A.5 Organizational controls
None
None
A.5.1 Policies for information security
CM0088
|
CM0005
|
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0004
AC-1
|
AT-1
|
AU-1
|
CA-1
|
CM-1
|
CP-1
|
IA-1
|
IR-1
|
MA-1
|
MP-1
|
PE-1
|
PL-1
|
PM-1
|
PS-1
|
RA-1
|
SA-1
|
SC-1
|
SI-1
|
SR-1
A.5.2 Information security roles and responsibilities
CM0088
|
CM0005
|
CM0020
|
CM0022
|
CM0041
|
CM0052
|
CM0054
|
CM0074
|
CM0075
|
CM0076
|
CM0079
|
CM0081
|
CM0087
|
CM0070
|
CM0006
|
CM0042
|
CM0044
|
CM0043
|
CM0045
|
CM0048
|
CM0001
|
CM0009
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0030
|
CM0031
|
CM0050
|
CM0004
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0017
|
CM0018
|
CM0019
|
CM0023
|
CM0039
|
CM0046
|
CM0047
|
CM0055
|
CM0035
|
CM0053
|
CM0056
|
CM0051
|
CM0037
|
CM0038
|
CM0057
|
CM0021
AC-1
|
AT-1
|
AU-1
|
CA-1
|
CM-1
|
CM-9
|
CP-1
|
CP-2
|
IA-1
|
IR-1
|
MA-1
|
MP-1
|
PE-1
|
PL-1
|
PM-1
|
PM-2
|
PM-10
|
PM-29
|
PS-1
|
PS-7
|
PS-9
|
RA-1
|
SA-1
|
SA-3
|
SA-9
|
SC-1
|
SI-1
|
SR-1
A.5.3 Segregation of duties
None
AC-5
A.5.4 Management responsibilities
CM0088
|
CM0005
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0041
|
CM0004
|
CM0010
|
CM0012
|
CM0013
|
CM0015
|
CM0021
|
CM0048
|
CM0022
AC-1
|
AT-1
|
AU-1
|
CA-1
|
CM-1
|
CP-1
|
IA-1
|
IR-1
|
MA-1
|
MP-1
|
PE-1
|
PL-1
|
PL-4
|
PM-1
|
PM-18
|
PS-1
|
PS-6
|
PS-7
|
PT-1
|
RA-1
|
SA-1
|
SA-9
|
SC-1
|
SI-1
|
SR-1
A.5.5 Contact with authorities
CM0005
IR-6
A.5.6 Contact with special interest groups
CM0005
PM-15
|
SI-5
A.5.7 Threat intelligence
CM0009
|
CM0005
|
CM0052
|
CM0032
PM-16
|
PM-16(1)
|
RA-10
A.5.8 Information security in project management
CM0022
|
CM0001
|
CM0020
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0052
|
CM0002
|
CM0030
|
CM0031
|
CM0050
|
CM0004
|
CM0017
|
CM0039
|
CM0046
|
CM0047
|
CM0055
|
CM0069
|
CM0005
|
CM0034
|
CM0035
|
CM0070
|
CM0006
|
CM0032
|
CM0042
|
CM0044
|
CM0051
|
CM0014
|
CM0037
|
CM0038
|
CM0048
|
CM0057
|
CM0029
|
CM0009
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0018
|
CM0019
|
CM0023
|
CM0053
|
CM0056
|
CM0043
|
CM0045
|
CM0041
|
CM0021
PL-2
|
PL-7
|
PL-8
|
SA-3
|
SA-4
|
SA-9
|
SA-15
A.5.9 Inventory of information and other associated assets
CM0012
|
CM0005
CM-8
A.5.10 Acceptable use of information and other associated assets
CM0005
|
CM0052
|
CM0085
|
CM0086
|
CM0077
|
CM0078
|
CM0079
|
CM0081
|
CM0084
|
CM0087
|
CM0048
|
CM0073
|
CM0049
|
CM0006
|
CM0071
MP-2
|
MP-4
|
MP-5
|
MP-6
|
MP-7
|
PE-16
|
PE-18
|
PE-20
|
PL-4
|
SC-8
|
SC-28
A.5.11 Return of assets
CM0052
PS-4
|
PS-5
A.5.12 Classification of information
CM0089
RA-2
A.5.13 Labelling of information
CM0005
MP-3
|
PE-22
A.5.14 Information transfer
CM0050
|
CM0005
|
CM0038
|
CM0002
|
CM0031
|
CM0004
|
CM0070
|
CM0029
|
CM0001
|
CM0020
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0041
|
CM0010
|
CM0012
|
CM0013
|
CM0015
|
CM0021
|
CM0048
|
CM0052
|
CM0033
|
CM0055
|
CM0034
|
CM0073
|
CM0049
|
CM0006
|
CM0071
AC-4
|
AC-17
|
AC-18
|
AC-19
|
AC-20
|
CA-3
|
PE-17
|
SA-9
|
SC-7
|
SC-8
|
SC-15
A.5.15 Access control
CM0088
|
CM0005
|
CM0055
|
CM0052
|
CM0039
|
CM0038
AC-1
|
AC-3
|
AC-6
A.5.16 Identity management
CM0039
|
CM0005
|
CM0031
|
CM0021
|
CM0052
|
CM0033
|
CM0002
|
CM0035
AC-2
|
IA-2
|
IA-4
|
IA-5
|
IA-8
A.5.17 Authentication information
CM0002
|
CM0005
|
CM0035
IA-5
A.5.18 Access rights
CM0039
|
CM0005
AC-2
A.5.19 Information security in supplier relationships
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0088
|
CM0004
|
CM0005
SR-1
|
SR-2
A.5.20 Addressing information security within supplier agreements
CM0005
|
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0004
|
CM0025
SA-4
|
SR-2
|
SR-3
|
SR-5
A.5.21 Managing information security in the information and communication technology (ICT) supply chain
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0004
|
CM0005
|
CM0025
SR-2
|
SR-3
|
SR-4
|
SR-5
A.5.22 Monitoring, review and change management of supplier services
CM0022
|
CM0004
|
CM0005
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0041
|
CM0010
|
CM0012
|
CM0013
|
CM0015
|
CM0021
|
CM0048
|
CM0001
RA-9
|
SA-9
|
SR-6
|
SR-7
A.5.23 Information security for use of cloud services
CM0088
|
CM0005
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0041
|
CM0004
|
CM0010
|
CM0012
|
CM0013
|
CM0015
|
CM0021
|
CM0048
SA-1
|
SA-4
|
SA-9
|
SA-9(3)
|
SR-5
A.5.24 Information security incident management planning and preparation
CM0041
|
CM0005
IR-8
A.5.25 Assessment and decision on information security events
CM0052
|
CM0005
|
CM0032
|
CM0044
AU-6
|
IR-4
A.5.26 Response to information security events
CM0052
|
CM0005
|
CM0032
|
CM0044
IR-4
A.5.27 Learning from information security incidents
CM0052
|
CM0005
|
CM0032
|
CM0044
IR-4
A.5.28 Collection of evidence
CM0005
AU-10(3)
|
AU-11
A.5.29 Information security during disruption
CM0020
|
CM0022
|
CM0041
|
CM0052
|
CM0054
|
CM0074
|
CM0075
|
CM0076
|
CM0079
|
CM0081
|
CM0087
|
CM0005
|
CM0070
|
CM0006
|
CM0042
|
CM0044
|
CM0043
|
CM0045
|
CM0048
|
CM0008
|
CM0029
|
CM0056
|
CM0032
|
CM0072
|
CM0077
|
CM0080
|
CM0084
|
CM0085
|
CM0086
CP-2
|
CP-4
|
CP-6
|
CP-7
|
CP-8
|
CP-9
|
CP-10
|
CP-11
|
CP-13
A.5.30 ICT readiness for business continuity
CM0089
|
CM0079
|
CM0081
|
CM0087
|
CM0022
|
CM0004
|
CM0005
|
CM0008
|
CM0041
CA-2
|
CP-2(1)
|
CP-2(8)
|
CP-4
|
CP-4(1)
A.5.31 Legal, statutory, regulatory and contractual requirements
CM0088
|
CM0005
|
CM0002
|
CM0033
|
CM0050
|
CM0006
|
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0004
AC-1
|
AT-1
|
AU-1
|
CA-1
|
CM-1
|
CP-1
|
IA-1
|
IR-1
|
MP-1
|
PE-1
|
PL-1
|
PM-1
|
PS-1
|
RA-1
|
SA-1
|
SC-1
|
SC-13
|
SI-1
|
SR-1
A.5.32 Intellectual property rights
CM0012
CM-10
A.5.33 Protection of records
CM0055
|
CM0005
|
CM0032
|
CM0056
|
CM0001
|
CM0002
|
CM0030
|
CM0031
|
CM0050
|
CM0035
|
CM0071
|
CM0029
|
CM0049
AC-3
|
AU-9
|
CP-9
|
SC-8(1)
|
SC-28(1)
A.5.34 Privacy and protection of personal identifiable information (PII)
None
None
A.5.35 Independent review of information security
CM0089
CA-2(1)
A.5.36 Compliance with policies, rules and standards for information security
CM0088
|
CM0005
|
CM0089
|
CM0052
|
CM0090
|
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0004
AC-1
|
AT-1
|
AU-1
|
CA-1
|
CA-2
|
CA-7
|
CM-1
|
CP-1
|
IA-1
|
IR-1
|
MP-1
|
PE-1
|
PL-1
|
PM-1
|
PS-1
|
RA-1
|
SA-1
|
SC-1
|
SI-1
|
SR-1
A.5.37 Documented operating procedures
CM0088
|
CM0005
|
CM0001
|
CM0008
|
CM0007
|
CM0022
|
CM0024
|
CM0026
|
CM0027
|
CM0028
|
CM0004
AC-1
|
AT-1
|
AU-1
|
CA-1
|
CM-1
|
CP-1
|
IA-1
|
IR-1
|
MA-1
|
MP-1
|
PE-1
|
PL-1
|
PS-1
|
RA-1
|
SA-1
|
SA-5
|
SC-1
|
SI-1
|
SR-1
A.6 People controls
None
None
A.6.1 Screening
CM0052
PS-3
|
SA-21
A.6.2 Terms and conditions of employment
None
PL-4
|
PS-6
A.6.3 Information security awareness, education, and training
CM0041
|
CM0052
|
CM0005
AT-2
|
AT-3
|
CP-3
|
IR-2
|
PM-13
A.6.4 Disciplinary process
CM0052
PS-8
A.6.5 Responsibilities after termination or change of employment
CM0052
PS-4
|
PS-5
A.6.6 Confidentiality or non-disclosure agreements
None
PS-6
A.6.7 Remote working
CM0002
|
CM0031
|
CM0004
|
CM0005
|
CM0070
|
CM0029
AC-17
|
PE-17
A.6.8 Information security event reporting
CM0052
|
CM0005
|
CM0004
|
CM0010
|
CM0072
AU-6
|
IR-6
|
SI-2
A.7 Physical Controls
None
None
A.7.1 Physical security perimeters
CM0054
|
CM0053
PE-3
A.7.2 Physical entry
CM0052
|
CM0053
|
CM0054
|
CM0071
PE-2
|
PE-3
|
PE-4
|
PE-5
|
PE-16
A.7.3 Securing offices, rooms and facilities
CM0054
|
CM0053
PE-3
|
PE-5
A.7.4 Physical security monitoring
CM0005
|
CM0054
|
CM0053
|
CM0077
AU-6(6)
|
PE-3
|
PE-3(3)
|
PE-6
|
PE-6(1)
|
PE-6(4)
A.7.5 Protecting against physical and environmental threats
CM0085
|
CM0042
|
CM0086
|
CM0003
|
CM0062
|
CM0057
|
CM0058
|
CM0059
|
CM0060
|
CM0061
|
CM0063
|
CM0064
CP-6
|
CP-7
|
PE-9
|
PE-13
|
PE-14
|
PE-15
|
PE-18
|
PE-19
|
PE-23
A.7.6 Working in secure areas
None
None
A.7.7 Clear desk and clear screen
CM0005
AC-11
|
MP-2
|
MP-4
|
PE-5
A.7.8 Equipment siting and protection
CM0085
|
CM0042
|
CM0086
|
CM0003
|
CM0062
|
CM0057
|
CM0058
|
CM0059
|
CM0060
|
CM0061
|
CM0063
|
CM0064
PE-9
|
PE-13
|
PE-14
|
PE-15
|
PE-18
|
PE-19
|
PE-23
A.7.9 Security of assets off-premises
CM0005
AC-19
|
AC-20
|
MP-5
|
PE-17
A.7.10 Storage media
CM0005
|
CM0052
MA-2
|
MP-2
|
MP-4
|
MP-5
|
MP-6
|
MP-7
|
PE-16
A.7.11 Supporting utilities
CM0005
|
CM0029
|
CM0085
|
CM0042
|
CM0044
CP-8
|
PE-9
|
PE-10
|
PE-11
|
PE-12
|
PE-14
|
PE-15
A.7.12 Cabling security
CM0071
|
CM0085
PE-4
|
PE-9
A.7.13 Equipment maintenance
CM0005
MA-2
|
MA-6
A.7.14 Secure disposal or re-use of equipment
CM0005
MP-6
A.8 Technological controls
None
None
A.8.1 User end point devices
CM0005
|
CM0002
|
CM0031
|
CM0004
|
CM0070
|
CM0029
|
CM0020
|
CM0022
|
CM0041
|
CM0052
|
CM0054
|
CM0074
|
CM0075
|
CM0076
|
CM0079
|
CM0081
|
CM0087
|
CM0006
|
CM0042
|
CM0044
|
CM0043
|
CM0045
|
CM0048
AC-11
|
AC-17
|
AC-18
|
AC-19
|
CP-2
A.8.2 Privileged access rights
CM0039
|
CM0005
|
CM0055
|
CM0052
|
CM0038
|
CM0089
|
CM0023
AC-2
|
AC-3
|
AC-6
|
CA-2
|
CM-5
A.8.3 Information access restriction
CM0055
|
CM0005
|
CM0023
AC-3
|
AC-24
|
CM-5
A.8.4 Access to source code
CM0055
|
CM0005
|
CM0001
|
CM0008
|
CM0052
|
CM0049
|
CM0004
|
CM0007
|
CM0035
|
CM0023
AC-3
|
AC-3(11)
|
CM-5
A.8.5 Secure authentication
CM0005
AC-7
|
AC-8
|
AC-9
|
IA-6
A.8.6 Capacity management
CM0005
|
CM0032
|
CM0074
|
CM0075
|
CM0076
AU-4
|
CP-2(2)
|
SC-5(2)
A.8.7 Protection against malware
CM0041
|
CM0052
|
CM0027
|
CM0011
|
CM0018
|
CM0005
|
CM0032
AT-2
|
SI-3
A.8.8 Management of technical vulnerabilities
CM0009
|
CM0020
|
CM0022
|
CM0011
|
CM0018
|
CM0019
|
CM0008
|
CM0004
|
CM0012
|
CM0013
|
CM0016
|
CM0005
|
CM0010
|
CM0072
RA-3
|
RA-5
|
SI-2
A.8.9 Configuration management
CM0088
|
CM0007
|
CM0012
|
CM0013
|
CM0015
|
CM0023
|
CM0005
|
CM0072
|
CM0004
|
CM0010
|
CM0008
|
CM0020
|
CM0022
CM-1
|
CM-2
|
CM-2(3)
|
CM-3
|
CM-3(7)
|
CM-3(8)
|
CM-4
|
CM-5
|
CM-6
|
CM-8
|
CM-9
|
CM-9(1)
|
SA-10
A.8.10 Information deletion
CM0001
|
CM0040
|
CM0005
AC-4(25)
|
AC-7(2)
|
MA-2
|
MA-3(3)
|
MA-4(3)
|
MP-4
|
MP-6
|
MP-6(1)
|
SI-21
A.8.11 Data masking
CM0001
|
CM0040
|
CM0050
|
CM0005
|
CM0002
AC-4(23)
|
SI-19(4)
A.8.12 Data leakage prevention
CM0052
|
CM0053
|
CM0085
|
CM0003
|
CM0062
|
CM0057
|
CM0058
|
CM0059
|
CM0060
|
CM0061
|
CM0063
|
CM0064
|
CM0002
|
CM0005
|
CM0032
AU-13
|
PE-3(2)
|
PE-19
|
SC-7(10)
|
SI-20
A.8.13 Information backup
CM0005
|
CM0056
CP-9
A.8.14 Redundancy of information processing facilities
None
CP-6
|
CP-7
A.8.15 Logging
CM0005
|
CM0032
|
CM0052
AU-2
|
AU-3
|
AU-6
|
AU-9
|
AU-11
|
AU-12
|
AU-14
A.8.16 Monitoring activities
CM0055
|
CM0005
|
CM0002
|
CM0034
|
CM0052
|
CM0077
|
CM0033
|
CM0032
|
CM0066
|
CM0067
|
CM0068
|
CM0042
AC-2(12)
|
AC-17(1)
|
AU-13
|
IR-4(13)
|
MA-4(1)
|
PE-6
|
PE-6(3)
|
SC-7
|
SI-4
|
SI-4(4)
|
SI-4(13)
|
SI-4(16)
A.8.17 Clock synchronization
CM0005
|
CM0032
AU-8
A.8.18 Use of privileged utility programs
CM0055
|
CM0005
|
CM0052
|
CM0039
|
CM0038
AC-3
|
AC-6
A.8.19 Installation of software on operational systems
CM0023
|
CM0039
|
CM0047
|
CM0005
|
CM0012
|
CM0010
|
CM0069
|
CM0004
|
CM0013
|
CM0015
|
CM0021
CM-5
|
CM-7
|
CM-7(4)
|
CM-7(5)
|
CM-11
A.8.20 Networks security
CM0055
|
CM0005
|
CM0002
|
CM0031
|
CM0004
|
CM0029
|
CM0052
|
CM0033
|
CM0034
|
CM0073
|
CM0049
|
CM0006
|
CM0071
|
CM0036
AC-3
|
AC-18
|
AC-20
|
SC-7
|
SC-8
|
SC-10
A.8.21 Security of network services
CM0001
|
CM0020
|
CM0002
|
CM0005
|
CM0038
|
CM0029
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0041
|
CM0004
|
CM0010
|
CM0012
|
CM0013
|
CM0015
|
CM0021
|
CM0048
CA-3
|
SA-9
A.8.22 Segregation of networks
CM0050
|
CM0005
|
CM0038
|
CM0052
|
CM0002
|
CM0033
|
CM0055
|
CM0034
AC-4
|
SC-7
A.8.23 Web filtering
CM0050
|
CM0005
|
CM0038
|
CM0052
|
CM0002
|
CM0033
|
CM0055
|
CM0034
AC-4
|
SC-7
|
SC-7(8)
A.8.24 Use of cryptography
CM0002
|
CM0030
|
CM0005
|
CM0033
|
CM0050
|
CM0006
SC-12
|
SC-13
|
SC-17
A.8.25 Secure development life cycle
CM0001
|
CM0009
|
CM0020
|
CM0022
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0052
|
CM0030
|
CM0031
|
CM0050
|
CM0004
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0017
|
CM0018
|
CM0019
|
CM0023
|
CM0039
|
CM0046
|
CM0047
|
CM0055
|
CM0005
|
CM0035
|
CM0053
|
CM0056
|
CM0042
|
CM0044
|
CM0051
|
CM0037
|
CM0038
|
CM0043
|
CM0045
|
CM0057
SA-3
|
SA-15
|
SA-17
A.8.26 Application security requirements
CM0052
|
CM0002
|
CM0033
|
CM0055
|
CM0005
|
CM0034
|
CM0073
|
CM0049
|
CM0006
|
CM0071
|
CM0050
SC-7
|
SC-8
|
SC-13
A.8.27 Secure system architecture and engineering principles
CM0001
|
CM0009
|
CM0020
|
CM0022
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0052
|
CM0030
|
CM0031
|
CM0050
|
CM0004
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0017
|
CM0018
|
CM0019
|
CM0023
|
CM0039
|
CM0046
|
CM0047
|
CM0055
|
CM0005
|
CM0035
|
CM0053
|
CM0056
|
CM0042
|
CM0044
|
CM0051
|
CM0037
|
CM0038
|
CM0043
|
CM0045
|
CM0057
SA-8
|
SA-17
A.8.28 Secure coding
CM0004
|
CM0005
|
CM0001
|
CM0009
|
CM0020
|
CM0022
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0052
|
CM0030
|
CM0031
|
CM0050
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0017
|
CM0018
|
CM0019
|
CM0023
|
CM0039
|
CM0046
|
CM0047
|
CM0055
|
CM0035
|
CM0053
|
CM0056
|
CM0042
|
CM0044
|
CM0051
|
CM0037
|
CM0038
|
CM0043
|
CM0045
|
CM0057
|
CM0016
SA-4(3)
|
SA-8
|
SA-10
|
SA-11(1)
|
SA-15(5)
A.8.29 Security testing in development and acceptance
CM0005
|
CM0008
|
CM0020
|
CM0022
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0004
|
CM0007
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0016
|
CM0017
|
CM0018
|
CM0019
|
CM0021
|
CM0023
SA-4
|
SA-11
|
SR-5(2)
A.8.30 Outsourced development
CM0005
|
CM0004
|
CM0023
|
CM0008
|
CM0020
|
CM0022
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0007
|
CM0010
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0016
|
CM0017
|
CM0018
|
CM0019
|
CM0021
SA-4
|
SA-10
|
SA-11
|
SR-2
|
SR-4
A.8.31 Separation of development, test and production environments
CM0004
|
CM0010
|
CM0023
|
CM0001
|
CM0009
|
CM0020
|
CM0022
|
CM0024
|
CM0025
|
CM0026
|
CM0027
|
CM0028
|
CM0052
|
CM0030
|
CM0031
|
CM0050
|
CM0011
|
CM0012
|
CM0013
|
CM0015
|
CM0017
|
CM0018
|
CM0019
|
CM0039
|
CM0046
|
CM0047
|
CM0055
|
CM0005
|
CM0035
|
CM0053
|
CM0056
|
CM0042
|
CM0044
|
CM0051
|
CM0037
|
CM0038
|
CM0043
|
CM0045
|
CM0057
CM-4(1)
|
CM-5
|
SA-3
A.8.32 Change management
CM0005
|
CM0072
|
CM0004
|
CM0023
|
CM0010
CM-3
|
SA-10
|
SI-2
A.8.33 Test information
CM0001
|
CM0004
|
CM0005
SA-3(2)
A.8.34 Protection of information systems during audit testing
None
None