "label": "Equipment maintenance",
            "uuid": "267fcf0a-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.5",
            "label": "Security of equipment off-premises",
            "uuid": "267fcfdf-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.6",
            "label": "Security of equipment and assets off-premises",
            "uuid": "267fcf4f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.7",
            "label": "Secure disposal or re-use of equipment",
            "uuid": "267fcf90-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.8",
            "label": "Unattended user equipment",
            "uuid": "267fd7a0-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Physical and environmental security",
            "code": "11.2.9",
            "label": "Clear desk and clear screen policy",
            "uuid": "267fd7dd-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.1.1",
            "label": "Documented operating procedures",
            "uuid": "267fd029-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.1.2",
            "label": "Change management",
            "uuid": "267fd073-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.1.3",
            "label": "Capacity management",
            "uuid": "267fd1a8-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.1.4",
            "label": "Separation of development, testing and operational environments",
            "uuid": "267fd0ef-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.2.1",
            "label": "Controls against malicious code",
            "uuid": "267fd22e-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.3.1",
            "label": "Information Backup",
            "uuid": "267fd272-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.4.1",
            "label": "Event logging",
            "uuid": "267fd529-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.4.2",
            "label": "Protection of log information",
            "uuid": "267fd567-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.4.3",
            "label": "Administrator and operator logs",
            "uuid": "267fd5ae-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.4.4",
            "label": "Clock synchronisation",
            "uuid": "267fd610-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.5.1",
            "label": "Installation of software on operational systems",
            "uuid": "267fdb18-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.6.1",
            "label": "Management of technical vulnerabilities",
            "uuid": "267fdda3-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.6.2",
            "label": "Restrictions on software installation",
            "uuid": "267fe8fe-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Operations security",
            "code": "12.7.1",
            "label": "Information systems audit controls",
            "uuid": "267fe660-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.1.1",
            "label": "Network controls",
            "uuid": "267fd2b1-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.1.2",
            "label": "Security of network services",
            "uuid": "267fd2ee-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.1.3",
            "label": "Segregation in networks",
            "uuid": "267fd85b-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.2.1",
            "label": "Information transfer policies and procedures",
            "uuid": "267fd3a6-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.2.2",
            "label": "Agreements on information transfer",
            "uuid": "267fd3e3-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.2.3",
            "label": "Electronic messaging",
            "uuid": "267fd462-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Communications security",
            "code": "13.2.4",
            "label": "Confidentiality or non-disclosure agreements",
            "uuid": "267fc77e-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.1.1",
            "label": "Information security requirements analysis and specification",
            "uuid": "267fda50-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.1.2",
            "label": "Securing application services on public networks",
            "uuid": "267fd4ac-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.1.3",
            "label": "Protecting application services transactions",
            "uuid": "267fd4ed-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.1",
            "label": "Secure development policy",
            "uuid": "267fe8a1-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.2",
            "label": "System change control procedures",
            "uuid": "267fdc38-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.3",
            "label": "Technical review of applications after operating platform changes",
            "uuid": "267fdc8c-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.4",
            "label": "Restrictions on changes to software packages",
            "uuid": "267fdcf3-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.5",
            "label": "Secure system engineering principles",
            "uuid": "267fdf36-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.6",
            "label": "Secure development environment",
            "uuid": "267fe847-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.7",
            "label": "Outsourced software development",
            "uuid": "267fdd55-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.8",
            "label": "System security testing",
            "uuid": "267fe7e9-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.2.9",
            "label": "System acceptance testing",
            "uuid": "267fd1ea-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "System acquisition, development and maintenance",
            "code": "14.3.1",
            "label": "Protection of test data",
            "uuid": "267fdb78-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Supplier relationships",
            "code": "15.1.1",
            "label": "Information security policy for supplier relationships",
            "uuid": "267fc88e-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Supplier relationships",
            "code": "15.1.2",
            "label": "Addressing security within supplier agreements",
            "uuid": "267fc8cc-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Supplier relationships",
            "code": "15.1.3",
            "label": "Informaiton and communication technology supply chain",
            "uuid": "267fe959-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Supplier relationships",
            "code": "15.2.1",
            "label": "Monitoring and review of supplier services",
            "uuid": "267fd12f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Supplier relationships",
            "code": "15.2.2",
            "label": "Managing changes to supplier services",
            "uuid": "267fd16b-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.1",
            "label": "Responsibilities and procedures",
            "uuid": "267fde78-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.2",
            "label": "Reporting information security events",
            "uuid": "267fddeb-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.3",
            "label": "Reporting information security weaknesses",
            "uuid": "267fde31-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.4",
            "label": "Assessment of and decision on information security events",
            "uuid": "267fe9b4-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.5",
            "label": "Response in information security incidents",
            "uuid": "267fea11-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.6",
            "label": "Learning from information security incidents",
            "uuid": "267fdeb8-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "information security incident management",
            "code": "16.1.7",
            "label": "Collection of evidence",
            "uuid": "267fdef6-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Information security aspects of business continuity management",
            "code": "17.1.1",
            "label": "Planning information security continuity",
            "uuid": "267fdf76-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Information security aspects of business continuity management",
            "code": "17.1.2",
            "label": "Implementing information security continuity",
            "uuid": "267fdfbe-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Information security aspects of business continuity management",
            "code": "17.1.3",
            "label": "Verify, review and evaluate information security continuity",
            "uuid": "267fe022-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Information security aspects of business continuity management",
            "code": "17.2.1",
            "label": "Availability of information processing facilities",
            "uuid": "267fea72-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.1.1",
            "label": "Identification of applicable legislation",
            "uuid": "267fe08b-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.1.2",
            "label": "Intellectual Property Rights",
            "uuid": "267fe307-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.1.3",
            "label": "Protection of records",
            "uuid": "267fe37d-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.1.4",
            "label": "Privacy and protection of personally identifiable information",
            "uuid": "267fe3de-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.1.5",
            "label": "Regulation of cryptographic controls",
            "uuid": "267fe510-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.2.1",
            "label": "Independent review of information security",
            "uuid": "267fc84f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.2.2",
            "label": "Compliance with security policies and standards",
            "uuid": "267fe58f-f705-11e8-b555-0800279aaa2b"
        },
        {
            "category": "Compliance",
            "code": "18.2.3",
            "label": "Technical compliance review",
            "uuid": "267fe600-f705-11e8-b555-0800279aaa2b"
        }
    ],
    "version": 1,
    "version_ext": "ISO/IEC 27002:2013"
}