
ISO/IEC 27002:2022 Information Security Controls

ISO/IEC 27002 provides a reference set of generic information security controls, each with a purpose statement, attributes and implementation guidance. It is the companion to ISO/IEC 27001: the controls listed in ISO/IEC 27001:2022 Annex A are taken from ISO/IEC 27002:2022, which supplies the detailed guidance on how to implement them. The 2022 edition groups its 93 controls into four themes, and the control numbers below follow that structure: clause 5 organizational, clause 6 people, clause 7 physical and clause 8 technological controls.

Issuing Body: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
Version: 2022
Published: 2022-02-15
Controls listed in this catalogue: 20 (of the 93 controls defined in ISO/IEC 27002:2022)
Each entry below gives the catalogue control ID, the control title, the control statement and the catalogue's maturity rating (defined or managed).
ISO27002-5.1
Policies for Information Security
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals or if significant changes occur.
defined
ISO27002-5.2
Information Security Roles and Responsibilities
Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.
defined
ISO27002-5.7
Threat Intelligence
Information relating to information security threats shall be collected and analysed to produce threat intelligence.
managed
ISO27002-5.23
Information Security for Use of Cloud Services
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements.
managed
ISO27002-5.30
ICT Readiness for Business Continuity
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
managed
ISO27002-6.1
Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
defined
ISO27002-6.8
Information Security Event Reporting
The organisation shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
managed
ISO27002-7.4
Physical Security Monitoring
Premises shall be continuously monitored for unauthorised physical access.
managed
ISO27002-8.2
Privileged Access Rights
The allocation and use of privileged access rights shall be restricted and managed.
managed
ISO27002-8.4
Access to Source Code
Read and write access to source code, development tools and software libraries shall be appropriately managed.
managed
ISO27002-8.7
Protection Against Malware
Protection against malware shall be implemented and supported by appropriate user awareness.
managed
ISO27002-8.8
Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
managed
ISO27002-8.12
Data Leakage Prevention
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
managed
ISO27002-8.15
Logging
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
managed
ISO27002-8.16
Monitoring Activities
Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
managed
ISO27002-8.23
Web Filtering
Access to external websites shall be managed to reduce exposure to malicious content.
managed
ISO27002-8.24
Use of Cryptography
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
managed
ISO27002-8.28
Secure Coding
Secure coding principles shall be applied to software development.
managed
ISO27002-8.29
Security Testing in Development and Acceptance
Security testing processes shall be defined and implemented in the development life cycle.
managed
ISO27002-8.34
Protection of Information Systems During Audit Testing
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.
defined