Mapping of ISO/IEC 27001:2022 Annex A controls to CM IDs and to NIST SP 800-53 Rev. 5 controls. "None" marks an Annex A control with no mapping in that column.

A.5 Organizational controls

| Control | Title | CM IDs | NIST SP 800-53 Rev. 5 controls |
|---|---|---|---|
| A.5.1 | Policies for information security | CM0005, CM0022, CM0024, CM0026, CM0027, CM0028, CM0004 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, SA-1, SC-1, SI-1, SR-1 |
| A.5.2 | Information security roles and responsibilities | CM0005, CM0004, CM0022, CM0024, CM0026, CM0027, CM0028 | AC-1, AT-1, AU-1, CA-1, CM-1, CM-9, CP-1, CP-2, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PM-2, PM-10, PM-29, PS-1, PS-7, PS-9, RA-1, SA-1, SA-3, SA-9, SC-1, SI-1, SR-1 |
| A.5.3 | Segregation of duties | None | AC-5 |
| A.5.4 | Management responsibilities | CM0005, CM0022, CM0024, CM0026, CM0027, CM0028, CM0004 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PL-4, PM-1, PM-18, PS-1, PS-6, PS-7, PT-1, RA-1, SA-1, SA-9, SC-1, SI-1, SR-1 |
| A.5.5 | Contact with authorities | CM0005 | IR-6 |
| A.5.6 | Contact with special interest groups | CM0005 | PM-15, SI-5 |
| A.5.7 | Threat intelligence | CM0009, CM0005, CM0052, CM0032 | PM-16, PM-16(1), RA-10 |
| A.5.8 | Information security in project management | CM0005, CM0004, CM0017 | PL-2, PL-7, PL-8, SA-3, SA-4, SA-9, SA-15 |
| A.5.9 | Inventory of information and other associated assets | CM0012, CM0005 | CM-8 |
| A.5.10 | Acceptable use of information and other associated assets | CM0005, CM0052, CM0049, CM0006 | MP-2, MP-4, MP-5, MP-6, MP-7, PE-16, PE-18, PE-20, PL-4, SC-8, SC-28 |
| A.5.11 | Return of assets | CM0052 | PS-4, PS-5 |
| A.5.12 | Classification of information | None | RA-2 |
| A.5.13 | Labelling of information | CM0005 | MP-3, PE-22 |
| A.5.14 | Information transfer | CM0050, CM0005, CM0038, CM0052, CM0002, CM0033, CM0055, CM0034, CM0049, CM0006 | AC-4, AC-17, AC-18, AC-19, AC-20, CA-3, PE-17, SA-9, SC-7, SC-8, SC-15 |
| A.5.15 | Access control | CM0005, CM0055, CM0052, CM0039, CM0038 | AC-1, AC-3, AC-6 |
| A.5.16 | Identity management | CM0005, CM0052, CM0031, CM0033, CM0002, CM0035 | AC-2, IA-2, IA-4, IA-5, IA-8 |
| A.5.17 | Authentication information | CM0002, CM0005, CM0035 | IA-5 |
| A.5.18 | Access rights | CM0005 | AC-2 |
| A.5.19 | Information security in supplier relationships | CM0022, CM0024, CM0026, CM0027, CM0028, CM0004, CM0005 | SR-1, SR-2 |
| A.5.20 | Addressing information security within supplier agreements | CM0005, CM0022, CM0024, CM0026, CM0027, CM0028, CM0004, CM0025 | SA-4, SR-2, SR-3, SR-5 |
| A.5.21 | Managing information security in the information and communication technology (ICT) supply chain | CM0022, CM0024, CM0026, CM0027, CM0028, CM0004, CM0005, CM0025 | SR-2, SR-3, SR-4, SR-5 |
| A.5.22 | Monitoring, review and change management of supplier services | CM0022, CM0004, CM0005, CM0025, CM0001 | RA-9, SA-9, SR-6, SR-7 |
| A.5.23 | Information security for use of cloud services | CM0005, CM0024, CM0025, CM0026, CM0027, CM0028, CM0004 | SA-1, SA-4, SA-9, SA-9(3), SR-5 |
| A.5.24 | Information security incident management planning and preparation | None | IR-8 |
| A.5.25 | Assessment and decision on information security events | CM0052, CM0005, CM0032, CM0044 | AU-6, IR-4 |
| A.5.26 | Response to information security incidents | CM0052, CM0005, CM0032, CM0044 | IR-4 |
| A.5.27 | Learning from information security incidents | CM0052, CM0005, CM0032, CM0044 | IR-4 |
| A.5.28 | Collection of evidence | CM0005 | AU-10(3), AU-11 |
| A.5.29 | Information security during disruption | CM0005, CM0029, CM0056, CM0032, CM0044 | CP-2, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13 |
| A.5.30 | ICT readiness for business continuity | CM0022, CM0004, CM0005 | CA-2, CP-2(1), CP-2(8), CP-4, CP-4(1) |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | CM0005, CM0002, CM0033, CM0050, CM0006, CM0022, CM0024, CM0026, CM0027, CM0028, CM0004 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, SA-1, SC-1, SC-13, SI-1, SR-1 |
| A.5.32 | Intellectual property rights | None | CM-10 |
| A.5.33 | Protection of records | CM0055, CM0005, CM0032, CM0056, CM0002, CM0049 | AC-3, AU-9, CP-9, SC-8(1), SC-28(1) |
| A.5.34 | Privacy and protection of personal identifiable information (PII) | None | None |
| A.5.35 | Independent review of information security | None | CA-2(1) |
| A.5.36 | Compliance with policies, rules and standards for information security | CM0005, CM0052, CM0022, CM0024, CM0026, CM0027, CM0028, CM0004 | AC-1, AT-1, AU-1, CA-1, CA-2, CA-7, CM-1, CP-1, IA-1, IR-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, SA-1, SC-1, SI-1, SR-1 |
| A.5.37 | Documented operating procedures | CM0005, CM0001, CM0008, CM0007, CM0022, CM0024, CM0026, CM0027, CM0028, CM0004 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SA-5, SC-1, SI-1, SR-1 |

A.6 People controls

| Control | Title | CM IDs | NIST SP 800-53 Rev. 5 controls |
|---|---|---|---|
| A.6.1 | Screening | CM0052 | PS-3, SA-21 |
| A.6.2 | Terms and conditions of employment | None | PL-4, PS-6 |
| A.6.3 | Information security awareness, education and training | CM0041, CM0052, CM0005 | AT-2, AT-3, CP-3, IR-2, PM-13 |
| A.6.4 | Disciplinary process | CM0052 | PS-8 |
| A.6.5 | Responsibilities after termination or change of employment | CM0052 | PS-4, PS-5 |
| A.6.6 | Confidentiality or non-disclosure agreements | None | PS-6 |
| A.6.7 | Remote working | CM0005 | AC-17, PE-17 |
| A.6.8 | Information security event reporting | CM0052, CM0005, CM0004, CM0010 | AU-6, IR-6, SI-2 |

A.7 Physical controls

| Control | Title | CM IDs | NIST SP 800-53 Rev. 5 controls |
|---|---|---|---|
| A.7.1 | Physical security perimeters | CM0054, CM0053 | PE-3 |
| A.7.2 | Physical entry | CM0052, CM0053, CM0054 | PE-2, PE-3, PE-4, PE-5, PE-16 |
| A.7.3 | Securing offices, rooms and facilities | CM0054, CM0053 | PE-3, PE-5 |
| A.7.4 | Physical security monitoring | CM0005, CM0054, CM0053 | AU-6(6), PE-3, PE-3(3), PE-6, PE-6(1), PE-6(4) |
| A.7.5 | Protecting against physical and environmental threats | CM0003, CM0062, CM0057, CM0058, CM0059, CM0060, CM0061, CM0063, CM0064 | CP-6, CP-7, PE-9, PE-13, PE-14, PE-15, PE-18, PE-19, PE-23 |
| A.7.6 | Working in secure areas | None | None |
| A.7.7 | Clear desk and clear screen | CM0005 | AC-11, MP-2, MP-4, PE-5 |
| A.7.8 | Equipment siting and protection | CM0003, CM0062, CM0057, CM0058, CM0059, CM0060, CM0061, CM0063, CM0064 | PE-9, PE-13, PE-14, PE-15, PE-18, PE-19, PE-23 |
| A.7.9 | Security of assets off-premises | CM0005 | AC-19, AC-20, MP-5, PE-17 |
| A.7.10 | Storage media | CM0005, CM0052 | MA-2, MP-2, MP-4, MP-5, MP-6, MP-7, PE-16 |
| A.7.11 | Supporting utilities | CM0005, CM0029 | CP-8, PE-9, PE-10, PE-11, PE-12, PE-14, PE-15 |
| A.7.12 | Cabling security | None | PE-4, PE-9 |
| A.7.13 | Equipment maintenance | CM0005 | MA-2, MA-6 |
| A.7.14 | Secure disposal or re-use of equipment | CM0005 | MP-6 |

A.8 Technological controls

| Control | Title | CM IDs | NIST SP 800-53 Rev. 5 controls |
|---|---|---|---|
| A.8.1 | User end point devices | CM0005 | AC-11, AC-17, AC-18, AC-19, CP-2 |
| A.8.2 | Privileged access rights | CM0005, CM0055, CM0052, CM0039, CM0038 | AC-2, AC-3, AC-6, CA-2, CM-5 |
| A.8.3 | Information access restriction | CM0055, CM0005 | AC-3, AC-24, CM-5 |
| A.8.4 | Access to source code | CM0055, CM0005, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035 | AC-3, AC-3(11), CM-5 |
| A.8.5 | Secure authentication | CM0005 | AC-7, AC-8, AC-9, IA-6 |
| A.8.6 | Capacity management | CM0005, CM0032 | AU-4, CP-2(2), SC-5(2) |
| A.8.7 | Protection against malware | CM0041, CM0052, CM0005 | AT-2, SI-3 |
| A.8.8 | Management of technical vulnerabilities | CM0008, CM0004, CM0011, CM0013, CM0016, CM0019, CM0005, CM0010 | RA-3, RA-5, SI-2 |
| A.8.9 | Configuration management | CM0005, CM0004, CM0010, CM0023, CM0012 | CM-1, CM-2, CM-2(3), CM-3, CM-3(7), CM-3(8), CM-4, CM-5, CM-6, CM-8, CM-9, CM-9(1), SA-10 |
| A.8.10 | Information deletion | CM0001, CM0040, CM0005 | AC-4(25), AC-7(2), MA-2, MA-3(3), MA-4(3), MP-4, MP-6, MP-6(1), SI-21 |
| A.8.11 | Data masking | CM0001, CM0040, CM0050, CM0005, CM0002 | AC-4(23), SI-19(4) |
| A.8.12 | Data leakage prevention | CM0052, CM0053, CM0003, CM0062, CM0057, CM0058, CM0059, CM0060, CM0061, CM0063, CM0064, CM0005 | AU-13, PE-3(2), PE-19, SC-7(10), SI-20 |
| A.8.13 | Information backup | CM0005, CM0056 | CP-9 |
| A.8.14 | Redundancy of information processing facilities | None | CP-6, CP-7 |
| A.8.15 | Logging | CM0005, CM0032, CM0052 | AU-2, AU-3, AU-6, AU-9, AU-11, AU-12, AU-14 |
| A.8.16 | Monitoring activities | CM0055, CM0005, CM0002, CM0034, CM0052, CM0033, CM0032, CM0066, CM0067, CM0068 | AC-2(12), AC-17(1), AU-13, IR-4(13), MA-4(1), PE-6, PE-6(3), SC-7, SI-4, SI-4(4), SI-4(13), SI-4(16) |
| A.8.17 | Clock synchronization | CM0005, CM0032 | AU-8 |
| A.8.18 | Use of privileged utility programs | CM0055, CM0005, CM0052, CM0039, CM0038 | AC-3, AC-6 |
| A.8.19 | Installation of software on operational systems | CM0039, CM0047, CM0005, CM0069 | CM-5, CM-7, CM-7(4), CM-7(5), CM-11 |
| A.8.20 | Networks security | CM0055, CM0005, CM0052, CM0002, CM0033, CM0034, CM0049, CM0006, CM0036 | AC-3, AC-18, AC-20, SC-7, SC-8, SC-10 |
| A.8.21 | Security of network services | CM0005 | CA-3, SA-9 |
| A.8.22 | Segregation of networks | CM0050, CM0005, CM0038, CM0052, CM0002, CM0033, CM0055, CM0034 | AC-4, SC-7 |
| A.8.23 | Web filtering | CM0050, CM0005, CM0038, CM0052, CM0002, CM0033, CM0055, CM0034 | AC-4, SC-7, SC-7(8) |
| A.8.24 | Use of cryptography | CM0002, CM0030, CM0005, CM0033, CM0050, CM0006 | SC-12, SC-13, SC-17 |
| A.8.25 | Secure development life cycle | CM0004, CM0005, CM0017 | SA-3, SA-15, SA-17 |
| A.8.26 | Application security requirements | CM0052, CM0002, CM0033, CM0055, CM0005, CM0034, CM0049, CM0006, CM0050 | SC-7, SC-8, SC-13 |
| A.8.27 | Secure system architecture and engineering principles | CM0005 | SA-8, SA-17 |
| A.8.28 | Secure coding | CM0004, CM0005, CM0023, CM0016, CM0019 | SA-4(3), SA-8, SA-10, SA-11(1), SA-15(5) |
| A.8.29 | Security testing in development and acceptance | CM0005, CM0004, CM0024, CM0025, CM0026, CM0027, CM0028 | SA-4, SA-11, SR-5(2) |
| A.8.30 | Outsourced development | CM0005, CM0004, CM0023, CM0022, CM0024, CM0026, CM0027, CM0028, CM0025 | SA-4, SA-10, SA-11, SR-2, SR-4 |
| A.8.31 | Separation of development, test and production environments | CM0004, CM0010, CM0005 | CM-4(1), CM-5, SA-3 |
| A.8.32 | Change management | CM0005, CM0004, CM0023, CM0010 | CM-3, SA-10, SI-2 |
| A.8.33 | Test information | CM0001, CM0004, CM0005 | SA-3(2) |
| A.8.34 | Protection of information systems during audit testing | None | None |